47742952d2bfc13628e7931f1c48ff76600ac7fe8b057cdfc1b16621bc80a198

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 08:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47742952d2bfc13628e7931f1c48ff76600ac7fe8b057cdfc1b16621bc80a198.exe
Size

143KB
MD5

937732efe13cdf1ad87cc2937934dda2
SHA1

09a95b960204186704edac294e18e30d6745bb7e
SHA256

47742952d2bfc13628e7931f1c48ff76600ac7fe8b057cdfc1b16621bc80a198
SHA512

5ed7ecdd640e7298986387f9832fbe7fd1d28500f19236973edb21e7227bec67896bfa7406bfeaef1cfe8c551f2dbc9f3d7f4110320ca3b30f259129099985ba
SSDEEP

3072:iN6ZekwVJIlgps5q9Eb648qwlS/+TfQO45Df7:pe9IB83ID5n

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	47742952d2bfc13628e7931f1c48ff76600ac7fe8b057cdfc1b16621bc80a198.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\f44acf95-7c2f-4945-ae38-9d03237c59df.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221128044541.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5088	msedge.exe
5088	msedge.exe
1440	msedge.exe
1440	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1092	47742952d2bfc13628e7931f1c48ff76600ac7fe8b057cdfc1b16621bc80a198.exe
1440	msedge.exe
1440	msedge.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1092	47742952d2bfc13628e7931f1c48ff76600ac7fe8b057cdfc1b16621bc80a198.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 4220	1092	47742952d2bfc13628e7931f1c48ff76600ac7fe8b057cdfc1b16621bc80a198.exe	82
PID 1092 wrote to memory of 4220	1092	47742952d2bfc13628e7931f1c48ff76600ac7fe8b057cdfc1b16621bc80a198.exe	82
PID 1092 wrote to memory of 4220	1092	47742952d2bfc13628e7931f1c48ff76600ac7fe8b057cdfc1b16621bc80a198.exe	82
PID 4220 wrote to memory of 1440	4220	cmd.exe	84
PID 4220 wrote to memory of 1440	4220	cmd.exe	84
PID 1440 wrote to memory of 4384	1440	msedge.exe	86
PID 1440 wrote to memory of 4384	1440	msedge.exe	86
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 1252	1440	msedge.exe	93
PID 1440 wrote to memory of 5088	1440	msedge.exe	95
PID 1440 wrote to memory of 5088	1440	msedge.exe	95
PID 1440 wrote to memory of 2232	1440	msedge.exe	98
PID 1440 wrote to memory of 2232	1440	msedge.exe	98
PID 1440 wrote to memory of 2232	1440	msedge.exe	98
PID 1440 wrote to memory of 2232	1440	msedge.exe	98
PID 1440 wrote to memory of 2232	1440	msedge.exe	98
PID 1440 wrote to memory of 2232	1440	msedge.exe	98
PID 1440 wrote to memory of 2232	1440	msedge.exe	98
PID 1440 wrote to memory of 2232	1440	msedge.exe	98
PID 1440 wrote to memory of 2232	1440	msedge.exe	98
PID 1440 wrote to memory of 2232	1440	msedge.exe	98
PID 1440 wrote to memory of 2232	1440	msedge.exe	98
PID 1440 wrote to memory of 2232	1440	msedge.exe	98
PID 1440 wrote to memory of 2232	1440	msedge.exe	98
PID 1440 wrote to memory of 2232	1440	msedge.exe	98
PID 1440 wrote to memory of 2232	1440	msedge.exe	98

C:\Users\Admin\AppData\Local\Temp\47742952d2bfc13628e7931f1c48ff76600ac7fe8b057cdfc1b16621bc80a198.exe
"C:\Users\Admin\AppData\Local\Temp\47742952d2bfc13628e7931f1c48ff76600ac7fe8b057cdfc1b16621bc80a198.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "start http://securedfileinfo.com/404.jsp?chid=5300108^&rsn=plde^&details=^|v6.2.9200x64sp0.0ws^|tt31^|dt0^|dc100^|fs-2^|dh0^|ec13^|se12007^|dr4^|ds0^|rs0^|p1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4220
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://securedfileinfo.com/404.jsp?chid=5300108&rsn=plde&details=|v6.2.9200x64sp0.0ws|tt31|dt0|dc100|fs-2|dh0|ec13|se12007|dr4|ds0|rs0|p1
    3⤵
    - Adds Run key to start application
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd117646f8,0x7ffd11764708,0x7ffd11764718
      4⤵
      PID:4384
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,14960981355332333027,6579287821824596727,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
      4⤵
      PID:1252
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,14960981355332333027,6579287821824596727,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5088
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,14960981355332333027,6579287821824596727,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
      4⤵
      PID:2232
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14960981355332333027,6579287821824596727,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:1
      4⤵
      PID:4656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14960981355332333027,6579287821824596727,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1
      4⤵
      PID:4184
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2096,14960981355332333027,6579287821824596727,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5016 /prefetch:8
      4⤵
      PID:4740
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14960981355332333027,6579287821824596727,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
      4⤵
      PID:3376
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2096,14960981355332333027,6579287821824596727,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5904 /prefetch:8
      4⤵
      PID:1732
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14960981355332333027,6579287821824596727,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
      4⤵
      PID:3832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14960981355332333027,6579287821824596727,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
      4⤵
      PID:2568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,14960981355332333027,6579287821824596727,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
      4⤵
      PID:4872
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      PID:2440
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x280,0x284,0x288,0x25c,0x28c,0x7ff76f785460,0x7ff76f785470,0x7ff76f785480
        5⤵
        
        PID:4940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
f2080851a6780703a0f3764645202ce1

SHA1
6e16ec7fe0404b0fe43ebd271ca47ffba9fc9588

SHA256
d3969401d4fc819669b9ce997251cc41d4883a31c4f43271b088944fadce3a83

SHA512
50e5661d1b5c66073c34d164b49733d7c1c1d7b2782611596646b60dae81321c5c92f9e64dce980cea8306b29db6136e582dcc07f1a951580c1f9f4d69643121

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4

Filesize
472B

MD5
9f6cc8d3fe9092a6d3901e873a87fd87

SHA1
2e0aac117a4cc57596efb3d6f6624c269f94b031

SHA256
e73982e62b92abac3d15b161f4525448cc2bc8b9bacefdcbfc6f87b74ec372e4

SHA512
9736a099967d7ad595439768e45c633ff7d34de92f7cb0c19cd3d4590c4a6dd4fedfcd1b5617c81652e61f4ffe919057507f622f4c6d8d626cfc40234ad2c757

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
cc7182a79d3e36178d9c354f925b9cac

SHA1
cff89cc2310f09646da45eb9b311344ed5aad10a

SHA256
e0e6b145f951d9379e9d62e486edf80f9705e4b2308a20c07971c6dd4169b6c8

SHA512
91308a37a5b5927eb820caaf5422b1c9e7bd50a51e38154a77adeafd952aa2175b9b514ef2f35c8a11c0869c033ffdf7b035d8fe304cc7c911ca9979d665b072

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4

Filesize
402B

MD5
1b74db05ebb0a749ae5e1567624fbbd6

SHA1
8c431e81e6f97b72c6c43bcdbb1458be811bbe18

SHA256
f150ecd79099f912f71a201b05e686c9f4208f1f49fea0f662582d9b220472d9

SHA512
e905e9f4a780c2ebea874d214bbbe25546cd7ff3b136902fa7fab153ef569658981a73ee48e728412f72b32731819723e7795c01692a6702a2dabf48d1ee6b0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
23a0acbbeada5325c5f022cc5b05dbcd

SHA1
0e8a671b27686af4deb11709127c7b2dc3296ca2

SHA256
e7cce22e7c3af11934297287b9b8cd22f22a40551408a0b1ce5a2d6333e52fd1

SHA512
6156d1cc2a0293bd77d613d9dc3b9b03c8741c6c7c3089ba71f0bd454d8dd34616589633629fc202185808aa9468f4c1d96aef49b2fa89cadce9698b5d3b904a

Download Submit