7d59e012425fa89fb114e036d8ed199f49c438228f09fb446f1fc33c567448ad

Analysis

max time kernel
152s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 08:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7d59e012425fa89fb114e036d8ed199f49c438228f09fb446f1fc33c567448ad.dll
Size

605KB
MD5

85a031a16136e7bb4a896cc10274da0f
SHA1

c5d537d95d9ec346d3d52c78cdca39b91ef34586
SHA256

7d59e012425fa89fb114e036d8ed199f49c438228f09fb446f1fc33c567448ad
SHA512

dc242466b01bfce49a3fa71aac7cee76b96bfea57c36bc18f1f23404d8dc4064bbb728dfdccd923ae0cca7e3082a0250814ef308b632762adcdefb6d7feed757
SSDEEP

12288:ewpShFKn/pQIH9movxlrnJttgj41MwZE9RzYnYkim97ighNrWfAJ:zqKn/iU9VvxldYeMIHhim97BWf

Score

8^/10

persistence upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4864-133-0x00000000029D0000-0x0000000002AE6000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4864 set thread context of 4812	4864	rundll32.exe	82

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\dc61e2fd-fc95-4079-bcc0-5b42fafe7891.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221128051442.pma	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4372	msedge.exe
4372	msedge.exe
5064	msedge.exe
5064	msedge.exe
4684	identity_helper.exe
4684	identity_helper.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 4864	4952	rundll32.exe	81
PID 4952 wrote to memory of 4864	4952	rundll32.exe	81
PID 4952 wrote to memory of 4864	4952	rundll32.exe	81
PID 4864 wrote to memory of 4812	4864	rundll32.exe	82
PID 4864 wrote to memory of 4812	4864	rundll32.exe	82
PID 4864 wrote to memory of 4812	4864	rundll32.exe	82
PID 4864 wrote to memory of 4812	4864	rundll32.exe	82
PID 4864 wrote to memory of 4812	4864	rundll32.exe	82
PID 4812 wrote to memory of 5064	4812	svchost.exe	83
PID 4812 wrote to memory of 5064	4812	svchost.exe	83
PID 5064 wrote to memory of 2132	5064	msedge.exe	84
PID 5064 wrote to memory of 2132	5064	msedge.exe	84
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4008	5064	msedge.exe	89
PID 5064 wrote to memory of 4372	5064	msedge.exe	90
PID 5064 wrote to memory of 4372	5064	msedge.exe	90
PID 5064 wrote to memory of 800	5064	msedge.exe	92
PID 5064 wrote to memory of 800	5064	msedge.exe	92
PID 5064 wrote to memory of 800	5064	msedge.exe	92
PID 5064 wrote to memory of 800	5064	msedge.exe	92
PID 5064 wrote to memory of 800	5064	msedge.exe	92
PID 5064 wrote to memory of 800	5064	msedge.exe	92
PID 5064 wrote to memory of 800	5064	msedge.exe	92
PID 5064 wrote to memory of 800	5064	msedge.exe	92
PID 5064 wrote to memory of 800	5064	msedge.exe	92
PID 5064 wrote to memory of 800	5064	msedge.exe	92

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7d59e012425fa89fb114e036d8ed199f49c438228f09fb446f1fc33c567448ad.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7d59e012425fa89fb114e036d8ed199f49c438228f09fb446f1fc33c567448ad.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4812
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.java.com/pt_BR/
      4⤵
      Adds Run key to start application
      Enumerates system info in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:5064
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffaa49a46f8,0x7ffaa49a4708,0x7ffaa49a4718
        5⤵
        
        PID:2132
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,9377281119404730787,1452772711407263643,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
        5⤵
        
        PID:4008
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,9377281119404730787,1452772711407263643,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4372
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,9377281119404730787,1452772711407263643,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
        5⤵
        
        PID:800
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9377281119404730787,1452772711407263643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
        5⤵
        
        PID:4240
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9377281119404730787,1452772711407263643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
        5⤵
        
        PID:1240
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,9377281119404730787,1452772711407263643,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4584 /prefetch:8
        5⤵
        
        PID:3764
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9377281119404730787,1452772711407263643,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
        5⤵
        
        PID:1044
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9377281119404730787,1452772711407263643,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1
        5⤵
        
        PID:4328
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,9377281119404730787,1452772711407263643,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6188 /prefetch:8
        5⤵
        
        PID:4792
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9377281119404730787,1452772711407263643,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
        5⤵
        
        PID:4088
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9377281119404730787,1452772711407263643,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
        5⤵
        
        PID:3852
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,9377281119404730787,1452772711407263643,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6512 /prefetch:8
        5⤵
        
        PID:1708
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        5⤵
        Drops file in Program Files directory
        
        PID:4708
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x264,0x268,0x26c,0x224,0x270,0x7ff73b7b5460,0x7ff73b7b5470,0x7ff73b7b5480
        6⤵
        
        PID:4016
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,9377281119404730787,1452772711407263643,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6512 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4684
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2116,9377281119404730787,1452772711407263643,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3480 /prefetch:8
        5⤵
        
        PID:4740
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2116,9377281119404730787,1452772711407263643,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3972 /prefetch:8
        5⤵
        
        PID:4776
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2116,9377281119404730787,1452772711407263643,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3132 /prefetch:8
        5⤵
        
        PID:3708
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,9377281119404730787,1452772711407263643,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3096 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3580
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2116,9377281119404730787,1452772711407263643,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3584 /prefetch:8
        5⤵
        
        PID:2584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\image.gif

Filesize
1012B

MD5
f00093f9575660d15d7dd83b9130e3f7

SHA1
81d8e449ce7a36787e38bd78de3a7d68b6789515

SHA256
5928b53a994409d81eb9f8a1ad7082fa6bba5613f8589c13d766f3dd42d777b0

SHA512
76d2b217507f44080882b67066ed7fff4575bbb8bf829d612f89862b33aaa0d303936bc28bb84458885e67dce25480e0a581cce991cf3634c1e268ee6dde92de

Download Submit
memory/4812-139-0x000000003C040000-0x000000003C09F000-memory.dmp

Filesize
380KB

Download
memory/4812-137-0x000000003C040000-0x000000003C09F000-memory.dmp

Filesize
380KB

Download
memory/4812-136-0x000000003C040000-0x000000003C09F000-memory.dmp

Filesize
380KB

Download
memory/4812-152-0x000000003C040000-0x000000003C09F000-memory.dmp

Filesize
380KB

Download
memory/4812-135-0x000000003C040000-0x000000003C09F000-memory.dmp

Filesize
380KB

Download
memory/4864-133-0x00000000029D0000-0x0000000002AE6000-memory.dmp

Filesize
1.1MB

Download