1062351d40df053e97fb8bd748b4a81a3a0184027de0e8a3cbf514f831d56afa

Analysis

max time kernel
156s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1062351d40df053e97fb8bd748b4a81a3a0184027de0e8a3cbf514f831d56afa.exe
Size

143KB
MD5

d12e184bc2f11321a3746b39baede836
SHA1

f8acc9b2f215941eedf684ad9119a4a7a2d19e55
SHA256

1062351d40df053e97fb8bd748b4a81a3a0184027de0e8a3cbf514f831d56afa
SHA512

9d0bb4198e0f0e19d6d355de86c5ce545cea7e99a2c6b845c523ba616ac629869921315adf91064f1be92ded5ea922ffd2473038c7414fd7ecbf05d7c43f71d8
SSDEEP

3072:iN6ZekwVJIlgps5q9Eb648qwlS/+TfQO45Dg:pe9IB83ID50

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	1062351d40df053e97fb8bd748b4a81a3a0184027de0e8a3cbf514f831d56afa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1132	msedge.exe
1132	msedge.exe
4000	msedge.exe
4000	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4000	msedge.exe
4000	msedge.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4660	1062351d40df053e97fb8bd748b4a81a3a0184027de0e8a3cbf514f831d56afa.exe
4000	msedge.exe
4000	msedge.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4660	1062351d40df053e97fb8bd748b4a81a3a0184027de0e8a3cbf514f831d56afa.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4660 wrote to memory of 4936	4660	1062351d40df053e97fb8bd748b4a81a3a0184027de0e8a3cbf514f831d56afa.exe	85
PID 4660 wrote to memory of 4936	4660	1062351d40df053e97fb8bd748b4a81a3a0184027de0e8a3cbf514f831d56afa.exe	85
PID 4660 wrote to memory of 4936	4660	1062351d40df053e97fb8bd748b4a81a3a0184027de0e8a3cbf514f831d56afa.exe	85
PID 4936 wrote to memory of 4000	4936	cmd.exe	87
PID 4936 wrote to memory of 4000	4936	cmd.exe	87
PID 4000 wrote to memory of 3080	4000	msedge.exe	90
PID 4000 wrote to memory of 3080	4000	msedge.exe	90
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1996	4000	msedge.exe	95
PID 4000 wrote to memory of 1132	4000	msedge.exe	96
PID 4000 wrote to memory of 1132	4000	msedge.exe	96
PID 4000 wrote to memory of 4972	4000	msedge.exe	97
PID 4000 wrote to memory of 4972	4000	msedge.exe	97
PID 4000 wrote to memory of 4972	4000	msedge.exe	97
PID 4000 wrote to memory of 4972	4000	msedge.exe	97
PID 4000 wrote to memory of 4972	4000	msedge.exe	97
PID 4000 wrote to memory of 4972	4000	msedge.exe	97
PID 4000 wrote to memory of 4972	4000	msedge.exe	97
PID 4000 wrote to memory of 4972	4000	msedge.exe	97
PID 4000 wrote to memory of 4972	4000	msedge.exe	97
PID 4000 wrote to memory of 4972	4000	msedge.exe	97
PID 4000 wrote to memory of 4972	4000	msedge.exe	97
PID 4000 wrote to memory of 4972	4000	msedge.exe	97
PID 4000 wrote to memory of 4972	4000	msedge.exe	97
PID 4000 wrote to memory of 4972	4000	msedge.exe	97
PID 4000 wrote to memory of 4972	4000	msedge.exe	97

C:\Users\Admin\AppData\Local\Temp\1062351d40df053e97fb8bd748b4a81a3a0184027de0e8a3cbf514f831d56afa.exe
"C:\Users\Admin\AppData\Local\Temp\1062351d40df053e97fb8bd748b4a81a3a0184027de0e8a3cbf514f831d56afa.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "start http://securedfileinfo.com/404.jsp?chid=4300109^&rsn=plde^&details=^|v6.2.9200x64sp0.0ws^|tt31^|dt0^|dc100^|fs-2^|dh0^|ec13^|se12007^|dr4^|ds0^|rs0^|p1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://securedfileinfo.com/404.jsp?chid=4300109&rsn=plde&details=|v6.2.9200x64sp0.0ws|tt31|dt0|dc100|fs-2|dh0|ec13|se12007|dr4|ds0|rs0|p1
    3⤵
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4000
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8317d46f8,0x7ff8317d4708,0x7ff8317d4718
      4⤵
      PID:3080
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,5046200405202991943,17417388094249603205,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
      4⤵
      PID:1996
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,5046200405202991943,17417388094249603205,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2472 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,5046200405202991943,17417388094249603205,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
      4⤵
      PID:4972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5046200405202991943,17417388094249603205,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2104 /prefetch:1
      4⤵
      PID:3472
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5046200405202991943,17417388094249603205,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
      4⤵
      PID:4800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
167cfd90cb81d3dddd63f107249a0f2e

SHA1
39a78631cc336bb71fe7a02eeb91474bbc335eea

SHA256
4c527164ea0096494cfd68b9e9167c0587c162106e8ec71edc705963c9fc543b

SHA512
013a16d1dc963bf536a156ccb6ea94596887e1d774d6b18636000bbda06b57c135bac00ef046d18022b8512d6abb9bffd3c26b6d10998b4f0e86b46c319b7911

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
c6d3e24cca551aac0cc12d2c17e69a9a

SHA1
ae01ddf841714bda67a7edf94b7f9a0589cfabe3

SHA256
26f2c3dd56c38f6930d0e38ded4f290bdebfd17cb80fbe078c41f86708d8db7c

SHA512
d25e06c69a612f6a6f3a31e95b6401a80135b9377795611b242befa0450acd04f9b3fea808f1886730b34c8d1a73aaeee5ca5fba9b3c4b755c07f38920d4d243

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
d129b067bffdb8f57e291305c3ba7ea6

SHA1
cbba5a7c60aeff01786bfb1335d8d4bad43a4e41

SHA256
1ff9d007c230730075c71d0ae0590af5902312cc8c38269adee113939061c212

SHA512
cb3cb32b7a85d7a01f1a6598af6775c90cb1c74dcdc232aa9796095e46c1311b7caec1aab53548816ddabbce0136e8d0922bea9c5d12960fa640d295859f70eb

Download Submit