b98932763d82836e2de77e3043b1687db27a17ea98fc1532818032d4ea9f2543

Analysis

max time kernel
195s
max time network
217s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 11:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b98932763d82836e2de77e3043b1687db27a17ea98fc1532818032d4ea9f2543.exe
Size

1.4MB
MD5

2db0597e0fbbf3aab93dea3ca76db883
SHA1

9b431e5d427176fe9bca82464322be3f3a723187
SHA256

b98932763d82836e2de77e3043b1687db27a17ea98fc1532818032d4ea9f2543
SHA512

7cc86eddb9be47dda8bc03197319ba686f46ff765b8bea2260ba308f720d7ccee73dd868b7ee92eb973f3a1a15986039659c09c572cae2cb6477ee01dbf223ca
SSDEEP

24576:YOhS6Gp4FvrTVAoByFq45oMWTSV0Oq20dGIIxocDIukNdl5ThASKYReX5kPTwHH:NndrTtMquojTSCOIOlCTyfX5kUHH

Score

8^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/3800-132-0x0000000000400000-0x000000000072E000-memory.dmp	vmprotect
behavioral2/memory/3800-133-0x0000000000400000-0x000000000072E000-memory.dmp	vmprotect
behavioral2/memory/3800-137-0x0000000000400000-0x000000000072E000-memory.dmp	vmprotect
behavioral2/memory/3800-140-0x0000000000400000-0x000000000072E000-memory.dmp	vmprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

b98932763d82836e2de77e3043b1687db27a17ea98fc1532818032d4ea9f2543.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	b98932763d82836e2de77e3043b1687db27a17ea98fc1532818032d4ea9f2543.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\IESettingSync	b98932763d82836e2de77e3043b1687db27a17ea98fc1532818032d4ea9f2543.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	b98932763d82836e2de77e3043b1687db27a17ea98fc1532818032d4ea9f2543.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	b98932763d82836e2de77e3043b1687db27a17ea98fc1532818032d4ea9f2543.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

b98932763d82836e2de77e3043b1687db27a17ea98fc1532818032d4ea9f2543.exemsedge.exemsedge.exe

pid	process
3800	b98932763d82836e2de77e3043b1687db27a17ea98fc1532818032d4ea9f2543.exe
3800	b98932763d82836e2de77e3043b1687db27a17ea98fc1532818032d4ea9f2543.exe
3112	msedge.exe
3112	msedge.exe
4936	msedge.exe
4936	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4936 msedge.exe
4936 msedge.exe
4936 msedge.exe
4936 msedge.exe
4936 msedge.exe
4936 msedge.exe
4936 msedge.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

b98932763d82836e2de77e3043b1687db27a17ea98fc1532818032d4ea9f2543.exe

description pid process

Token: SeDebugPrivilege 3800 b98932763d82836e2de77e3043b1687db27a17ea98fc1532818032d4ea9f2543.exe

description	pid	process
Token: SeDebugPrivilege	3800	b98932763d82836e2de77e3043b1687db27a17ea98fc1532818032d4ea9f2543.exe

Suspicious use of FindShellTrayWindow 11 IoCs

Processes:

msedge.exe

pid	process
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe

Suspicious use of SendNotifyMessage 8 IoCs

Processes:

msedge.exe

pid process

4936 msedge.exe
4936 msedge.exe
4936 msedge.exe
4936 msedge.exe
4936 msedge.exe
4936 msedge.exe
4936 msedge.exe
4936 msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

b98932763d82836e2de77e3043b1687db27a17ea98fc1532818032d4ea9f2543.exe

pid	process
3800	b98932763d82836e2de77e3043b1687db27a17ea98fc1532818032d4ea9f2543.exe
3800	b98932763d82836e2de77e3043b1687db27a17ea98fc1532818032d4ea9f2543.exe
3800	b98932763d82836e2de77e3043b1687db27a17ea98fc1532818032d4ea9f2543.exe
3800	b98932763d82836e2de77e3043b1687db27a17ea98fc1532818032d4ea9f2543.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b98932763d82836e2de77e3043b1687db27a17ea98fc1532818032d4ea9f2543.exemsedge.exe

description	pid	process	target process
PID 3800 wrote to memory of 4936	3800	b98932763d82836e2de77e3043b1687db27a17ea98fc1532818032d4ea9f2543.exe	msedge.exe
PID 3800 wrote to memory of 4936	3800	b98932763d82836e2de77e3043b1687db27a17ea98fc1532818032d4ea9f2543.exe	msedge.exe
PID 4936 wrote to memory of 4204	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 4204	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 2512	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 3112	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 3112	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 3944	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 3944	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 3944	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 3944	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 3944	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 3944	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 3944	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 3944	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 3944	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 3944	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 3944	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 3944	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 3944	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 3944	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 3944	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 3944	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 3944	4936	msedge.exe	msedge.exe
PID 4936 wrote to memory of 3944	4936	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\b98932763d82836e2de77e3043b1687db27a17ea98fc1532818032d4ea9f2543.exe
"C:\Users\Admin\AppData\Local\Temp\b98932763d82836e2de77e3043b1687db27a17ea98fc1532818032d4ea9f2543.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.cfxindong.com/#network
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd8dcc46f8,0x7ffd8dcc4708,0x7ffd8dcc4718
    3⤵
    PID:4204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,747750452987712560,13653430213597335364,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
    3⤵
    PID:2512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,747750452987712560,13653430213597335364,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,747750452987712560,13653430213597335364,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2356 /prefetch:8
    3⤵
    PID:3944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,747750452987712560,13653430213597335364,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1
    3⤵
    PID:4976
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,747750452987712560,13653430213597335364,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
    3⤵
    PID:532
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,747750452987712560,13653430213597335364,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5400 /prefetch:8
    3⤵
    PID:2748
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,747750452987712560,13653430213597335364,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
    3⤵
    PID:3804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,747750452987712560,13653430213597335364,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
    3⤵
    PID:2092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,747750452987712560,13653430213597335364,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5464 /prefetch:8
    3⤵
    PID:1496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,747750452987712560,13653430213597335364,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
    3⤵
    PID:1648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,747750452987712560,13653430213597335364,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
    3⤵
    PID:4304
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,747750452987712560,13653430213597335364,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4356 /prefetch:1
    3⤵
    PID:1708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\pipe\LOCAL\crashpad_4936_JXFEMJKHYFONSIDS

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/532-150-0x0000000000000000-mapping.dmp

Download
memory/1496-158-0x0000000000000000-mapping.dmp

Download
memory/1648-160-0x0000000000000000-mapping.dmp

Download
memory/1708-164-0x0000000000000000-mapping.dmp

Download
memory/2092-156-0x0000000000000000-mapping.dmp

Download
memory/2512-142-0x0000000000000000-mapping.dmp

Download
memory/2748-152-0x0000000000000000-mapping.dmp

Download
memory/3112-143-0x0000000000000000-mapping.dmp

Download
memory/3800-137-0x0000000000400000-0x000000000072E000-memory.dmp

Filesize
3.2MB

Download
memory/3800-132-0x0000000000400000-0x000000000072E000-memory.dmp

Filesize
3.2MB

Download
memory/3800-140-0x0000000000400000-0x000000000072E000-memory.dmp

Filesize
3.2MB

Download
memory/3800-136-0x0000000001800000-0x000000000180C000-memory.dmp

Filesize
48KB

Download
memory/3800-133-0x0000000000400000-0x000000000072E000-memory.dmp

Filesize
3.2MB

Download
memory/3804-154-0x0000000000000000-mapping.dmp

Download
memory/3944-146-0x0000000000000000-mapping.dmp

Download
memory/4204-139-0x0000000000000000-mapping.dmp

Download
memory/4304-162-0x0000000000000000-mapping.dmp

Download
memory/4936-138-0x0000000000000000-mapping.dmp

Download
memory/4976-148-0x0000000000000000-mapping.dmp

Download