2058ba3787ac2a09dc2c680f216a4cc3ab0c1079c0d71240c5b5138385e70089

Analysis

max time kernel
148s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2022, 04:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2058ba3787ac2a09dc2c680f216a4cc3ab0c1079c0d71240c5b5138385e70089.exe
Size

162KB
MD5

e85fd7acbea1ba3b012c7d088476af84
SHA1

3824f5441381bf879d8ba24a5bf151a0075e1527
SHA256

2058ba3787ac2a09dc2c680f216a4cc3ab0c1079c0d71240c5b5138385e70089
SHA512

ebe525a3992a5b2da9cf62f11ee63bd2bcc8485811ee695638ab4508a745c671932eacbb2df8043723627a596d05b624082d724ca5c7d478ecef9204f8cbe135
SSDEEP

3072:lZMJnTeM4cJJAhccNcpjgILMc4kbWsqfW9X25rplo6sOvuP4hc1HGr+M9477j2Ny:TeTeM/eccNcBgILMc4CdrmlopP4hc1H3

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Loads dropped DLL 13 IoCs

pid	Process
4836	2058ba3787ac2a09dc2c680f216a4cc3ab0c1079c0d71240c5b5138385e70089.exe
4836	2058ba3787ac2a09dc2c680f216a4cc3ab0c1079c0d71240c5b5138385e70089.exe
4836	2058ba3787ac2a09dc2c680f216a4cc3ab0c1079c0d71240c5b5138385e70089.exe
4836	2058ba3787ac2a09dc2c680f216a4cc3ab0c1079c0d71240c5b5138385e70089.exe
4836	2058ba3787ac2a09dc2c680f216a4cc3ab0c1079c0d71240c5b5138385e70089.exe
4836	2058ba3787ac2a09dc2c680f216a4cc3ab0c1079c0d71240c5b5138385e70089.exe
4836	2058ba3787ac2a09dc2c680f216a4cc3ab0c1079c0d71240c5b5138385e70089.exe
4836	2058ba3787ac2a09dc2c680f216a4cc3ab0c1079c0d71240c5b5138385e70089.exe
4836	2058ba3787ac2a09dc2c680f216a4cc3ab0c1079c0d71240c5b5138385e70089.exe
4836	2058ba3787ac2a09dc2c680f216a4cc3ab0c1079c0d71240c5b5138385e70089.exe
4836	2058ba3787ac2a09dc2c680f216a4cc3ab0c1079c0d71240c5b5138385e70089.exe
4836	2058ba3787ac2a09dc2c680f216a4cc3ab0c1079c0d71240c5b5138385e70089.exe
4836	2058ba3787ac2a09dc2c680f216a4cc3ab0c1079c0d71240c5b5138385e70089.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4260	msedge.exe
4260	msedge.exe
4572	msedge.exe
4572	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4572	msedge.exe
4572	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 4572	4836	2058ba3787ac2a09dc2c680f216a4cc3ab0c1079c0d71240c5b5138385e70089.exe	80
PID 4836 wrote to memory of 4572	4836	2058ba3787ac2a09dc2c680f216a4cc3ab0c1079c0d71240c5b5138385e70089.exe	80
PID 4572 wrote to memory of 1484	4572	msedge.exe	81
PID 4572 wrote to memory of 1484	4572	msedge.exe	81
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 2304	4572	msedge.exe	84
PID 4572 wrote to memory of 4260	4572	msedge.exe	85
PID 4572 wrote to memory of 4260	4572	msedge.exe	85
PID 4572 wrote to memory of 1648	4572	msedge.exe	86
PID 4572 wrote to memory of 1648	4572	msedge.exe	86
PID 4572 wrote to memory of 1648	4572	msedge.exe	86
PID 4572 wrote to memory of 1648	4572	msedge.exe	86
PID 4572 wrote to memory of 1648	4572	msedge.exe	86
PID 4572 wrote to memory of 1648	4572	msedge.exe	86
PID 4572 wrote to memory of 1648	4572	msedge.exe	86
PID 4572 wrote to memory of 1648	4572	msedge.exe	86
PID 4572 wrote to memory of 1648	4572	msedge.exe	86
PID 4572 wrote to memory of 1648	4572	msedge.exe	86
PID 4572 wrote to memory of 1648	4572	msedge.exe	86
PID 4572 wrote to memory of 1648	4572	msedge.exe	86
PID 4572 wrote to memory of 1648	4572	msedge.exe	86
PID 4572 wrote to memory of 1648	4572	msedge.exe	86
PID 4572 wrote to memory of 1648	4572	msedge.exe	86
PID 4572 wrote to memory of 1648	4572	msedge.exe	86
PID 4572 wrote to memory of 1648	4572	msedge.exe	86
PID 4572 wrote to memory of 1648	4572	msedge.exe	86

C:\Users\Admin\AppData\Local\Temp\2058ba3787ac2a09dc2c680f216a4cc3ab0c1079c0d71240c5b5138385e70089.exe
"C:\Users\Admin\AppData\Local\Temp\2058ba3787ac2a09dc2c680f216a4cc3ab0c1079c0d71240c5b5138385e70089.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.caogenchuangyejidi.com/MjA1OGJhMzc4N2FjMmEwOWRjMmM2ODBmMjE2YTRjYzNhYjBjMTA3OWMwZDcxMjQwYzViNTEzODM4NWU3MDA4OS5leGU=/40.html
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9070646f8,0x7ff907064708,0x7ff907064718
    3⤵
    PID:1484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,12046938938210430269,2757411327543840964,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
    3⤵
    PID:2304
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,12046938938210430269,2757411327543840964,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,12046938938210430269,2757411327543840964,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
    3⤵
    PID:1648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12046938938210430269,2757411327543840964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
    3⤵
    PID:3860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12046938938210430269,2757411327543840964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
    3⤵
    PID:312
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2148,12046938938210430269,2757411327543840964,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4852 /prefetch:8
    3⤵
    PID:1232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12046938938210430269,2757411327543840964,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
    3⤵
    PID:4612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12046938938210430269,2757411327543840964,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3808 /prefetch:1
    3⤵
    PID:2400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsbE178.tmp\Base64.dll

Filesize
4KB

MD5
f0e3845fefd227d7f1101850410ec849

SHA1
3067203fafd4237be0c186ddab7029dfcbdfb53e

SHA256
7c688940e73022bf526f07cc922a631a1b1db78a19439af6bafbff2a3b46d554

SHA512
584ae5a0d1c1639ba4e2187d0c8a0ac7e54c0be0a266029c4689d81c0c64a7f80e7d918da0df5c6344f9f7a114f30d8f2feda253b29e813bae086604731a3d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbE178.tmp\Base64.dll

Filesize
4KB

MD5
f0e3845fefd227d7f1101850410ec849

SHA1
3067203fafd4237be0c186ddab7029dfcbdfb53e

SHA256
7c688940e73022bf526f07cc922a631a1b1db78a19439af6bafbff2a3b46d554

SHA512
584ae5a0d1c1639ba4e2187d0c8a0ac7e54c0be0a266029c4689d81c0c64a7f80e7d918da0df5c6344f9f7a114f30d8f2feda253b29e813bae086604731a3d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbE178.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbE178.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbE178.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbE178.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbE178.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbE178.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbE178.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbE178.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbE178.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbE178.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbE178.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
memory/4836-147-0x00000000023E1000-0x00000000023E4000-memory.dmp

Filesize
12KB

Download
memory/4836-163-0x0000000000511000-0x0000000000514000-memory.dmp

Filesize
12KB

Download
memory/4836-137-0x00000000023A1000-0x00000000023A4000-memory.dmp

Filesize
12KB

Download