Analysis
max time kernel: 154s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-11-2022 13:09
Static task: static1
Behavioral task: behavioral1
Sample: b94255f5ab14c67dd057e2c789c5d3ac526e25f9deaaf1e9b5462cc553f1f61f.exe
Resource: win7-20220812-en
General
Target: b94255f5ab14c67dd057e2c789c5d3ac526e25f9deaaf1e9b5462cc553f1f61f.exe
Size: 4.7MB
MD5: 1cf6319445434ff3bf912ba624b56b2f
SHA1: c8cf1473082c3f046c2851c73f662585db706ee9
SHA256: b94255f5ab14c67dd057e2c789c5d3ac526e25f9deaaf1e9b5462cc553f1f61f
SHA512: 47e9f20d6ab5a4d70255b0af31586e478de412a662c35f7398d3b0f96899ef50529d1e716362afc60fe1ea25ccd33fe0054d41aa254b50e0c502ab9510a46929
SSDEEP: 98304:nRtl3HelZF7TFtX2/jGop3R6baTwlnzy2T6iELKJ2N3AG+vlD9yqJOW:RfOlZF77XknNRsFVT66AVATvV9h
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: HacKed
C2: alaboo20.ddns.net:1177
Mutex: 997f3e18461eb88cd8dbaeae467eb195
Attributes:
reg_key: 997f3e18461eb88cd8dbaeae467eb195
splitter: |'|'|
Signatures

Executes dropped EXE (4 IoCs)
Processes:
- PID 1212 crack avast.exe
- PID 632 crack avast.exe
- PID 2232 avast_free_antivirus_setup_online.exe
- PID 2784 instup.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation (b94255f5ab14c67dd057e2c789c5d3ac526e25f9deaaf1e9b5462cc553f1f61f.exe)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run (msedge.exe)

Checks for any installed AV software in registry (1 TTP, 2 IoCs)
Processes:
- Key opened: \REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast (avast_free_antivirus_setup_online.exe)
- Key opened: \REGISTRY\MACHINE\Software\AVAST Software\Avast (avast_free_antivirus_setup_online.exe)

Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 1212 (crack avast.exe) set thread context of PID 632 (crack avast.exe)

Drops file in Program Files directory (2 IoCs)
Processes:
- File created: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\a41f1f48-f2e5-4cd9-99af-e937160ada2c.tmp (setup.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221129195650.pma (setup.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)

Modifies registry class (16 IoCs)
Processes (in the order recorded):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage (avast_free_antivirus_setup_online.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "0" (avast_free_antivirus_setup_online.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "23" (avast_free_antivirus_setup_online.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "53" (avast_free_antivirus_setup_online.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "69" (avast_free_antivirus_setup_online.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "7" (avast_free_antivirus_setup_online.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "15" (avast_free_antivirus_setup_online.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "30" (avast_free_antivirus_setup_online.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "38" (avast_free_antivirus_setup_online.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "76" (avast_free_antivirus_setup_online.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "92" (avast_free_antivirus_setup_online.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (msedge.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "46" (avast_free_antivirus_setup_online.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "61" (avast_free_antivirus_setup_online.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "100" (avast_free_antivirus_setup_online.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "84" (avast_free_antivirus_setup_online.exe)

Runs net.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes (repeated identical events collapsed with a count):
- PID 1952 msedge.exe (x2)
- PID 2076 msedge.exe (x2)
- PID 4324 identity_helper.exe (x2)
- PID 2136 msedge.exe (x4)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
Processes:
- PID 2076 msedge.exe (x7)

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
- PID 2076 msedge.exe (x2)

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- PID 2700 b94255f5ab14c67dd057e2c789c5d3ac526e25f9deaaf1e9b5462cc553f1f61f.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source PID wrote to memory of target PID; repeated identical events collapsed with a count):
- 2700 b94255f5ab14c67dd057e2c789c5d3ac526e25f9deaaf1e9b5462cc553f1f61f.exe -> 3884 net.exe (x3)
- 3884 net.exe -> 1764 net1.exe (x3)
- 2700 b94255f5ab14c67dd057e2c789c5d3ac526e25f9deaaf1e9b5462cc553f1f61f.exe -> 1212 crack avast.exe (x3)
- 1212 crack avast.exe -> 632 crack avast.exe (x7)
- 2700 b94255f5ab14c67dd057e2c789c5d3ac526e25f9deaaf1e9b5462cc553f1f61f.exe -> 2232 avast_free_antivirus_setup_online.exe (x3)
- 2232 avast_free_antivirus_setup_online.exe -> 2784 instup.exe (x3)
- 2784 instup.exe -> 2852 pcaui.exe (x2)
- 632 crack avast.exe -> 2076 msedge.exe (x2)
- 2076 msedge.exe -> 4216 msedge.exe (x2)
- 2076 msedge.exe -> 4644 msedge.exe (x36)
Processes
(Process tree; each entry gives the image path, the command line as recorded, and the signatures that fired on it. Children are indented under their parent.)

C:\Users\Admin\AppData\Local\Temp\b94255f5ab14c67dd057e2c789c5d3ac526e25f9deaaf1e9b5462cc553f1f61f.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\b94255f5ab14c67dd057e2c789c5d3ac526e25f9deaaf1e9b5462cc553f1f61f.exe"
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\net.exe
    cmd: net stop SharedAccess
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net1.exe
      cmd: C:\Windows\system32\net1 stop SharedAccess

  C:\crack avast.exe
    cmd: "C:\crack avast.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\crack avast.exe
      cmd: "C:\crack avast.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=crack avast.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
        - Adds Run key to start application
        - Enumerates system info in registry
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffb632b46f8,0x7ffb632b4708,0x7ffb632b4718

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,16942178751809808405,15888558425128620488,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,16942178751809808405,15888558425128620488,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,16942178751809808405,15888558425128620488,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16942178751809808405,15888558425128620488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16942178751809808405,15888558425128620488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2152,16942178751809808405,15888558425128620488,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4956 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16942178751809808405,15888558425128620488,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16942178751809808405,15888558425128620488,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16942178751809808405,15888558425128620488,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2152,16942178751809808405,15888558425128620488,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6236 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16942178751809808405,15888558425128620488,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16942178751809808405,15888558425128620488,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,16942178751809808405,15888558425128620488,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,16942178751809808405,15888558425128620488,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
          - Drops file in Program Files directory

          C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6d1245460,0x7ff6d1245470,0x7ff6d1245480

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2152,16942178751809808405,15888558425128620488,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6892 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2152,16942178751809808405,15888558425128620488,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1916 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2152,16942178751809808405,15888558425128620488,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5176 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2152,16942178751809808405,15888558425128620488,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6788 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2152,16942178751809808405,15888558425128620488,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6632 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2152,16942178751809808405,15888558425128620488,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,16942178751809808405,15888558425128620488,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5268 /prefetch:2
          - Suspicious behavior: EnumeratesProcesses

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=crack avast.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb632b46f8,0x7ffb632b4708,0x7ffb632b4718

  C:\avast_free_antivirus_setup_online.exe
    cmd: "C:\avast_free_antivirus_setup_online.exe"
    - Executes dropped EXE
    - Checks for any installed AV software in registry
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\_av_iup.tm~a02060\instup.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\_av_iup.tm~a02060\instup.exe" /edition:1 /prod:ais /sfx:lite /sfxstorage:C:\Users\Admin\AppData\Local\Temp\_av_iup.tm~a02060
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\pcaui.exe
        cmd: "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {5313d2fc-7e9c-4fb6-895c-3a229b317bcb} -a "Avast! Antivirus" -v "AVAST Software" -s "This app can't run because it causes security or performance issues on Windows. A new version may be available. Check with your software provider for an updated version that runs on this version of Windows." -n 2 -f 0 -k 0 -e "C:\Users\Admin\AppData\Local\Temp\_av_iup.tm~a02060\instup.exe"

C:\Windows\System32\CompPkgSrv.exe
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads