b366588a6c9666a0db47041e3b8367b1dad303df0a147ca0f5e953464d931541

Analysis

max time kernel
186s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b366588a6c9666a0db47041e3b8367b1dad303df0a147ca0f5e953464d931541.exe
Size

148KB
MD5

af64e5ac685022820128cf4fe3bfa8e5
SHA1

e8c7c6d0b8399c7f10d477c0d5f6f102ac9beb51
SHA256

b366588a6c9666a0db47041e3b8367b1dad303df0a147ca0f5e953464d931541
SHA512

34f6c5e5e614a0152d5ca5157e8d28a8b34884fc94631409114e74ce86f0103df08c533424e83d8cbe381e55e1fb725c221ef7ca2bc877c0a8d3512aa2db0ef7
SSDEEP

1536:UGMQPwSSMFa643AL/U7hDu06ly74CCd35:UGVPwSSMFa643AL/U7hqzly8CCdp

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5092 set thread context of 1524	5092	b366588a6c9666a0db47041e3b8367b1dad303df0a147ca0f5e953464d931541.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3080	msedge.exe
3080	msedge.exe
3824	msedge.exe
3824	msedge.exe
3680	msedge.exe
3680	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3680	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5092	b366588a6c9666a0db47041e3b8367b1dad303df0a147ca0f5e953464d931541.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 1524	5092	b366588a6c9666a0db47041e3b8367b1dad303df0a147ca0f5e953464d931541.exe	83
PID 5092 wrote to memory of 1524	5092	b366588a6c9666a0db47041e3b8367b1dad303df0a147ca0f5e953464d931541.exe	83
PID 5092 wrote to memory of 1524	5092	b366588a6c9666a0db47041e3b8367b1dad303df0a147ca0f5e953464d931541.exe	83
PID 5092 wrote to memory of 1524	5092	b366588a6c9666a0db47041e3b8367b1dad303df0a147ca0f5e953464d931541.exe	83
PID 5092 wrote to memory of 1524	5092	b366588a6c9666a0db47041e3b8367b1dad303df0a147ca0f5e953464d931541.exe	83
PID 5092 wrote to memory of 1524	5092	b366588a6c9666a0db47041e3b8367b1dad303df0a147ca0f5e953464d931541.exe	83
PID 5092 wrote to memory of 1524	5092	b366588a6c9666a0db47041e3b8367b1dad303df0a147ca0f5e953464d931541.exe	83
PID 5092 wrote to memory of 1524	5092	b366588a6c9666a0db47041e3b8367b1dad303df0a147ca0f5e953464d931541.exe	83
PID 1524 wrote to memory of 3732	1524	b366588a6c9666a0db47041e3b8367b1dad303df0a147ca0f5e953464d931541.exe	86
PID 1524 wrote to memory of 3732	1524	b366588a6c9666a0db47041e3b8367b1dad303df0a147ca0f5e953464d931541.exe	86
PID 3732 wrote to memory of 4900	3732	msedge.exe	87
PID 3732 wrote to memory of 4900	3732	msedge.exe	87
PID 1524 wrote to memory of 3680	1524	b366588a6c9666a0db47041e3b8367b1dad303df0a147ca0f5e953464d931541.exe	88
PID 1524 wrote to memory of 3680	1524	b366588a6c9666a0db47041e3b8367b1dad303df0a147ca0f5e953464d931541.exe	88
PID 3680 wrote to memory of 4348	3680	msedge.exe	89
PID 3680 wrote to memory of 4348	3680	msedge.exe	89
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3148	3680	msedge.exe	92
PID 3680 wrote to memory of 3080	3680	msedge.exe	93
PID 3680 wrote to memory of 3080	3680	msedge.exe	93
PID 3732 wrote to memory of 4236	3732	msedge.exe	94
PID 3732 wrote to memory of 4236	3732	msedge.exe	94
PID 3732 wrote to memory of 4236	3732	msedge.exe	94
PID 3732 wrote to memory of 4236	3732	msedge.exe	94
PID 3732 wrote to memory of 4236	3732	msedge.exe	94
PID 3732 wrote to memory of 4236	3732	msedge.exe	94

C:\Users\Admin\AppData\Local\Temp\b366588a6c9666a0db47041e3b8367b1dad303df0a147ca0f5e953464d931541.exe
"C:\Users\Admin\AppData\Local\Temp\b366588a6c9666a0db47041e3b8367b1dad303df0a147ca0f5e953464d931541.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Users\Admin\AppData\Local\Temp\b366588a6c9666a0db47041e3b8367b1dad303df0a147ca0f5e953464d931541.exe
  "C:\Users\Admin\AppData\Local\Temp\b366588a6c9666a0db47041e3b8367b1dad303df0a147ca0f5e953464d931541.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=b366588a6c9666a0db47041e3b8367b1dad303df0a147ca0f5e953464d931541.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3732
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd77f146f8,0x7ffd77f14708,0x7ffd77f14718
      4⤵
      PID:4900
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,16083078243808628019,17067633656166997083,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
      4⤵
      PID:4236
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,16083078243808628019,17067633656166997083,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=b366588a6c9666a0db47041e3b8367b1dad303df0a147ca0f5e953464d931541.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3680
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd77f146f8,0x7ffd77f14708,0x7ffd77f14718
      4⤵
      PID:4348
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,4052384906917158302,10367756905561768231,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
      4⤵
      PID:3148
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,4052384906917158302,10367756905561768231,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3080
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,4052384906917158302,10367756905561768231,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
      4⤵
      PID:3984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4052384906917158302,10367756905561768231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
      4⤵
      PID:4584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4052384906917158302,10367756905561768231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
      4⤵
      PID:4468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4052384906917158302,10367756905561768231,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1
      4⤵
      PID:3052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a58a7931227f93b9a54bc982c0d99582

SHA1
7591b129f025f2003039a81830b9cd5d7043d3e2

SHA256
a6751ef5a8d88960e0fc22e205155f766e840d13c46c962166f35e3bf8367ac0

SHA512
24eec66ba6b79cebb2b920cdad34f9b68fcc9503a2e4bc718ddf3d39b8f959ee1c7b0e73079b31a0e8acc98960fcedeb7e49f38b8f5036aa21294048f7f1a79b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a58a7931227f93b9a54bc982c0d99582

SHA1
7591b129f025f2003039a81830b9cd5d7043d3e2

SHA256
a6751ef5a8d88960e0fc22e205155f766e840d13c46c962166f35e3bf8367ac0

SHA512
24eec66ba6b79cebb2b920cdad34f9b68fcc9503a2e4bc718ddf3d39b8f959ee1c7b0e73079b31a0e8acc98960fcedeb7e49f38b8f5036aa21294048f7f1a79b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a58a7931227f93b9a54bc982c0d99582

SHA1
7591b129f025f2003039a81830b9cd5d7043d3e2

SHA256
a6751ef5a8d88960e0fc22e205155f766e840d13c46c962166f35e3bf8367ac0

SHA512
24eec66ba6b79cebb2b920cdad34f9b68fcc9503a2e4bc718ddf3d39b8f959ee1c7b0e73079b31a0e8acc98960fcedeb7e49f38b8f5036aa21294048f7f1a79b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a58a7931227f93b9a54bc982c0d99582

SHA1
7591b129f025f2003039a81830b9cd5d7043d3e2

SHA256
a6751ef5a8d88960e0fc22e205155f766e840d13c46c962166f35e3bf8367ac0

SHA512
24eec66ba6b79cebb2b920cdad34f9b68fcc9503a2e4bc718ddf3d39b8f959ee1c7b0e73079b31a0e8acc98960fcedeb7e49f38b8f5036aa21294048f7f1a79b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6102471af38b45f30decc8db2f59a8e2

SHA1
35428c52f58b3a35d5028929b6298d6b95d6bdec

SHA256
57e3a5210c5872fc5d56b4111a4d07e512ef54a79128391084c167c101a9d7c4

SHA512
1040720fe63680c7a17ced8026e3a2e31e0e73066bd0c3d74e5cd4a19c0e6f23dc30e0a41f62d92c0b9cc9840895ece4b3d36a200816e400feec49e54599b3fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6102471af38b45f30decc8db2f59a8e2

SHA1
35428c52f58b3a35d5028929b6298d6b95d6bdec

SHA256
57e3a5210c5872fc5d56b4111a4d07e512ef54a79128391084c167c101a9d7c4

SHA512
1040720fe63680c7a17ced8026e3a2e31e0e73066bd0c3d74e5cd4a19c0e6f23dc30e0a41f62d92c0b9cc9840895ece4b3d36a200816e400feec49e54599b3fe

Download Submit
memory/1524-135-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download