Analysis
max time kernel: 150s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-11-2022 01:15

Static task: static1

Behavioral task: behavioral1
Sample: 7a4e2dff7aee5b415be14e733547e34d9f8b9357433e821b171791a4e213937d.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 7a4e2dff7aee5b415be14e733547e34d9f8b9357433e821b171791a4e213937d.exe
Resource: win10v2004-20220812-en
General
Target: 7a4e2dff7aee5b415be14e733547e34d9f8b9357433e821b171791a4e213937d.exe
Size: 437KB
MD5: d305c00acc4cd962dfd2ab69c3d9fbda
SHA1: adf57e2f7555badf5467c127e138de49a58cfb2b
SHA256: 7a4e2dff7aee5b415be14e733547e34d9f8b9357433e821b171791a4e213937d
SHA512: a8eb88507e124fa66fa1cb420e69c86b45f584f8f55281d25d9daf3b33017e06effcf5ea17421b6990d48107617cc0cd2dc3eda6786128b5f68efe808d6ecc01
SSDEEP: 6144:FCOoWSuTpRMgDtvAP+2PqdAdeF54hFNE9cZQ5XR7nyHOshfXR7nyHOsh:FyuTpRJvAP7ydAdeohxQ5ByusdByus
Malware Config
Signatures

Executes dropped EXE (3 IoCs)
Processes:
- pid 4956 WORM.EXE.EXE
- pid 5012 ZXZ.EXE
- pid 3644 svchost.exe

Modifies Windows Firewall (1 TTP, 1 IoC)

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- 7a4e2dff7aee5b415be14e733547e34d9f8b9357433e821b171791a4e213937d.exe: Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
- ZXZ.EXE: Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation

Drops startup file (2 IoCs)
Processes:
- svchost.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba4c12bee3027d94da5c81db2d196bfd.exe
- svchost.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba4c12bee3027d94da5c81db2d196bfd.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
Processes:
- svchost.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ba4c12bee3027d94da5c81db2d196bfd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ba4c12bee3027d94da5c81db2d196bfd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."
- msedge.exe: Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run

Drops file in Program Files directory (2 IoCs)
Processes:
- setup.exe: File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\6daa3bb0-01c5-494b-b67e-30611e771210.tmp
- setup.exe: File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221201170728.pma

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS

Modifies registry class (1 IoC)
Processes:
- msedge.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses (33 IoCs)
Processes (pid, process, number of recorded events):
- 3644 svchost.exe (25)
- 3164 msedge.exe (2)
- 3272 msedge.exe (2)
- 4368 msedge.exe (2)
- 1336 identity_helper.exe (2)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
Processes (pid, process, number of recorded events):
- 4368 msedge.exe (7)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- 3644 svchost.exe: Token: SeDebugPrivilege

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid, process, number of recorded events):
- 4368 msedge.exe (2)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source pid and process, target pid and process, number of recorded writes):
- 4284 7a4e2dff7aee5b415be14e733547e34d9f8b9357433e821b171791a4e213937d.exe wrote to memory of 4956 WORM.EXE.EXE (3)
- 4284 7a4e2dff7aee5b415be14e733547e34d9f8b9357433e821b171791a4e213937d.exe wrote to memory of 5012 ZXZ.EXE (3)
- 5012 ZXZ.EXE wrote to memory of 3644 svchost.exe (3)
- 3644 svchost.exe wrote to memory of 3004 netsh.exe (3)
- 4956 WORM.EXE.EXE wrote to memory of 920 msedge.exe (2)
- 4956 WORM.EXE.EXE wrote to memory of 4368 msedge.exe (2)
- 4368 msedge.exe wrote to memory of 4776 msedge.exe (2)
- 920 msedge.exe wrote to memory of 3140 msedge.exe (2)
- 920 msedge.exe wrote to memory of 4300 msedge.exe (32)
- 4368 msedge.exe wrote to memory of 1852 msedge.exe (12)
Processes
(indentation shows the parent/child depth of each process; signature hits are listed under each command line)

"C:\Users\Admin\AppData\Local\Temp\7a4e2dff7aee5b415be14e733547e34d9f8b9357433e821b171791a4e213937d.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  "C:\Users\Admin\AppData\Local\Temp\WORM.EXE.EXE"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=WORM.EXE.EXE&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
      - Suspicious use of WriteProcessMemory
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd8,0x104,0x7ff87f6646f8,0x7ff87f664708,0x7ff87f664718
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,5062575004467259363,7111997554354215495,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,5062575004467259363,7111997554354215495,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=WORM.EXE.EXE&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
      - Adds Run key to start application
      - Enumerates system info in registry
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff87f6646f8,0x7ff87f664708,0x7ff87f664718
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,562312310587285693,11945947792598148534,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,562312310587285693,11945947792598148534,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2808 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,562312310587285693,11945947792598148534,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3008 /prefetch:8
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,562312310587285693,11945947792598148534,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,562312310587285693,11945947792598148534,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3672 /prefetch:1
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,562312310587285693,11945947792598148534,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4260 /prefetch:1
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2140,562312310587285693,11945947792598148534,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5224 /prefetch:8
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,562312310587285693,11945947792598148534,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,562312310587285693,11945947792598148534,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2140,562312310587285693,11945947792598148534,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5920 /prefetch:8
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,562312310587285693,11945947792598148534,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,562312310587285693,11945947792598148534,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,562312310587285693,11945947792598148534,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5928 /prefetch:8
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        - Drops file in Program Files directory
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1c4,0x22c,0x7ff747bf5460,0x7ff747bf5470,0x7ff747bf5480
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,562312310587285693,11945947792598148534,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5928 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2140,562312310587285693,11945947792598148534,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3524 /prefetch:8
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2140,562312310587285693,11945947792598148534,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:8
  "C:\Users\Admin\AppData\Local\Temp\ZXZ.EXE"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE (image: C:\Windows\SysWOW64\netsh.exe)
        - Modifies Windows Firewall

C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads