9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf

General

Target

9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exe
Size

722KB
MD5

a7653be2c395c8919b16050ca4d2a735
SHA1

9599c03484f016971982ac4366c829a710bd8aa5
SHA256

9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf
SHA512

0293a2a1cbf46d6b991da259d7e2cbc130577d0f3a36f1be4389fbbb3c80597f38d713ad285b96a469d9836fb3a1df0b8a2eb7a911be6da767b3fd7fa35ca78a
SSDEEP

6144:Mc5DI5J2b4YX0ayv8a7JRpyG9AN2UeQY0yzcPSHpLUYQdeNgVmn/l4EI8XuGJHmj:x+mxDyv8GAoUegic8pLUYQANZ//eOGr

Score

10^/10

microsoft evasion persistence phishing

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 10 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\chrome.exe = "C:\\Users\\Admin\\AppData\\Roaming\\chrome.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\vbc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vbc.exe:*:Enabled:Windows Messanger"	reg.exe

Executes dropped EXE 3 IoCs

Processes:

mhzi.exechrome.exevbc.exe

pid process

4964 mhzi.exe
532 chrome.exe
4180 vbc.exe

pid	process
4964	mhzi.exe
532	chrome.exe
4180	vbc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chrome.exemsedge.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live = "C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome.exe"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft

Suspicious use of SetThreadContext 2 IoCs

Processes:

9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exechrome.exe

description	pid	process	target process
PID 3612 set thread context of 4964	3612	9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exe	mhzi.exe
PID 532 set thread context of 4180	532	chrome.exe	vbc.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\17171b6c-c2ee-4278-8e72-1ba816cff6ba.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221203130728.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe
Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

2136 reg.exe
660 reg.exe
2036 reg.exe
4632 reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

pid	process
2136	reg.exe
660	reg.exe
2036	reg.exe
4632	reg.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
1244	msedge.exe
1244	msedge.exe
32	msedge.exe
32	msedge.exe
928	identity_helper.exe
928	identity_helper.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

32 msedge.exe
32 msedge.exe
32 msedge.exe
32 msedge.exe
32 msedge.exe
32 msedge.exe
32 msedge.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

32 msedge.exe
32 msedge.exe
32 msedge.exe

pid	process
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe
32	msedge.exe

pid	process
32	msedge.exe
32	msedge.exe
32	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exemhzi.exemsedge.exe

description	pid	process	target process
PID 3612 wrote to memory of 4964	3612	9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exe	mhzi.exe
PID 3612 wrote to memory of 4964	3612	9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exe	mhzi.exe
PID 3612 wrote to memory of 4964	3612	9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exe	mhzi.exe
PID 3612 wrote to memory of 4964	3612	9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exe	mhzi.exe
PID 3612 wrote to memory of 4964	3612	9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exe	mhzi.exe
PID 3612 wrote to memory of 4964	3612	9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exe	mhzi.exe
PID 3612 wrote to memory of 4964	3612	9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exe	mhzi.exe
PID 3612 wrote to memory of 4964	3612	9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exe	mhzi.exe
PID 3612 wrote to memory of 532	3612	9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exe	chrome.exe
PID 3612 wrote to memory of 532	3612	9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exe	chrome.exe
PID 3612 wrote to memory of 532	3612	9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exe	chrome.exe
PID 4964 wrote to memory of 32	4964	mhzi.exe	msedge.exe
PID 4964 wrote to memory of 32	4964	mhzi.exe	msedge.exe
PID 32 wrote to memory of 224	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 224	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 4460	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 1244	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 1244	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 2496	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 2496	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 2496	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 2496	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 2496	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 2496	32	msedge.exe	msedge.exe
PID 32 wrote to memory of 2496	32	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exe
"C:\Users\Admin\AppData\Local\Temp\9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3612

C:\Users\Admin\AppData\Local\Temp\mhzi.exe
C:\Users\Admin\AppData\Local\Temp\\mhzi.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=mhzi.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
3⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:32

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffdf5c046f8,0x7ffdf5c04708,0x7ffdf5c04718
4⤵
PID:224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,11706646705468163427,17309854473148902424,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
4⤵
PID:4460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,11706646705468163427,17309854473148902424,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,11706646705468163427,17309854473148902424,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
4⤵
PID:2496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11706646705468163427,17309854473148902424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
4⤵
PID:4436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11706646705468163427,17309854473148902424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
4⤵
PID:4576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2160,11706646705468163427,17309854473148902424,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4900 /prefetch:8
4⤵
PID:1928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11706646705468163427,17309854473148902424,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
4⤵
PID:3168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11706646705468163427,17309854473148902424,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
4⤵
PID:3184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11706646705468163427,17309854473148902424,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
4⤵
PID:3636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2160,11706646705468163427,17309854473148902424,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6244 /prefetch:8
4⤵
PID:4412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11706646705468163427,17309854473148902424,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
4⤵
PID:3876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11706646705468163427,17309854473148902424,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
4⤵
PID:2308

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,11706646705468163427,17309854473148902424,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1120 /prefetch:8
4⤵
PID:4968

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
- Drops file in Program Files directory
PID:2992

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7e2cc5460,0x7ff7e2cc5470,0x7ff7e2cc5480
5⤵
PID:856

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,11706646705468163427,17309854473148902424,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1120 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2160,11706646705468163427,17309854473148902424,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5692 /prefetch:8
4⤵
PID:664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,11706646705468163427,17309854473148902424,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3216 /prefetch:2
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=mhzi.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
3⤵
PID:4916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdf5c046f8,0x7ffdf5c04708,0x7ffdf5c04718
4⤵
PID:472

C:\Users\Admin\AppData\Local\Temp\chrome.exe
"C:\Users\Admin\AppData\Local\Temp\chrome.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:532

C:\Users\Admin\AppData\Local\Temp\vbc.exe
C:\Users\Admin\AppData\Local\Temp\\vbc.exe
3⤵
- Executes dropped EXE
PID:4180

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
PID:2304

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
5⤵
- Modifies firewall policy service
- Modifies registry key
PID:2036

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\chrome.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\chrome.exe:*:Enabled:Windows Messanger" /f
4⤵
PID:5100

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\chrome.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\chrome.exe:*:Enabled:Windows Messanger" /f
5⤵
- Modifies firewall policy service
- Modifies registry key
PID:2136

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
PID:4020

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
5⤵
- Modifies firewall policy service
- Modifies registry key
PID:4632

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\vbc.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\vbc.exe:*:Enabled:Windows Messanger" /f
4⤵
PID:2572

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\vbc.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\vbc.exe:*:Enabled:Windows Messanger" /f
5⤵
- Modifies firewall policy service
- Modifies registry key
PID:660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9cc113cab81df2ff66421c3dd6bf4d31

SHA1
c1e1b1e2f007732c8c79eedac889b7312b08990e

SHA256
48438eda8d47a465f7aa67c36937ec174be450bea6b501e2fc1cc929c917e2ea

SHA512
e069f0cbd04f3fc91824df48f247e1542c6858cc3cf3dd4f16c26258beac2f7aa256bad6cdda3b2cef916afd186b269375a43013138fbc795f22c1367c799a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome.exe

Filesize
245KB

MD5
ac6cd9f9612a853ee5b8bed06976c87f

SHA1
5df9942ab8c5dd06990bf356ed9c16f5d8c92f62

SHA256
fd16e2fe6e9886afa396baf17154cd2e2cc3ea6ac310edb82cd883ac469a8655

SHA512
0729294bfab8ab817363633b910ac39a8d867c9edfdc2da00bc07edd1ad9a74e79c6291fddf96cf437f3611225d20fc111b4b3755df24c2f86a71228374fac46

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome.exe

Filesize
245KB

MD5
ac6cd9f9612a853ee5b8bed06976c87f

SHA1
5df9942ab8c5dd06990bf356ed9c16f5d8c92f62

SHA256
fd16e2fe6e9886afa396baf17154cd2e2cc3ea6ac310edb82cd883ac469a8655

SHA512
0729294bfab8ab817363633b910ac39a8d867c9edfdc2da00bc07edd1ad9a74e79c6291fddf96cf437f3611225d20fc111b4b3755df24c2f86a71228374fac46

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhzi.exe

Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhzi.exe

Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
\??\pipe\LOCAL\crashpad_32_FEZWMWXULHDVRZZX

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/32-143-0x0000000000000000-mapping.dmp

Download
memory/224-144-0x0000000000000000-mapping.dmp

Download
memory/472-161-0x0000000000000000-mapping.dmp

Download
memory/532-138-0x0000000000000000-mapping.dmp

Download
memory/532-142-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/532-171-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/532-157-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/660-172-0x0000000000000000-mapping.dmp

Download
memory/664-187-0x0000000000000000-mapping.dmp

Download
memory/856-184-0x0000000000000000-mapping.dmp

Download
memory/928-185-0x0000000000000000-mapping.dmp

Download
memory/1244-147-0x0000000000000000-mapping.dmp

Download
memory/1928-156-0x0000000000000000-mapping.dmp

Download
memory/2036-174-0x0000000000000000-mapping.dmp

Download
memory/2136-175-0x0000000000000000-mapping.dmp

Download
memory/2308-181-0x0000000000000000-mapping.dmp

Download
memory/2496-150-0x0000000000000000-mapping.dmp

Download
memory/2992-183-0x0000000000000000-mapping.dmp

Download
memory/3168-159-0x0000000000000000-mapping.dmp

Download
memory/3184-167-0x0000000000000000-mapping.dmp

Download
memory/3612-133-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/3612-141-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/3612-132-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/3636-169-0x0000000000000000-mapping.dmp

Download
memory/3876-179-0x0000000000000000-mapping.dmp

Download
memory/4180-163-0x0000000000000000-mapping.dmp

Download
memory/4180-170-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4180-164-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4180-182-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4412-177-0x0000000000000000-mapping.dmp

Download
memory/4436-152-0x0000000000000000-mapping.dmp

Download
memory/4460-146-0x0000000000000000-mapping.dmp

Download
memory/4576-154-0x0000000000000000-mapping.dmp

Download
memory/4588-188-0x0000000000000000-mapping.dmp

Download
memory/4632-173-0x0000000000000000-mapping.dmp

Download
memory/4916-160-0x0000000000000000-mapping.dmp

Download
memory/4964-135-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4964-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads