3b9113e0fc28a52930d192eba3e45933bd938a963e918853b1a899ab94354a83

Analysis

max time kernel
153s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b9113e0fc28a52930d192eba3e45933bd938a963e918853b1a899ab94354a83.exe
Size

126KB
MD5

7302b53f29c4df20be55bd384953a870
SHA1

876524a0943ffa888fc5a1996db1e7b312169437
SHA256

3b9113e0fc28a52930d192eba3e45933bd938a963e918853b1a899ab94354a83
SHA512

9a3ddab5f002c4cdd5ad62079d9da7cfa0a77a34a1b7882f626adab76cd41f364f794bf9f387abdf88ad0004e3a2079e16944ac9fbc67b54906974b90fac3f43
SSDEEP

1536:xLr21msgtUgseNTqmwygI6uVBmXSyz7y9RDypmJ7AX/Ztnv+uMMF5EatlATg1DdW:1r21msGUgxZh6uVr+7y9RDypOA+HM8w8

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1484 set thread context of 3612	1484	3b9113e0fc28a52930d192eba3e45933bd938a963e918853b1a899ab94354a83.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4944	msedge.exe
4944	msedge.exe
3848	msedge.exe
3848	msedge.exe
2940	msedge.exe
2940	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2940	msedge.exe
2940	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 3612	1484	3b9113e0fc28a52930d192eba3e45933bd938a963e918853b1a899ab94354a83.exe	86
PID 1484 wrote to memory of 3612	1484	3b9113e0fc28a52930d192eba3e45933bd938a963e918853b1a899ab94354a83.exe	86
PID 1484 wrote to memory of 3612	1484	3b9113e0fc28a52930d192eba3e45933bd938a963e918853b1a899ab94354a83.exe	86
PID 1484 wrote to memory of 3612	1484	3b9113e0fc28a52930d192eba3e45933bd938a963e918853b1a899ab94354a83.exe	86
PID 1484 wrote to memory of 3612	1484	3b9113e0fc28a52930d192eba3e45933bd938a963e918853b1a899ab94354a83.exe	86
PID 1484 wrote to memory of 3612	1484	3b9113e0fc28a52930d192eba3e45933bd938a963e918853b1a899ab94354a83.exe	86
PID 1484 wrote to memory of 3612	1484	3b9113e0fc28a52930d192eba3e45933bd938a963e918853b1a899ab94354a83.exe	86
PID 1484 wrote to memory of 3612	1484	3b9113e0fc28a52930d192eba3e45933bd938a963e918853b1a899ab94354a83.exe	86
PID 1484 wrote to memory of 3612	1484	3b9113e0fc28a52930d192eba3e45933bd938a963e918853b1a899ab94354a83.exe	86
PID 3612 wrote to memory of 5028	3612	3b9113e0fc28a52930d192eba3e45933bd938a963e918853b1a899ab94354a83.exe	90
PID 3612 wrote to memory of 5028	3612	3b9113e0fc28a52930d192eba3e45933bd938a963e918853b1a899ab94354a83.exe	90
PID 5028 wrote to memory of 2304	5028	msedge.exe	91
PID 5028 wrote to memory of 2304	5028	msedge.exe	91
PID 3612 wrote to memory of 2940	3612	3b9113e0fc28a52930d192eba3e45933bd938a963e918853b1a899ab94354a83.exe	96
PID 3612 wrote to memory of 2940	3612	3b9113e0fc28a52930d192eba3e45933bd938a963e918853b1a899ab94354a83.exe	96
PID 2940 wrote to memory of 3060	2940	msedge.exe	95
PID 2940 wrote to memory of 3060	2940	msedge.exe	95
PID 2940 wrote to memory of 3596	2940	msedge.exe	100
PID 2940 wrote to memory of 3596	2940	msedge.exe	100
PID 5028 wrote to memory of 952	5028	msedge.exe	99
PID 5028 wrote to memory of 952	5028	msedge.exe	99
PID 2940 wrote to memory of 3596	2940	msedge.exe	100
PID 2940 wrote to memory of 3596	2940	msedge.exe	100
PID 5028 wrote to memory of 952	5028	msedge.exe	99
PID 2940 wrote to memory of 3596	2940	msedge.exe	100
PID 2940 wrote to memory of 3596	2940	msedge.exe	100
PID 2940 wrote to memory of 3596	2940	msedge.exe	100
PID 5028 wrote to memory of 952	5028	msedge.exe	99
PID 2940 wrote to memory of 3596	2940	msedge.exe	100
PID 5028 wrote to memory of 952	5028	msedge.exe	99
PID 2940 wrote to memory of 3596	2940	msedge.exe	100
PID 2940 wrote to memory of 3596	2940	msedge.exe	100
PID 5028 wrote to memory of 952	5028	msedge.exe	99
PID 2940 wrote to memory of 3596	2940	msedge.exe	100
PID 5028 wrote to memory of 952	5028	msedge.exe	99
PID 5028 wrote to memory of 952	5028	msedge.exe	99
PID 2940 wrote to memory of 3596	2940	msedge.exe	100
PID 5028 wrote to memory of 952	5028	msedge.exe	99
PID 2940 wrote to memory of 3596	2940	msedge.exe	100
PID 2940 wrote to memory of 3596	2940	msedge.exe	100
PID 5028 wrote to memory of 952	5028	msedge.exe	99
PID 2940 wrote to memory of 3596	2940	msedge.exe	100
PID 5028 wrote to memory of 952	5028	msedge.exe	99
PID 2940 wrote to memory of 3596	2940	msedge.exe	100
PID 2940 wrote to memory of 3596	2940	msedge.exe	100
PID 5028 wrote to memory of 952	5028	msedge.exe	99
PID 5028 wrote to memory of 952	5028	msedge.exe	99
PID 2940 wrote to memory of 3596	2940	msedge.exe	100
PID 2940 wrote to memory of 3596	2940	msedge.exe	100
PID 5028 wrote to memory of 952	5028	msedge.exe	99
PID 2940 wrote to memory of 3596	2940	msedge.exe	100
PID 5028 wrote to memory of 952	5028	msedge.exe	99
PID 2940 wrote to memory of 3596	2940	msedge.exe	100
PID 5028 wrote to memory of 952	5028	msedge.exe	99
PID 5028 wrote to memory of 952	5028	msedge.exe	99
PID 2940 wrote to memory of 3596	2940	msedge.exe	100
PID 5028 wrote to memory of 952	5028	msedge.exe	99
PID 2940 wrote to memory of 3596	2940	msedge.exe	100
PID 5028 wrote to memory of 952	5028	msedge.exe	99
PID 2940 wrote to memory of 3596	2940	msedge.exe	100
PID 2940 wrote to memory of 3596	2940	msedge.exe	100
PID 5028 wrote to memory of 952	5028	msedge.exe	99
PID 5028 wrote to memory of 952	5028	msedge.exe	99
PID 2940 wrote to memory of 3596	2940	msedge.exe	100

C:\Users\Admin\AppData\Local\Temp\3b9113e0fc28a52930d192eba3e45933bd938a963e918853b1a899ab94354a83.exe
"C:\Users\Admin\AppData\Local\Temp\3b9113e0fc28a52930d192eba3e45933bd938a963e918853b1a899ab94354a83.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Users\Admin\AppData\Local\Temp\3b9113e0fc28a52930d192eba3e45933bd938a963e918853b1a899ab94354a83.exe
  "C:\Users\Admin\AppData\Local\Temp\3b9113e0fc28a52930d192eba3e45933bd938a963e918853b1a899ab94354a83.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=3b9113e0fc28a52930d192eba3e45933bd938a963e918853b1a899ab94354a83.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa780746f8,0x7ffa78074708,0x7ffa78074718
      4⤵
      PID:2304
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,12649284518501413416,7875619067097713681,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
      4⤵
      PID:952
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,12649284518501413416,7875619067097713681,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=3b9113e0fc28a52930d192eba3e45933bd938a963e918853b1a899ab94354a83.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,9623714363117742999,5225632261757920262,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
      4⤵
      PID:3596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,9623714363117742999,5225632261757920262,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4944
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,9623714363117742999,5225632261757920262,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
      4⤵
      PID:4432
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9623714363117742999,5225632261757920262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
      4⤵
      PID:4908
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9623714363117742999,5225632261757920262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
      4⤵
      PID:3692
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9623714363117742999,5225632261757920262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2740 /prefetch:1
      4⤵
      PID:3460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa780746f8,0x7ffa78074708,0x7ffa78074718
1⤵
PID:3060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d492567d4611438b2f936ddcaa9544ef

SHA1
ae88af380bbeb5e05a0446163a5434d70710f853

SHA256
0cba2ccfcfff09f076de767bf8df52485a8ac4b29cd3d14d53b23fdad2da3645

SHA512
150794b8598594ac00f827996e62d84b9331f1e35386e908485181204e823e8e5802fa543b53aca4d3046d176eaf4ee1dcb4df211589ea2fedac46170f162f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d492567d4611438b2f936ddcaa9544ef

SHA1
ae88af380bbeb5e05a0446163a5434d70710f853

SHA256
0cba2ccfcfff09f076de767bf8df52485a8ac4b29cd3d14d53b23fdad2da3645

SHA512
150794b8598594ac00f827996e62d84b9331f1e35386e908485181204e823e8e5802fa543b53aca4d3046d176eaf4ee1dcb4df211589ea2fedac46170f162f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
18ad3a99cbd5ddc6b806e98374137f92

SHA1
03b6e4402a81fc0585430539a6d4a208b6ca9020

SHA256
b4f8afdb8ec7975ab4f4bff3a5c1fcab389dee2b9eb38b9603099d500457145f

SHA512
faabf3e957ee6516f8e66a1decfb2279e3923f63d0bc3f4f6aa5082b84feba57e48d0c631800b962567313b26d6cb92192a29eef6faf7b0be01894233b4929b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
18ad3a99cbd5ddc6b806e98374137f92

SHA1
03b6e4402a81fc0585430539a6d4a208b6ca9020

SHA256
b4f8afdb8ec7975ab4f4bff3a5c1fcab389dee2b9eb38b9603099d500457145f

SHA512
faabf3e957ee6516f8e66a1decfb2279e3923f63d0bc3f4f6aa5082b84feba57e48d0c631800b962567313b26d6cb92192a29eef6faf7b0be01894233b4929b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
bf3b55a93107eaf8f388723e454cb075

SHA1
7c15223cf55a0444453b30d88c76ffacd8e0bcce

SHA256
beae074117cd487cb1704480349621fab6f1953c9760bd4408cbc762370d25d6

SHA512
c670c469b4e13cbe678425d1b9438776d65052167fc827a2627afe4a691a9537159fc1470bbdc3dfa8ea86f84873fa8e987404a8a6236cc2f40c39caa0993a6d

Download Submit
memory/3612-133-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download