Analysis
-
max time kernel
153s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
01/12/2022, 10:39
General
-
Target
9bdada33f3fc95ffccc40f10a047caa88ba45857cc18c545cd0d35a601128e61.exe
-
Size
1.4MB
-
MD5
3418d80859058585e177aaa64641e820
-
SHA1
28e835edad756f392e909b7761892f46cf0bdded
-
SHA256
9bdada33f3fc95ffccc40f10a047caa88ba45857cc18c545cd0d35a601128e61
-
SHA512
ae0f671343fd0d8625f659392fd40189864aea4029cbfdadf553c9db40e462692c44fb8eaa3f1e2065bc25df00d934203e6f25f066ac39936935f391e6004874
-
SSDEEP
24576:UGXghB8kjjGlTBiBkdXORxhQZoaeTKh1YTqdoIMGF0NyzZhb:UJCBh+vhQfaKh142wUD
Malware Config
Signatures
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer start page 1 TTPs 1 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9bdada33f3fc95ffccc40f10a047caa88ba45857cc18c545cd0d35a601128e61.exe"C:\Users\Admin\AppData\Local\Temp\9bdada33f3fc95ffccc40f10a047caa88ba45857cc18c545cd0d35a601128e61.exe"1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.cffuzhu.com/2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8353346f8,0x7ff835334708,0x7ff8353347183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,15067798168986612017,12603349036068599562,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,15067798168986612017,12603349036068599562,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,15067798168986612017,12603349036068599562,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15067798168986612017,12603349036068599562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15067798168986612017,12603349036068599562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,15067798168986612017,12603349036068599562,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5196 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,15067798168986612017,12603349036068599562,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5756 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15067798168986612017,12603349036068599562,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15067798168986612017,12603349036068599562,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15067798168986612017,12603349036068599562,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,15067798168986612017,12603349036068599562,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6252 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings3⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1bc,0x22c,0x7ff781e05460,0x7ff781e05470,0x7ff781e054804⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,15067798168986612017,12603349036068599562,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6252 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2120,15067798168986612017,12603349036068599562,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3016 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2120,15067798168986612017,12603349036068599562,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3284 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2120,15067798168986612017,12603349036068599562,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3244 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2120,15067798168986612017,12603349036068599562,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6420 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,15067798168986612017,12603349036068599562,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3836 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2120,15067798168986612017,12603349036068599562,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1728 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2120,15067798168986612017,12603349036068599562,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5628 /prefetch:83⤵
-
-
-
C:\Windows\SysWOW64\CFleilei.exeC:\Windows\system32\CFleilei.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.75ts.com/?ldgq3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8353346f8,0x7ff835334708,0x7ff8353347184⤵
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD58461b627fd0e03a19c0066e408ea7046
SHA1799fe8fc1b7cd1e9b361bc29eb53d22ac4650f22
SHA2563cfe7bdbfc30c77d71caba0bb759ffb0c37c243f89ff5de9352fb37a2d977ba7
SHA5122d965a4516e87529eb3ed7bcb366e1b42711b1fee840a2b3679a4298ccbdb5634f4f5c2fdfc23db41e297fa01d153f5014bcdbd184088f27c41c4877134fe04d
-
Filesize
1KB
MD5aae127276e11f73783b91ae7865b959b
SHA1b886fc94dad951346d28aa28e3617aacd9782037
SHA256323a186c50387c4bcc670314dd3f21ae7bf7745822460ffb9e1af745f33628a0
SHA512f8f6001f3b74f9ffe068df182084511582c25305f42db292803fadeeaea04622334ba036a51d001d86619fd6eaaa7becad9e5befa2fa7d6968499f01b2c23e7d
-
Filesize
1KB
MD5e29a26604b680270f8e11b80d9651225
SHA1cd5d1cdacacc222587f58cd13c67d8b4861b50ea
SHA25698a02c4653cfcdee506bc09effe6f168f5af5950e700f94ccc4bd421f2fe01cb
SHA5126fd94823a98e52a899a094c2f3b9cd1f7b63c62d7bfe0cd4e0f784494d3981fdf723aa09253c13c964ec74315d552127784007c7fb2da0ed6b5d1ea3c0bae75f
-
Filesize
508B
MD58a70693ad43b4fa54d445b3cc23cd438
SHA158091c59220f8f6c8684fcbaebcb7371ede6b29e
SHA2567a1731f511a8dc9694542382ae88d434cf131488b3f9421fb8cfe3bba95870e8
SHA512bd5e75fc14653badae7a41169a21f2d4e9ce7556a20f641f2d2f9b8874965dad691273119483cfd7a7e22627b79255ce6202b6c53258ffa3a16551538abe3829
-
Filesize
532B
MD519fe1a6429a844bb63531a47a9bafa41
SHA15656a5dacbd1e1606dc3c341858554901f999969
SHA2568beff46b866a0dd8a0e173c9ecc4411c3e249678be1fc8d7a9989da1d760795d
SHA5125a21b4710937446e8639d98237eb167002eb7f0da741c07484dc45baf7229341f60931f9a54bfb889465fc88643ad585732bbdfb1da27872bd75e5cad65595b6
-
Filesize
506B
MD5bb9dc97b62376f987cd1c171b2abf78f
SHA159a8e94b773e3e2b120daad9a304bd552a0818ba
SHA25667310f411bfa859c9ccb6304e46180a271e7b20f8a1abea328f3da46c29fdab7
SHA51288c521040f28cec2d24bc2c6e7a3f629caa805a8c4daf5aa18e2ad9dbe30e3f6b9c32e5eb48a36f2264cad62b2a7366f8e731e2d492799b6c26a6bc954817b4e
-
Filesize
152B
MD5b8814439123c54cbc8e61bb010a24511
SHA1403ad16668fc85e4ef366f00749eaec0f88b94b0
SHA256ee60f00dcded0ed07c9c88d582efde48ddc73d1f1a28081d5e2dea006c4ac894
SHA512de05eaa43d562783009cb1ade9c87f3d1b1020c951067d2f95dbab698b5f35271790bb9a547dd30cacf68783e09a4bdd1dfbfcf8cf53343b132b9c3d6c4d2800
-
Filesize
632KB
MD5f8441fa40c9108ba8a056b2012ea4f64
SHA13444544f8abbf47165d3f3303274d3ce7325a8c2
SHA256e946af5ee5c30450ab8d85fb0387a8f369e720794195ee3487f22a6b0b02dc4f
SHA51267395c945ad4f3b4c2edfb6ec322f430230da699c1e9956fd768b794c0719e4a85af5c44b0611380c3483182d7d2dce9a46364b032d3b138c1b296a2d9e0269c
-
Filesize
632KB
MD5f8441fa40c9108ba8a056b2012ea4f64
SHA13444544f8abbf47165d3f3303274d3ce7325a8c2
SHA256e946af5ee5c30450ab8d85fb0387a8f369e720794195ee3487f22a6b0b02dc4f
SHA51267395c945ad4f3b4c2edfb6ec322f430230da699c1e9956fd768b794c0719e4a85af5c44b0611380c3483182d7d2dce9a46364b032d3b138c1b296a2d9e0269c
-
Filesize
176B
MD580f383a4d1210550bc6f3b12a10fd7a1
SHA11d7a5b4d27330e3e9fce9643a1dd9f21c9fec2b0
SHA25616619b7484e7b6af3a1bd7fdd21e9541485c0e557bcc265cb289e369690a8301
SHA512a5c901e354607bf052a0bcc5d0b802dd0382c49cf9fdf44d269b0e970a3f8d0532af8090618ceea5e7395b87ce1dd981266cf9cfe7f58e1bcf6e8a6f1d33726a
-
Filesize
176B
MD580f383a4d1210550bc6f3b12a10fd7a1
SHA11d7a5b4d27330e3e9fce9643a1dd9f21c9fec2b0
SHA25616619b7484e7b6af3a1bd7fdd21e9541485c0e557bcc265cb289e369690a8301
SHA512a5c901e354607bf052a0bcc5d0b802dd0382c49cf9fdf44d269b0e970a3f8d0532af8090618ceea5e7395b87ce1dd981266cf9cfe7f58e1bcf6e8a6f1d33726a