94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be

Analysis

max time kernel
151s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be.exe
Size

1.6MB
MD5

092f676806f421fc91108b26df82e509
SHA1

63126e40059fae981ca12062202c5b466e56735e
SHA256

94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be
SHA512

6837eaf597cdd0eb1d0d247cd8d0151da98c64c2af8ce0c20c91638a8fec80d3ed97130bfb6bfc37e8a7a2df9a6c1e2d724cba6692ecf98c0a165cdde3aaf13a
SSDEEP

49152:vaVs0VJ433lsPsKN2V49Spz9MAI9kX2EM:vUVJ43qoI9v

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5112	taskkill.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "www.qr520.net"	94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2404	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4960	94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be.exe
4960	94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be.exe
4960	94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be.exe
4960	94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be.exe
4960	94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be.exe
4960	94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be.exe
4960	94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be.exe
4960	94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be.exe
4960	94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be.exe
4960	94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be.exe
4960	94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be.exe
4960	94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be.exe
4960	94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be.exe
4960	94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be.exe
4960	94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be.exe
4960	94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be.exe
3780	msedge.exe
3780	msedge.exe
1348	msedge.exe
1348	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1348	msedge.exe
1348	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4960	94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be.exe
Token: SeDebugPrivilege	4960	94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be.exe
Token: SeDebugPrivilege	4960	94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1348	msedge.exe
1348	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4960	94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be.exe
4960	94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be.exe
4960	94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be.exe
4960	94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 1348	4960	94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be.exe	89
PID 4960 wrote to memory of 1348	4960	94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be.exe	89
PID 4960 wrote to memory of 2092	4960	94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be.exe	90
PID 4960 wrote to memory of 2092	4960	94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be.exe	90
PID 4960 wrote to memory of 2092	4960	94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be.exe	90
PID 1348 wrote to memory of 1440	1348	msedge.exe	92
PID 1348 wrote to memory of 1440	1348	msedge.exe	92
PID 2092 wrote to memory of 2404	2092	cmd.exe	93
PID 2092 wrote to memory of 2404	2092	cmd.exe	93
PID 2092 wrote to memory of 2404	2092	cmd.exe	93
PID 4960 wrote to memory of 5112	4960	94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be.exe	98
PID 4960 wrote to memory of 5112	4960	94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be.exe	98
PID 4960 wrote to memory of 5112	4960	94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be.exe	98
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 2312	1348	msedge.exe	100
PID 1348 wrote to memory of 3780	1348	msedge.exe	101
PID 1348 wrote to memory of 3780	1348	msedge.exe	101
PID 1348 wrote to memory of 4860	1348	msedge.exe	102
PID 1348 wrote to memory of 4860	1348	msedge.exe	102
PID 1348 wrote to memory of 4860	1348	msedge.exe	102
PID 1348 wrote to memory of 4860	1348	msedge.exe	102
PID 1348 wrote to memory of 4860	1348	msedge.exe	102
PID 1348 wrote to memory of 4860	1348	msedge.exe	102
PID 1348 wrote to memory of 4860	1348	msedge.exe	102
PID 1348 wrote to memory of 4860	1348	msedge.exe	102
PID 1348 wrote to memory of 4860	1348	msedge.exe	102

C:\Users\Admin\AppData\Local\Temp\94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be.exe
"C:\Users\Admin\AppData\Local\Temp\94a26f8c98f82f401254ff3f4b516febea212c75a081f56f2cb750ebbbbf62be.exe"
1⤵
- Checks computer location settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.rz900.com/
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffd8cbd46f8,0x7ffd8cbd4708,0x7ffd8cbd4718
    3⤵
    PID:1440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,10749625342935508514,4658388992068780734,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
    3⤵
    PID:2312
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,10749625342935508514,4658388992068780734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2468 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,10749625342935508514,4658388992068780734,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
    3⤵
    PID:4860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10749625342935508514,4658388992068780734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:1
    3⤵
    PID:1496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10749625342935508514,4658388992068780734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
    3⤵
    PID:4056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,10749625342935508514,4658388992068780734,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5212 /prefetch:8
    3⤵
    PID:4852
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c ping 127.1&del DNFÐ¡¾«Áé.exe&ren ×¢ÈëÆ÷±¸·ÝÎÄ¼þ.bak DNFÐ¡¾«Áé.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.1
    3⤵
    - Runs ping.exe
    PID:2404
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /DNF.exe.manifest
  2⤵
  - Kills process with taskkill
  PID:5112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4960-132-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/4960-145-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/4960-133-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download