2c6360c393961843536af06f772805cabeba761e83d06095851ec2c96183ddc2

Analysis

max time kernel
187s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 14:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2c6360c393961843536af06f772805cabeba761e83d06095851ec2c96183ddc2.exe
Size

456KB
MD5

61f987ab0bf32b133d6f714feacd48ec
SHA1

cf57ed6b0f4d3662f85e1621ad593dce95dff925
SHA256

2c6360c393961843536af06f772805cabeba761e83d06095851ec2c96183ddc2
SHA512

87e5fa8ca74aeeb4594c05c26078f9a5366126942e88faf1c3c99241794aa69ac3aa1d8d19bd470ac014d04f74774e6616dd60babe4ba5e3974dde521e20812a
SSDEEP

12288:PsiMirVoV3o1XCQZr84evWEsA7dBcHfRAPKI6:EOVs3o1Pp893XcHF

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	2c6360c393961843536af06f772805cabeba761e83d06095851ec2c96183ddc2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	2c6360c393961843536af06f772805cabeba761e83d06095851ec2c96183ddc2.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\IESettingSync	2c6360c393961843536af06f772805cabeba761e83d06095851ec2c96183ddc2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	2c6360c393961843536af06f772805cabeba761e83d06095851ec2c96183ddc2.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1700	msedge.exe
1700	msedge.exe
2168	msedge.exe
2168	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2168	msedge.exe
2168	msedge.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2168	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
992	2c6360c393961843536af06f772805cabeba761e83d06095851ec2c96183ddc2.exe
992	2c6360c393961843536af06f772805cabeba761e83d06095851ec2c96183ddc2.exe
992	2c6360c393961843536af06f772805cabeba761e83d06095851ec2c96183ddc2.exe
992	2c6360c393961843536af06f772805cabeba761e83d06095851ec2c96183ddc2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 992 wrote to memory of 2168	992	2c6360c393961843536af06f772805cabeba761e83d06095851ec2c96183ddc2.exe	85
PID 992 wrote to memory of 2168	992	2c6360c393961843536af06f772805cabeba761e83d06095851ec2c96183ddc2.exe	85
PID 2168 wrote to memory of 4556	2168	msedge.exe	86
PID 2168 wrote to memory of 4556	2168	msedge.exe	86
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1712	2168	msedge.exe	89
PID 2168 wrote to memory of 1700	2168	msedge.exe	90
PID 2168 wrote to memory of 1700	2168	msedge.exe	90
PID 2168 wrote to memory of 1176	2168	msedge.exe	91
PID 2168 wrote to memory of 1176	2168	msedge.exe	91
PID 2168 wrote to memory of 1176	2168	msedge.exe	91
PID 2168 wrote to memory of 1176	2168	msedge.exe	91
PID 2168 wrote to memory of 1176	2168	msedge.exe	91
PID 2168 wrote to memory of 1176	2168	msedge.exe	91
PID 2168 wrote to memory of 1176	2168	msedge.exe	91
PID 2168 wrote to memory of 1176	2168	msedge.exe	91
PID 2168 wrote to memory of 1176	2168	msedge.exe	91
PID 2168 wrote to memory of 1176	2168	msedge.exe	91
PID 2168 wrote to memory of 1176	2168	msedge.exe	91
PID 2168 wrote to memory of 1176	2168	msedge.exe	91
PID 2168 wrote to memory of 1176	2168	msedge.exe	91
PID 2168 wrote to memory of 1176	2168	msedge.exe	91
PID 2168 wrote to memory of 1176	2168	msedge.exe	91
PID 2168 wrote to memory of 1176	2168	msedge.exe	91
PID 2168 wrote to memory of 1176	2168	msedge.exe	91
PID 2168 wrote to memory of 1176	2168	msedge.exe	91

C:\Users\Admin\AppData\Local\Temp\2c6360c393961843536af06f772805cabeba761e83d06095851ec2c96183ddc2.exe
"C:\Users\Admin\AppData\Local\Temp\2c6360c393961843536af06f772805cabeba761e83d06095851ec2c96183ddc2.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.feicgg.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd4,0xfc,0x100,0xd8,0x104,0x7ffba60046f8,0x7ffba6004708,0x7ffba6004718
    3⤵
    PID:4556
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,5783320070348986293,611159925769747246,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
    3⤵
    PID:1712
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,5783320070348986293,611159925769747246,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,5783320070348986293,611159925769747246,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3296 /prefetch:8
    3⤵
    PID:1176
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5783320070348986293,611159925769747246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3776 /prefetch:1
    3⤵
    PID:2556
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5783320070348986293,611159925769747246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
    3⤵
    PID:5104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/992-132-0x0000000000400000-0x00000000005EF001-memory.dmp

Filesize
1.9MB

Download
memory/992-133-0x0000000000400000-0x00000000005EF001-memory.dmp

Filesize
1.9MB

Download
memory/992-136-0x0000000000400000-0x00000000005EF001-memory.dmp

Filesize
1.9MB

Download