d6065c4e700d99a2d864e9dc2bb79150494397de681334e9c2a2581be3b4a743

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6065c4e700d99a2d864e9dc2bb79150494397de681334e9c2a2581be3b4a743.exe
Size

38KB
MD5

319e6acc4cf60abfd3c42f737f907d4e
SHA1

ae6f911670d7b6fc80a9374b9dd7eb49d1d296c5
SHA256

d6065c4e700d99a2d864e9dc2bb79150494397de681334e9c2a2581be3b4a743
SHA512

85e01457e8548a39f236c4a4c619276cf92ca5211b63424c2ee1ef524ca5a476350d199ed6d7b7e319b7303d48e8324df5b1e3ed0cf37218f11d15786d869901
SSDEEP

768:FFe7tEyaKaorzIgQGgV7qw2ZqoAX7W8UnY7:/caKaorzIgzgZqwmqRX7IY7

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	d6065c4e700d99a2d864e9dc2bb79150494397de681334e9c2a2581be3b4a743.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2960 set thread context of 5004	2960	d6065c4e700d99a2d864e9dc2bb79150494397de681334e9c2a2581be3b4a743.exe	81

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\05c2dded-a74c-4f39-b806-f20692d950e8.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221203231309.pma	setup.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32:server.exe	d6065c4e700d99a2d864e9dc2bb79150494397de681334e9c2a2581be3b4a743.exe
File opened for modification	C:\Windows\system32:server.exe	d6065c4e700d99a2d864e9dc2bb79150494397de681334e9c2a2581be3b4a743.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Windows\system32:server.exe	d6065c4e700d99a2d864e9dc2bb79150494397de681334e9c2a2581be3b4a743.exe
File opened for modification	C:\Windows\system32:server.exe	d6065c4e700d99a2d864e9dc2bb79150494397de681334e9c2a2581be3b4a743.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3268	msedge.exe
3268	msedge.exe
5004	msedge.exe
5004	msedge.exe
4056	identity_helper.exe
4056	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	920	d6065c4e700d99a2d864e9dc2bb79150494397de681334e9c2a2581be3b4a743.exe
Token: SeIncBasePriorityPrivilege	2960	d6065c4e700d99a2d864e9dc2bb79150494397de681334e9c2a2581be3b4a743.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 2960	920	d6065c4e700d99a2d864e9dc2bb79150494397de681334e9c2a2581be3b4a743.exe	80
PID 920 wrote to memory of 2960	920	d6065c4e700d99a2d864e9dc2bb79150494397de681334e9c2a2581be3b4a743.exe	80
PID 920 wrote to memory of 2960	920	d6065c4e700d99a2d864e9dc2bb79150494397de681334e9c2a2581be3b4a743.exe	80
PID 2960 wrote to memory of 5004	2960	d6065c4e700d99a2d864e9dc2bb79150494397de681334e9c2a2581be3b4a743.exe	81
PID 2960 wrote to memory of 5004	2960	d6065c4e700d99a2d864e9dc2bb79150494397de681334e9c2a2581be3b4a743.exe	81
PID 2960 wrote to memory of 5004	2960	d6065c4e700d99a2d864e9dc2bb79150494397de681334e9c2a2581be3b4a743.exe	81
PID 5004 wrote to memory of 5024	5004	msedge.exe	82
PID 5004 wrote to memory of 5024	5004	msedge.exe	82
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 976	5004	msedge.exe	85
PID 5004 wrote to memory of 3268	5004	msedge.exe	86
PID 5004 wrote to memory of 3268	5004	msedge.exe	86
PID 5004 wrote to memory of 4256	5004	msedge.exe	87
PID 5004 wrote to memory of 4256	5004	msedge.exe	87
PID 5004 wrote to memory of 4256	5004	msedge.exe	87
PID 5004 wrote to memory of 4256	5004	msedge.exe	87
PID 5004 wrote to memory of 4256	5004	msedge.exe	87
PID 5004 wrote to memory of 4256	5004	msedge.exe	87
PID 5004 wrote to memory of 4256	5004	msedge.exe	87
PID 5004 wrote to memory of 4256	5004	msedge.exe	87
PID 5004 wrote to memory of 4256	5004	msedge.exe	87
PID 5004 wrote to memory of 4256	5004	msedge.exe	87
PID 5004 wrote to memory of 4256	5004	msedge.exe	87
PID 5004 wrote to memory of 4256	5004	msedge.exe	87
PID 5004 wrote to memory of 4256	5004	msedge.exe	87
PID 5004 wrote to memory of 4256	5004	msedge.exe	87

C:\Users\Admin\AppData\Local\Temp\d6065c4e700d99a2d864e9dc2bb79150494397de681334e9c2a2581be3b4a743.exe
"C:\Users\Admin\AppData\Local\Temp\d6065c4e700d99a2d864e9dc2bb79150494397de681334e9c2a2581be3b4a743.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:920
- C:\Users\Admin\AppData\Local\Temp\d6065c4e700d99a2d864e9dc2bb79150494397de681334e9c2a2581be3b4a743.exe
  "C:\Users\Admin\AppData\Local\Temp\d6065c4e700d99a2d864e9dc2bb79150494397de681334e9c2a2581be3b4a743.exe" -s
  2⤵
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    C:\Users\Admin\AppData\Local\Temp\d6065c4e700d99a2d864e9dc2bb79150494397de681334e9c2a2581be3b4a743.exe
    3⤵
    - Adds Run key to start application
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:5004
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd8aa346f8,0x7ffd8aa34708,0x7ffd8aa34718
      4⤵
      PID:5024
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,12772610123985844144,1093189604797937152,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
      4⤵
      PID:976
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,12772610123985844144,1093189604797937152,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3268
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,12772610123985844144,1093189604797937152,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
      4⤵
      PID:4256
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12772610123985844144,1093189604797937152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
      4⤵
      PID:5068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12772610123985844144,1093189604797937152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:1
      4⤵
      PID:2044
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12772610123985844144,1093189604797937152,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
      4⤵
      PID:4520
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2096,12772610123985844144,1093189604797937152,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5116 /prefetch:8
      4⤵
      PID:888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2096,12772610123985844144,1093189604797937152,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5568 /prefetch:8
      4⤵
      PID:424
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12772610123985844144,1093189604797937152,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
      4⤵
      PID:3504
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,12772610123985844144,1093189604797937152,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6192 /prefetch:8
      4⤵
      PID:3924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      PID:4888
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff654ef5460,0x7ff654ef5470,0x7ff654ef5480
        5⤵
        
        PID:916
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,12772610123985844144,1093189604797937152,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6192 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2096,12772610123985844144,1093189604797937152,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1296 /prefetch:8
      4⤵
      PID:4628

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5004-134-0x0000000030000000-0x0000000030011000-memory.dmp

Filesize
68KB

Download