bf65d6b5d594b9a65ee5cc7b9760432fea8abdd4278e61d74a5bdf921678b0b0

General

Target

vbs (3).vbs
Size

888KB
MD5

7a3b1d9cf6ea0fb03959c6d3160aaa41
SHA1

d964ca2c51a6b98b857ec1a11830b3d58d8964f2
SHA256

bf65d6b5d594b9a65ee5cc7b9760432fea8abdd4278e61d74a5bdf921678b0b0
SHA512

1973383acdc95e22b9d750d3a5084067a3f330f5ddb168a12ffd13e2464d00c3beae2cb8375fc8a4aac68cecc7a0eccd087b01ec22c649ebc9292fdebdd48063
SSDEEP

12288:2YLY1birWYjdYmYD+lJ3YNDCDZstN9RglY2Y7tsYuxaYBIYa:bUAar1nbvILa

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

WScript.exe

flow pid process

5 4540 WScript.exe
7 4540 WScript.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

modeling.exeScientificCalculator.exeblueView.exe

pid process

1832 modeling.exe
4184 ScientificCalculator.exe
536 blueView.exe

flow	pid	process
5	4540	WScript.exe
7	4540	WScript.exe

pid	process
1832	modeling.exe
4184	ScientificCalculator.exe
536	blueView.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exeblueView.exeScientificCalculator.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AMDGO = "C:\\ManualBox\\blueView.exe"	blueView.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scien = "C:\\ManualBox\\ScientificCalculator.exe"	ScientificCalculator.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\18bfa6c1-0cb6-471b-9dea-3144337df001.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221202022120.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
3504	msedge.exe
3504	msedge.exe
2788	msedge.exe
2788	msedge.exe
4788	identity_helper.exe
4788	identity_helper.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ScientificCalculator.exe

pid process

4184 ScientificCalculator.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exe

pid process

2788 msedge.exe
2788 msedge.exe
2788 msedge.exe
2788 msedge.exe
2788 msedge.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

msedge.exeWScript.exe

pid process

2788 msedge.exe
2788 msedge.exe
2788 msedge.exe
4540 WScript.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ScientificCalculator.exeblueView.exe

pid process

4184 ScientificCalculator.exe
536 blueView.exe

pid	process
4184	ScientificCalculator.exe

pid	process
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe

pid	process
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
4540	WScript.exe

pid	process
4184	ScientificCalculator.exe
536	blueView.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.exemsedge.exe

description	pid	process	target process
PID 4540 wrote to memory of 2788	4540	WScript.exe	msedge.exe
PID 4540 wrote to memory of 2788	4540	WScript.exe	msedge.exe
PID 2788 wrote to memory of 2976	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 2976	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 4212	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 3504	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 3504	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 3044	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 3044	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 3044	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 3044	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 3044	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 3044	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 3044	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 3044	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 3044	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 3044	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 3044	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 3044	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 3044	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 3044	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 3044	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 3044	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 3044	2788	msedge.exe	msedge.exe
PID 2788 wrote to memory of 3044	2788	msedge.exe	msedge.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs (3).vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://tiny.one/financasaudicao
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcef7e46f8,0x7ffcef7e4708,0x7ffcef7e4718
3⤵
PID:2976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,3514844340116205296,1882110340440093638,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,3514844340116205296,1882110340440093638,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1488 /prefetch:2
3⤵
PID:4212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,3514844340116205296,1882110340440093638,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
3⤵
PID:3044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3514844340116205296,1882110340440093638,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
3⤵
PID:1456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3514844340116205296,1882110340440093638,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
3⤵
PID:4544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,3514844340116205296,1882110340440093638,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5248 /prefetch:8
3⤵
PID:4080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3514844340116205296,1882110340440093638,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
3⤵
PID:64

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,3514844340116205296,1882110340440093638,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5752 /prefetch:8
3⤵
PID:1800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3514844340116205296,1882110340440093638,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
3⤵
PID:2364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3514844340116205296,1882110340440093638,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
3⤵
PID:3340

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,3514844340116205296,1882110340440093638,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
3⤵
PID:5000

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:3440

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1c0,0x22c,0x7ff60f745460,0x7ff60f745470,0x7ff60f745480
4⤵
PID:1332

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,3514844340116205296,1882110340440093638,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,3514844340116205296,1882110340440093638,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5044 /prefetch:8
3⤵
PID:3420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,3514844340116205296,1882110340440093638,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4816 /prefetch:8
3⤵
PID:4584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,3514844340116205296,1882110340440093638,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7040 /prefetch:8
3⤵
PID:960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,3514844340116205296,1882110340440093638,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3972 /prefetch:8
3⤵
PID:376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,3514844340116205296,1882110340440093638,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6644 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,3514844340116205296,1882110340440093638,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5012 /prefetch:8
3⤵
PID:4180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,3514844340116205296,1882110340440093638,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2128 /prefetch:8
3⤵
PID:800

C:\Windows\System32\cmd.exe
cmd /c start C:\Users\Public\NortonLifeLock\modeling.exe
2⤵
PID:3796

C:\Users\Public\NortonLifeLock\modeling.exe
C:\Users\Public\NortonLifeLock\modeling.exe
3⤵
- Executes dropped EXE
PID:1832

C:\ManualBox\ScientificCalculator.exe
C:\ManualBox\ScientificCalculator.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4184

C:\ManualBox\blueView.exe
C:\ManualBox\blueView.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ManualBox\ScientificCalculator.exe

Filesize
17.1MB

MD5
6f6072e464f90f4f12432dd4cec04866

SHA1
17fe9cdd20a64fec5d471f6878a462a2ef0af212

SHA256
2cf983a131a11d33c86c7930fe6001be3415c690a9c3a0c54573137181e242e1

SHA512
962f4342b451e531108c8d8e67fe88a13da0ad0da774d0dda1e223ebd5122411b7fe71c69aa7e599c54752465681db6ed5e2c43eefccac5a80574ebe67ba1dfc

Download Submit
C:\ManualBox\blueView.exe

Filesize
5.1MB

MD5
94513b57b45e54901d1de05e39e1d0d8

SHA1
41ab10d5e057e714d8caad5855c115f5bef76097

SHA256
3a6e92e50ac8c34636d8e7a6ddcb74f7e28dd68cccfc27428b217846a3e5bff1

SHA512
53ce5deaedbdcfc2e6aeb66b19e040ddf20c8a268990a7d1fb62fad930b3c4dcc2454cbcb20659f1937b473f56d3f4fbe4f71a709afaa9f38c4f8be59ac9ac26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
58aa65696a745e5ece26263451b60d24

SHA1
705401ee8f90840abd4ce4b41224c201d4dc790e

SHA256
ad69150a1261a181dd2fa6bf7e8195d28217afbe96c671d24ff7aa8bf00bc7b4

SHA512
c426100e7a81605c62fde337ee41eb03fdda970982cb97789751002fe1409f62b38a2be9977d6f4895eedfde1284bc6ffe46ac795e4f9d60c187068ac603cd78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
6f8ec26a50e723ff3c8ec83eca87a75b

SHA1
4ce8b416327c3fc3abe7fb72a7b1cdd36808cca2

SHA256
8aabb3de8e3351b580fa034c2d450e8980c809650240b6c9f88f28c9c83f64b1

SHA512
2f12ddb6597fbffb32a55992f3ce7e23c553fbea7a903bfb276a6cf6be775464cd9b99fe6cc12a5f1a912be752d2743a9774db1b196cf21de98798ee6d660055

Download Submit
C:\Users\Public\NortonLifeLock\modeling.exe

Filesize
4.4MB

MD5
e0b670005db2d2eef16a5366deae18a8

SHA1
26be17aef483d553c0e5678e35611b019acd28a3

SHA256
354c109f7a129a45895fc2d4c2abc10cf20d66be19d28708e7dabaeef193fef6

SHA512
6dfee2d4a6f8b503b19a993db1bc2c1b944dc596f76aa1f5b41882246c785eac71607766ac250b2a7cf43b2ee353584a3cabb3299b39da5e20008745221d62a4

Download Submit
\??\pipe\LOCAL\crashpad_2788_OADNDAWRIFDYWQGN

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/64-152-0x0000000000000000-mapping.dmp

Download
memory/376-176-0x0000000000000000-mapping.dmp

Download
memory/536-167-0x0000000000000000-mapping.dmp

Download
memory/800-181-0x0000000000000000-mapping.dmp

Download
memory/960-174-0x0000000000000000-mapping.dmp

Download
memory/1332-160-0x0000000000000000-mapping.dmp

Download
memory/1456-146-0x0000000000000000-mapping.dmp

Download
memory/1800-154-0x0000000000000000-mapping.dmp

Download
memory/1832-163-0x0000000000000000-mapping.dmp

Download
memory/2364-156-0x0000000000000000-mapping.dmp

Download
memory/2788-135-0x0000000000000000-mapping.dmp

Download
memory/2976-136-0x0000000000000000-mapping.dmp

Download
memory/3044-142-0x0000000000000000-mapping.dmp

Download
memory/3340-158-0x0000000000000000-mapping.dmp

Download
memory/3420-170-0x0000000000000000-mapping.dmp

Download
memory/3440-159-0x0000000000000000-mapping.dmp

Download
memory/3464-177-0x0000000000000000-mapping.dmp

Download
memory/3504-139-0x0000000000000000-mapping.dmp

Download
memory/3796-162-0x0000000000000000-mapping.dmp

Download
memory/4080-148-0x0000000000000000-mapping.dmp

Download
memory/4180-179-0x0000000000000000-mapping.dmp

Download
memory/4184-165-0x0000000000000000-mapping.dmp

Download
memory/4212-138-0x0000000000000000-mapping.dmp

Download
memory/4544-144-0x0000000000000000-mapping.dmp

Download
memory/4584-172-0x0000000000000000-mapping.dmp

Download
memory/4788-161-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads