681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6

Analysis

max time kernel
151s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 06:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
Size

472KB
MD5

a556239106d352687659687e1832928a
SHA1

af477660e54642aae12a8584be9d0c7a6dbe3de3
SHA256

681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6
SHA512

d1a81e56852757a0336b60bdca21dba62599e247fbcd1f83cdbf9ac9762366122b432a150ced1274a50f241c0aff072b93091ba231a64ccb576266b98016beed
SSDEEP

3072:FQL8va4bjhxxp7HAM95tNez6HOB52YvpvQv5ijs3+0jJuvkca4ryF:FrdpHAM95tNez6HRxcj6u0

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
2668	msedge.exe
2668	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1388	msedge.exe
1388	msedge.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1388	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 1388	2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe	84
PID 2064 wrote to memory of 1388	2064	681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe	84
PID 1388 wrote to memory of 3368	1388	msedge.exe	85
PID 1388 wrote to memory of 3368	1388	msedge.exe	85
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2004	1388	msedge.exe	90
PID 1388 wrote to memory of 2668	1388	msedge.exe	91
PID 1388 wrote to memory of 2668	1388	msedge.exe	91
PID 1388 wrote to memory of 4568	1388	msedge.exe	92
PID 1388 wrote to memory of 4568	1388	msedge.exe	92
PID 1388 wrote to memory of 4568	1388	msedge.exe	92
PID 1388 wrote to memory of 4568	1388	msedge.exe	92
PID 1388 wrote to memory of 4568	1388	msedge.exe	92
PID 1388 wrote to memory of 4568	1388	msedge.exe	92
PID 1388 wrote to memory of 4568	1388	msedge.exe	92
PID 1388 wrote to memory of 4568	1388	msedge.exe	92
PID 1388 wrote to memory of 4568	1388	msedge.exe	92
PID 1388 wrote to memory of 4568	1388	msedge.exe	92
PID 1388 wrote to memory of 4568	1388	msedge.exe	92
PID 1388 wrote to memory of 4568	1388	msedge.exe	92
PID 1388 wrote to memory of 4568	1388	msedge.exe	92
PID 1388 wrote to memory of 4568	1388	msedge.exe	92
PID 1388 wrote to memory of 4568	1388	msedge.exe	92
PID 1388 wrote to memory of 4568	1388	msedge.exe	92
PID 1388 wrote to memory of 4568	1388	msedge.exe	92
PID 1388 wrote to memory of 4568	1388	msedge.exe	92

C:\Users\Admin\AppData\Local\Temp\681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe
"C:\Users\Admin\AppData\Local\Temp\681c1a99aba58046650b4e2e323c0e389922dea8b6e977aaf848751d281c44a6.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.youtube.com/watch?v=FUoNq1zO0BM
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffab28e46f8,0x7ffab28e4708,0x7ffab28e4718
    3⤵
    PID:3368
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,4178880187228069620,3155511246116427729,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
    3⤵
    PID:2004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,4178880187228069620,3155511246116427729,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,4178880187228069620,3155511246116427729,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3248 /prefetch:8
    3⤵
    PID:4568
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,4178880187228069620,3155511246116427729,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2596 /prefetch:1
    3⤵
    PID:5048
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,4178880187228069620,3155511246116427729,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2584 /prefetch:1
    3⤵
    PID:1916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2064-134-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2064-136-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download