Analysis
-
max time kernel
151s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
03-12-2022 10:39
General
-
Target
858887b380596f12cbe30e3392b88ce7f8a9db25955034d94ec2a772d9a01ab3.exe
-
Size
435KB
-
MD5
dde59803ad21998c769f45975bc028eb
-
SHA1
058b4c801773d6acd2e1a4a4d2fc51698090d05f
-
SHA256
858887b380596f12cbe30e3392b88ce7f8a9db25955034d94ec2a772d9a01ab3
-
SHA512
fc1debe4b2648c5f08d9ca5f2ab212009f847681cb6c0a37953806bec981869687f12b0e697305a526b1ba984309335fee56f19419fbc94cd5282d6141ce3171
-
SSDEEP
12288:gG4vQqF148+hgIWOMaAto70A1BbZq9kl4M:mr42KMaxp16M
Malware Config
Signatures
-
ASPack v2.12-2.42 2 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Executes dropped EXE 1 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 26 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\858887b380596f12cbe30e3392b88ce7f8a9db25955034d94ec2a772d9a01ab3.exe"C:\Users\Admin\AppData\Local\Temp\858887b380596f12cbe30e3392b88ce7f8a9db25955034d94ec2a772d9a01ab3.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\windows\system\Isass.exe"C:\windows\system\Isass.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\windows\system\cartao.html2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x9c,0x104,0x7ffea72846f8,0x7ffea7284708,0x7ffea72847183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,12399529067528376944,5018938095286264315,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,12399529067528376944,5018938095286264315,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,12399529067528376944,5018938095286264315,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12399529067528376944,5018938095286264315,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12399529067528376944,5018938095286264315,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12399529067528376944,5018938095286264315,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,12399529067528376944,5018938095286264315,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5140 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12399529067528376944,5018938095286264315,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12399529067528376944,5018938095286264315,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2892 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,12399529067528376944,5018938095286264315,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3748 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12399529067528376944,5018938095286264315,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3808 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12399529067528376944,5018938095286264315,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,12399529067528376944,5018938095286264315,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings3⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6703e5460,0x7ff6703e5470,0x7ff6703e54804⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,12399529067528376944,5018938095286264315,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12399529067528376944,5018938095286264315,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12399529067528376944,5018938095286264315,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2660 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,12399529067528376944,5018938095286264315,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5684 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,12399529067528376944,5018938095286264315,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3172 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12399529067528376944,5018938095286264315,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3100 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,12399529067528376944,5018938095286264315,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1868 /prefetch:83⤵
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5673ebc6bd420c2311ed712deafc5e744
SHA1e9e737ca005e7f5d2fe22633e50b8d954b7060ee
SHA2567e2c61c3a97760bb147863ef5b32476e7ad40281c49f88f96b626987cf87daa8
SHA51202a57157ce464daed8b83c4dd3eb42eddc8851a1c4a5997b44c11eb24ebbfd119bd11e3aad31187cfc1d693d920dcc78d10593b98264e06a4d79ffe39046d35f
-
Filesize
1KB
MD561a43ad7b5e0efb0fd2a3468d3d3ec4a
SHA1549e5ea79d18c1443df8e33e06767c6743303c66
SHA2560e01a5872ad78b80cd0dbd9f4a68b0b7578e1b2cb4c335a48fe6e3b906b8228f
SHA51266c624ed2713fbd406d793de16c041048f6fa8ebe6888cf694311801037cc3f41ee21916a21c8ae4756db507a641166b7544901f245a05d1d110a82e72fa5523
-
Filesize
1KB
MD5eaa4dce3eae1609f49ebae7323d80fef
SHA1268d51e298f71353410a48e4ae2c3d9ba3e0b09b
SHA256df398498ccd10951e5b64a54a0d10547e36a78d1cbca6369ee8aabc83363ad83
SHA512132bafb53cca8aa087ecdf4c8b1432ff3a434412360a6bdec513add2c4417117fea4c02544cf914a3ba8f27893ced13ca883014d61258c5e11bd607d9a4a6946
-
Filesize
340B
MD50cefad0d28f8c24aa862f5ade2c88ad6
SHA17c8c32cb51c2de0c36f7d315072bc0fd87d6d274
SHA25666cad833409ac2299dda70ff1d260078975593ce03ea577e4c4e30b21418c08e
SHA51232fbdc8b3ff4ee9326116130c891e239828355160cbb261b90bfcb9b4681df8651cc13d6cd9ce19c48ea2adb12dc3c03fd04636a037d639e33e230d4fcd6f3e6
-
Filesize
442B
MD5b368095523cf31ae6f3bd42f275ea232
SHA1de4c40139bb9de098851e0adbdc6d9d477fca338
SHA256572ca0024186421d3328ad028d52f2f51f506aea7257f0e12561553499a827a4
SHA51262202f3f2dc8f518f30867df6221d128004faf29241252a1765a1c40c3816c26fdd4f417a436cb5da1ffa106296344e4176c76e1521aadf7c0ea6b47d29cc31d
-
Filesize
458B
MD5d9dfd3d77eba6accaec861899617076d
SHA115558bb563b05c28563319dfa8aac2dc89032915
SHA2563fa82ff32d96673b2ac40f96486943ea8891fb2157c5e247cbe41a23faf9d989
SHA5128b154e4ebb1815ae10f3a0fb03fcf972a31af39842d1278387714491e3cf3d91bc7f271753bb79d25354fc4bce9ba1faa28aa5d7c00c5263f625d06c93d83345
-
Filesize
432B
MD503bcae83e9fc33590305cad5ac5763db
SHA12526f80c4d8cef8d775fba4ae855d92de5fe241b
SHA256cc96350f779391cfa6d80aa9ed49d7f8710a2b807b542781d2582f210feb5047
SHA512b4934d80be9b84e32bc8086f2d718b22bb14a55fb4f4c8fa5423827dd01f0dc6ba003c42193a197ac51c51086e1d356f61c833e9ce79928a633e77e6fc38eb63
-
Filesize
374KB
MD58e84e918828c24aa20163f099802eda1
SHA1db2a492e3b1cd9f137bdb8567578e5116b321342
SHA256db7a049e95a848a3b54d53c751803950cd20ce4185bd2ad30bc3d6003eefcd93
SHA51268af9f490973adb8a7020c9bc2e622aa38bfd6503d5c2a6978e6d27e976f966bb6aa70bdd3ae4912c1e1046fb5357a24e5aaf5c0069dff5351c8e81638591135
-
Filesize
374KB
MD58e84e918828c24aa20163f099802eda1
SHA1db2a492e3b1cd9f137bdb8567578e5116b321342
SHA256db7a049e95a848a3b54d53c751803950cd20ce4185bd2ad30bc3d6003eefcd93
SHA51268af9f490973adb8a7020c9bc2e622aa38bfd6503d5c2a6978e6d27e976f966bb6aa70bdd3ae4912c1e1046fb5357a24e5aaf5c0069dff5351c8e81638591135
-
Filesize
68B
MD52152787342b7e99c8c6adc6a2430183c
SHA1f9a8dab3a4a08fe6af0eadcef06747cbd9c5dc11
SHA256fcd6ab594cf573d80609fb22ed43db08607c32da469ce930f783668b25146775
SHA51283489261f15bc9f2352a9246686cf2a091d078d90344975acaac1658743b9a5176ab36b53bbba04c1a75dd1fb6076c029cc723111d0565bb940ec5ea0d0d9511