c6e4dd14e30f57d82dd76067ad49d3bcb15d1e14eedabd29b4de27842ed045b0

Analysis

max time kernel
190s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 05:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c6e4dd14e30f57d82dd76067ad49d3bcb15d1e14eedabd29b4de27842ed045b0.exe
Size

308KB
MD5

d11abd22313efc9938af2b0a1fd49dbe
SHA1

974288054056f2eb171513b1f5fe592bfad67563
SHA256

c6e4dd14e30f57d82dd76067ad49d3bcb15d1e14eedabd29b4de27842ed045b0
SHA512

2b1d873212fda48d7c4102743d68ae69ba9f6f4fd0fa9e1735c061da0fa72c242ab878096104f1245117c88e9f8e2e26b7d55f3dca25df440ca06bfd4615de27
SSDEEP

3072:JYD2Jeidx1vse6HKHsHZHITelgA2rOu6t5xdgQkaKT8SD03BV:JYqJekDM5oT+gCP

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5064	msedge.exe
5064	msedge.exe
4520	msedge.exe
4520	msedge.exe
2160	msedge.exe
2160	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	224	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	224	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2160	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3452	c6e4dd14e30f57d82dd76067ad49d3bcb15d1e14eedabd29b4de27842ed045b0.exe
3452	c6e4dd14e30f57d82dd76067ad49d3bcb15d1e14eedabd29b4de27842ed045b0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 2160	3452	c6e4dd14e30f57d82dd76067ad49d3bcb15d1e14eedabd29b4de27842ed045b0.exe	84
PID 3452 wrote to memory of 2160	3452	c6e4dd14e30f57d82dd76067ad49d3bcb15d1e14eedabd29b4de27842ed045b0.exe	84
PID 3452 wrote to memory of 4712	3452	c6e4dd14e30f57d82dd76067ad49d3bcb15d1e14eedabd29b4de27842ed045b0.exe	85
PID 3452 wrote to memory of 4712	3452	c6e4dd14e30f57d82dd76067ad49d3bcb15d1e14eedabd29b4de27842ed045b0.exe	85
PID 2160 wrote to memory of 2124	2160	msedge.exe	87
PID 2160 wrote to memory of 2124	2160	msedge.exe	87
PID 4712 wrote to memory of 2576	4712	msedge.exe	86
PID 4712 wrote to memory of 2576	4712	msedge.exe	86
PID 4712 wrote to memory of 3008	4712	msedge.exe	90
PID 4712 wrote to memory of 3008	4712	msedge.exe	90
PID 4712 wrote to memory of 3008	4712	msedge.exe	90
PID 4712 wrote to memory of 3008	4712	msedge.exe	90
PID 4712 wrote to memory of 3008	4712	msedge.exe	90
PID 4712 wrote to memory of 3008	4712	msedge.exe	90
PID 4712 wrote to memory of 3008	4712	msedge.exe	90
PID 4712 wrote to memory of 3008	4712	msedge.exe	90
PID 4712 wrote to memory of 3008	4712	msedge.exe	90
PID 4712 wrote to memory of 3008	4712	msedge.exe	90
PID 4712 wrote to memory of 3008	4712	msedge.exe	90
PID 4712 wrote to memory of 3008	4712	msedge.exe	90
PID 4712 wrote to memory of 3008	4712	msedge.exe	90
PID 4712 wrote to memory of 3008	4712	msedge.exe	90
PID 4712 wrote to memory of 3008	4712	msedge.exe	90
PID 4712 wrote to memory of 3008	4712	msedge.exe	90
PID 4712 wrote to memory of 3008	4712	msedge.exe	90
PID 4712 wrote to memory of 3008	4712	msedge.exe	90
PID 4712 wrote to memory of 3008	4712	msedge.exe	90
PID 4712 wrote to memory of 3008	4712	msedge.exe	90
PID 4712 wrote to memory of 3008	4712	msedge.exe	90
PID 4712 wrote to memory of 3008	4712	msedge.exe	90
PID 4712 wrote to memory of 3008	4712	msedge.exe	90
PID 4712 wrote to memory of 3008	4712	msedge.exe	90
PID 4712 wrote to memory of 3008	4712	msedge.exe	90
PID 4712 wrote to memory of 3008	4712	msedge.exe	90
PID 4712 wrote to memory of 3008	4712	msedge.exe	90
PID 4712 wrote to memory of 3008	4712	msedge.exe	90
PID 4712 wrote to memory of 3008	4712	msedge.exe	90
PID 4712 wrote to memory of 3008	4712	msedge.exe	90
PID 4712 wrote to memory of 3008	4712	msedge.exe	90
PID 4712 wrote to memory of 3008	4712	msedge.exe	90
PID 2160 wrote to memory of 4700	2160	msedge.exe	91
PID 2160 wrote to memory of 4700	2160	msedge.exe	91
PID 2160 wrote to memory of 4700	2160	msedge.exe	91
PID 2160 wrote to memory of 4700	2160	msedge.exe	91
PID 2160 wrote to memory of 4700	2160	msedge.exe	91
PID 2160 wrote to memory of 4700	2160	msedge.exe	91
PID 2160 wrote to memory of 4700	2160	msedge.exe	91
PID 2160 wrote to memory of 4700	2160	msedge.exe	91
PID 2160 wrote to memory of 4700	2160	msedge.exe	91
PID 2160 wrote to memory of 4700	2160	msedge.exe	91
PID 2160 wrote to memory of 4700	2160	msedge.exe	91
PID 2160 wrote to memory of 4700	2160	msedge.exe	91
PID 2160 wrote to memory of 4700	2160	msedge.exe	91
PID 2160 wrote to memory of 4700	2160	msedge.exe	91
PID 2160 wrote to memory of 4700	2160	msedge.exe	91
PID 2160 wrote to memory of 4700	2160	msedge.exe	91
PID 2160 wrote to memory of 4700	2160	msedge.exe	91
PID 2160 wrote to memory of 4700	2160	msedge.exe	91
PID 2160 wrote to memory of 4700	2160	msedge.exe	91
PID 2160 wrote to memory of 4700	2160	msedge.exe	91
PID 2160 wrote to memory of 4700	2160	msedge.exe	91
PID 2160 wrote to memory of 4700	2160	msedge.exe	91
PID 2160 wrote to memory of 4700	2160	msedge.exe	91
PID 2160 wrote to memory of 4700	2160	msedge.exe	91

C:\Users\Admin\AppData\Local\Temp\c6e4dd14e30f57d82dd76067ad49d3bcb15d1e14eedabd29b4de27842ed045b0.exe
"C:\Users\Admin\AppData\Local\Temp\c6e4dd14e30f57d82dd76067ad49d3bcb15d1e14eedabd29b4de27842ed045b0.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://christian-k2.co.cc/
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc9b2d46f8,0x7ffc9b2d4708,0x7ffc9b2d4718
    3⤵
    PID:2124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,1668196578467662905,14016752051757387351,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
    3⤵
    PID:4700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,1668196578467662905,14016752051757387351,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4520
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,1668196578467662905,14016752051757387351,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 /prefetch:8
    3⤵
    PID:1480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1668196578467662905,14016752051757387351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2944 /prefetch:1
    3⤵
    PID:2940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1668196578467662905,14016752051757387351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2952 /prefetch:1
    3⤵
    PID:4116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1668196578467662905,14016752051757387351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
    3⤵
    PID:3728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1668196578467662905,14016752051757387351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
    3⤵
    PID:4856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1668196578467662905,14016752051757387351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
    3⤵
    PID:3796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.facebook.com/profile.php?id=100000038547268
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4712
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc9b2d46f8,0x7ffc9b2d4708,0x7ffc9b2d4718
    3⤵
    PID:2576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,5835731701062307886,7885909337239820487,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
    3⤵
    PID:3008
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,5835731701062307886,7885909337239820487,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5064

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3e4 0x3f0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
471B

MD5
6c45105d37cae5d67f739562faa24c0e

SHA1
4712bfcbd0250eec53be1e9c875527adfb692bce

SHA256
8c827f8ec567dba6e414c780523c54479ee02bcbacad9118804a6ef178e35fc4

SHA512
ea4419789cd1a20f784a6ee165fcb4cf9de288399f5551c97c2b8aa229122859caa5c31dded6df9be751b1365200da52c2bcff9823998f139f1a18564c10d3bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
442B

MD5
890ce109bcd90fbe2f97d464a5eb8d00

SHA1
03e01319aec58d8911f7fa7cbc607c6dedaa8a14

SHA256
b9eb72fa07a6ba1ec8a98f65dfe97b3b3a385a46852525528c693335b21081a4

SHA512
d200f787de636146b85fd673cde4bd8da4c9274bc2b6efb49e60fd747bbfc39f8f622451d292967f380fded1e8cbbe1271c828fa5d3b1157327416a1a334e643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a58a7931227f93b9a54bc982c0d99582

SHA1
7591b129f025f2003039a81830b9cd5d7043d3e2

SHA256
a6751ef5a8d88960e0fc22e205155f766e840d13c46c962166f35e3bf8367ac0

SHA512
24eec66ba6b79cebb2b920cdad34f9b68fcc9503a2e4bc718ddf3d39b8f959ee1c7b0e73079b31a0e8acc98960fcedeb7e49f38b8f5036aa21294048f7f1a79b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6102471af38b45f30decc8db2f59a8e2

SHA1
35428c52f58b3a35d5028929b6298d6b95d6bdec

SHA256
57e3a5210c5872fc5d56b4111a4d07e512ef54a79128391084c167c101a9d7c4

SHA512
1040720fe63680c7a17ced8026e3a2e31e0e73066bd0c3d74e5cd4a19c0e6f23dc30e0a41f62d92c0b9cc9840895ece4b3d36a200816e400feec49e54599b3fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6102471af38b45f30decc8db2f59a8e2

SHA1
35428c52f58b3a35d5028929b6298d6b95d6bdec

SHA256
57e3a5210c5872fc5d56b4111a4d07e512ef54a79128391084c167c101a9d7c4

SHA512
1040720fe63680c7a17ced8026e3a2e31e0e73066bd0c3d74e5cd4a19c0e6f23dc30e0a41f62d92c0b9cc9840895ece4b3d36a200816e400feec49e54599b3fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6102471af38b45f30decc8db2f59a8e2

SHA1
35428c52f58b3a35d5028929b6298d6b95d6bdec

SHA256
57e3a5210c5872fc5d56b4111a4d07e512ef54a79128391084c167c101a9d7c4

SHA512
1040720fe63680c7a17ced8026e3a2e31e0e73066bd0c3d74e5cd4a19c0e6f23dc30e0a41f62d92c0b9cc9840895ece4b3d36a200816e400feec49e54599b3fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6102471af38b45f30decc8db2f59a8e2

SHA1
35428c52f58b3a35d5028929b6298d6b95d6bdec

SHA256
57e3a5210c5872fc5d56b4111a4d07e512ef54a79128391084c167c101a9d7c4

SHA512
1040720fe63680c7a17ced8026e3a2e31e0e73066bd0c3d74e5cd4a19c0e6f23dc30e0a41f62d92c0b9cc9840895ece4b3d36a200816e400feec49e54599b3fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
62ab9426cd2b5028b7a26aeafc0a94f6

SHA1
8df6c445215bd38b646cc8384f2e45f4b30c4bd9

SHA256
d5328edf5962cd8995cf11ccf42001f2314be07e6e3251a7d60767fd13a24064

SHA512
d019c67d22b26c69580768d9da33ef8fc10adf10e9983cd37e136ffeae5240e00f276e6bba3208f21cb3c27500942c1907ed39e867e4f0a2b7a69b883d768491

Download Submit