9f29b786b8c29ee6cec2eb8f4a94513cea26d9298efb401e7c368a0b0a8e250c

Analysis

max time kernel
204s
max time network
209s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f29b786b8c29ee6cec2eb8f4a94513cea26d9298efb401e7c368a0b0a8e250c.exe
Size

5.0MB
MD5

86313d4bb564c330249fe779df9f7b98
SHA1

9ce66248be9279f426046990cb56b066d11fd359
SHA256

9f29b786b8c29ee6cec2eb8f4a94513cea26d9298efb401e7c368a0b0a8e250c
SHA512

34fb570fcc1f2b2a9b8188f43bb2501184e167abca3823107aea576a67a494b959b2915f329b51ca94d0c136ef58a4467e658c0c591026142796b52f19b0eff9
SSDEEP

98304:arxloPMQUnJJ81KZ0hzqedapQkOKUmbh3:yQMm7zqedapjUY3

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	9f29b786b8c29ee6cec2eb8f4a94513cea26d9298efb401e7c368a0b0a8e250c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4620	9f29b786b8c29ee6cec2eb8f4a94513cea26d9298efb401e7c368a0b0a8e250c.exe
4620	9f29b786b8c29ee6cec2eb8f4a94513cea26d9298efb401e7c368a0b0a8e250c.exe
4620	9f29b786b8c29ee6cec2eb8f4a94513cea26d9298efb401e7c368a0b0a8e250c.exe
4620	9f29b786b8c29ee6cec2eb8f4a94513cea26d9298efb401e7c368a0b0a8e250c.exe
4620	9f29b786b8c29ee6cec2eb8f4a94513cea26d9298efb401e7c368a0b0a8e250c.exe
4620	9f29b786b8c29ee6cec2eb8f4a94513cea26d9298efb401e7c368a0b0a8e250c.exe
4620	9f29b786b8c29ee6cec2eb8f4a94513cea26d9298efb401e7c368a0b0a8e250c.exe
4620	9f29b786b8c29ee6cec2eb8f4a94513cea26d9298efb401e7c368a0b0a8e250c.exe
3944	msedge.exe
3944	msedge.exe
2808	msedge.exe
2808	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2808	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4620	9f29b786b8c29ee6cec2eb8f4a94513cea26d9298efb401e7c368a0b0a8e250c.exe
4620	9f29b786b8c29ee6cec2eb8f4a94513cea26d9298efb401e7c368a0b0a8e250c.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 3956	4620	9f29b786b8c29ee6cec2eb8f4a94513cea26d9298efb401e7c368a0b0a8e250c.exe	82
PID 4620 wrote to memory of 3956	4620	9f29b786b8c29ee6cec2eb8f4a94513cea26d9298efb401e7c368a0b0a8e250c.exe	82
PID 4620 wrote to memory of 3956	4620	9f29b786b8c29ee6cec2eb8f4a94513cea26d9298efb401e7c368a0b0a8e250c.exe	82
PID 4620 wrote to memory of 4428	4620	9f29b786b8c29ee6cec2eb8f4a94513cea26d9298efb401e7c368a0b0a8e250c.exe	83
PID 4620 wrote to memory of 4428	4620	9f29b786b8c29ee6cec2eb8f4a94513cea26d9298efb401e7c368a0b0a8e250c.exe	83
PID 3956 wrote to memory of 2808	3956	rundll32.exe	84
PID 3956 wrote to memory of 2808	3956	rundll32.exe	84
PID 2808 wrote to memory of 2984	2808	msedge.exe	85
PID 2808 wrote to memory of 2984	2808	msedge.exe	85
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 444	2808	msedge.exe	89
PID 2808 wrote to memory of 3944	2808	msedge.exe	90
PID 2808 wrote to memory of 3944	2808	msedge.exe	90
PID 2808 wrote to memory of 4024	2808	msedge.exe	91
PID 2808 wrote to memory of 4024	2808	msedge.exe	91
PID 2808 wrote to memory of 4024	2808	msedge.exe	91
PID 2808 wrote to memory of 4024	2808	msedge.exe	91
PID 2808 wrote to memory of 4024	2808	msedge.exe	91
PID 2808 wrote to memory of 4024	2808	msedge.exe	91
PID 2808 wrote to memory of 4024	2808	msedge.exe	91
PID 2808 wrote to memory of 4024	2808	msedge.exe	91
PID 2808 wrote to memory of 4024	2808	msedge.exe	91
PID 2808 wrote to memory of 4024	2808	msedge.exe	91
PID 2808 wrote to memory of 4024	2808	msedge.exe	91
PID 2808 wrote to memory of 4024	2808	msedge.exe	91
PID 2808 wrote to memory of 4024	2808	msedge.exe	91

C:\Users\Admin\AppData\Local\Temp\9f29b786b8c29ee6cec2eb8f4a94513cea26d9298efb401e7c368a0b0a8e250c.exe
"C:\Users\Admin\AppData\Local\Temp\9f29b786b8c29ee6cec2eb8f4a94513cea26d9298efb401e7c368a0b0a8e250c.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" url.dll,FileProtocolHandler www.dnf86.com
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.dnf86.com/
    3⤵
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffba70b46f8,0x7ffba70b4708,0x7ffba70b4718
      4⤵
      PID:2984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,2365190689342923461,4463935745096546812,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
      4⤵
      PID:444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,2365190689342923461,4463935745096546812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3944
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,2365190689342923461,4463935745096546812,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
      4⤵
      PID:4024
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,2365190689342923461,4463935745096546812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
      4⤵
      PID:5008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,2365190689342923461,4463935745096546812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3044 /prefetch:1
      4⤵
      PID:2240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,2365190689342923461,4463935745096546812,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
      4⤵
      PID:2928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,2365190689342923461,4463935745096546812,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
      4⤵
      PID:4392
- C:\Windows\NOTEPAD.EXE
  C:\Windows\\NOTEPAD.EXE
  2⤵
  PID:4428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4620-133-0x0000000000400000-0x0000000000DCD000-memory.dmp

Filesize
9.8MB

Download
memory/4620-143-0x0000000000FA0000-0x0000000000FE0000-memory.dmp

Filesize
256KB

Download
memory/4620-142-0x0000000000400000-0x0000000000DCD000-memory.dmp

Filesize
9.8MB

Download
memory/4620-141-0x0000000000FA0000-0x0000000000FE0000-memory.dmp

Filesize
256KB

Download
memory/4620-140-0x0000000000400000-0x0000000000DCD000-memory.dmp

Filesize
9.8MB

Download
memory/4620-138-0x0000000000400000-0x0000000000DCD000-memory.dmp

Filesize
9.8MB

Download
memory/4620-136-0x0000000000400000-0x0000000000DCD000-memory.dmp

Filesize
9.8MB

Download
memory/4620-134-0x0000000000400000-0x0000000000DCD000-memory.dmp

Filesize
9.8MB

Download
memory/4620-132-0x0000000000400000-0x0000000000DCD000-memory.dmp

Filesize
9.8MB

Download