23853e1c3e27b5e9db0cacabfbbc85ee06dcd4f1156baa2e62d92e4f34129855

Analysis

max time kernel
161s
max time network
202s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23853e1c3e27b5e9db0cacabfbbc85ee06dcd4f1156baa2e62d92e4f34129855.exe
Size

32KB
MD5

cdb134ee62c579959b9605ae4a3281b2
SHA1

2e1630828e3238600a9d7e3b91cc55c95dec85c0
SHA256

23853e1c3e27b5e9db0cacabfbbc85ee06dcd4f1156baa2e62d92e4f34129855
SHA512

ffb8aa577504d82f3c7a1d2b325c6bba56e439c11b34799187f31f8c1295531a8b2f077155dd2e396b83b559671f4f0a26c1e39f268d52b7b43c44663b282fb3
SSDEEP

768:qBT7d+kxELX1PDkIwkdVXi37xuud0w9MtLrMCq+M:gT7d+yONXHXsKtLrMCq+

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3640	msedge.exe
3640	msedge.exe
4384	msedge.exe
4384	msedge.exe
1300	msedge.exe
1300	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1300	msedge.exe
1300	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 1300	1144	23853e1c3e27b5e9db0cacabfbbc85ee06dcd4f1156baa2e62d92e4f34129855.exe	84
PID 1144 wrote to memory of 1300	1144	23853e1c3e27b5e9db0cacabfbbc85ee06dcd4f1156baa2e62d92e4f34129855.exe	84
PID 1300 wrote to memory of 1436	1300	msedge.exe	85
PID 1300 wrote to memory of 1436	1300	msedge.exe	85
PID 1144 wrote to memory of 1264	1144	23853e1c3e27b5e9db0cacabfbbc85ee06dcd4f1156baa2e62d92e4f34129855.exe	86
PID 1144 wrote to memory of 1264	1144	23853e1c3e27b5e9db0cacabfbbc85ee06dcd4f1156baa2e62d92e4f34129855.exe	86
PID 1264 wrote to memory of 1848	1264	msedge.exe	87
PID 1264 wrote to memory of 1848	1264	msedge.exe	87
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 912	1300	msedge.exe	90
PID 1300 wrote to memory of 3640	1300	msedge.exe	91
PID 1300 wrote to memory of 3640	1300	msedge.exe	91
PID 1264 wrote to memory of 2448	1264	msedge.exe	92
PID 1264 wrote to memory of 2448	1264	msedge.exe	92
PID 1264 wrote to memory of 2448	1264	msedge.exe	92
PID 1264 wrote to memory of 2448	1264	msedge.exe	92
PID 1264 wrote to memory of 2448	1264	msedge.exe	92
PID 1264 wrote to memory of 2448	1264	msedge.exe	92
PID 1264 wrote to memory of 2448	1264	msedge.exe	92
PID 1264 wrote to memory of 2448	1264	msedge.exe	92
PID 1264 wrote to memory of 2448	1264	msedge.exe	92
PID 1264 wrote to memory of 2448	1264	msedge.exe	92
PID 1264 wrote to memory of 2448	1264	msedge.exe	92
PID 1264 wrote to memory of 2448	1264	msedge.exe	92
PID 1264 wrote to memory of 2448	1264	msedge.exe	92
PID 1264 wrote to memory of 2448	1264	msedge.exe	92

C:\Users\Admin\AppData\Local\Temp\23853e1c3e27b5e9db0cacabfbbc85ee06dcd4f1156baa2e62d92e4f34129855.exe
"C:\Users\Admin\AppData\Local\Temp\23853e1c3e27b5e9db0cacabfbbc85ee06dcd4f1156baa2e62d92e4f34129855.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=23853e1c3e27b5e9db0cacabfbbc85ee06dcd4f1156baa2e62d92e4f34129855.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xdc,0x104,0x7ffa78ae46f8,0x7ffa78ae4708,0x7ffa78ae4718
    3⤵
    PID:1436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,15946628148406950261,8646073601872030510,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
    3⤵
    PID:912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,15946628148406950261,8646073601872030510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3640
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,15946628148406950261,8646073601872030510,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
    3⤵
    PID:1352
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15946628148406950261,8646073601872030510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
    3⤵
    PID:4020
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15946628148406950261,8646073601872030510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3820 /prefetch:1
    3⤵
    PID:2288
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15946628148406950261,8646073601872030510,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4532 /prefetch:1
    3⤵
    PID:3384
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15946628148406950261,8646073601872030510,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
    3⤵
    PID:4068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15946628148406950261,8646073601872030510,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
    3⤵
    PID:5060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2124,15946628148406950261,8646073601872030510,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5976 /prefetch:8
    3⤵
    PID:4200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=23853e1c3e27b5e9db0cacabfbbc85ee06dcd4f1156baa2e62d92e4f34129855.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa78ae46f8,0x7ffa78ae4708,0x7ffa78ae4718
    3⤵
    PID:1848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,593755626804163898,9672381928701110305,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
    3⤵
    PID:2448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,593755626804163898,9672381928701110305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2868 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8A7891822FCFF127E4EADADE9757112B

Filesize
926B

MD5
ec0b217f434f655da9184c2c810789f0

SHA1
bddfd7f74c853889b6be6669313db20ad1650494

SHA256
a23c4cfbb5abc7cb305d3e2f3eb33ce135fd782c2bbc020797c26f2708448664

SHA512
952d57683a2e9bef308fc40eea3ad30542cacb9dd435f74b16cbee56ed044b1da96a9afe1072e3c3c7efce7f4cb5ecaa1971a555f9d68d90099636400e7f8de8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8A7891822FCFF127E4EADADE9757112B

Filesize
246B

MD5
11d97b37c237c8c78f97ba5dac92e5f5

SHA1
3c53652c5cff763dba24e79f5014a782dd7ee0c1

SHA256
6c210bddde98cdd258473cba61bd14680f40edf3f5f2c19cd54a757ca2db555c

SHA512
5759b2b11a5c0f03d729f66d80d6bde1add1a984e30603906791b9ad90cc2e912f1a1f613512a735e0eba76c094e14f73e490a94e3db3efa65c542263f91d7a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d492567d4611438b2f936ddcaa9544ef

SHA1
ae88af380bbeb5e05a0446163a5434d70710f853

SHA256
0cba2ccfcfff09f076de767bf8df52485a8ac4b29cd3d14d53b23fdad2da3645

SHA512
150794b8598594ac00f827996e62d84b9331f1e35386e908485181204e823e8e5802fa543b53aca4d3046d176eaf4ee1dcb4df211589ea2fedac46170f162f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d492567d4611438b2f936ddcaa9544ef

SHA1
ae88af380bbeb5e05a0446163a5434d70710f853

SHA256
0cba2ccfcfff09f076de767bf8df52485a8ac4b29cd3d14d53b23fdad2da3645

SHA512
150794b8598594ac00f827996e62d84b9331f1e35386e908485181204e823e8e5802fa543b53aca4d3046d176eaf4ee1dcb4df211589ea2fedac46170f162f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
18ad3a99cbd5ddc6b806e98374137f92

SHA1
03b6e4402a81fc0585430539a6d4a208b6ca9020

SHA256
b4f8afdb8ec7975ab4f4bff3a5c1fcab389dee2b9eb38b9603099d500457145f

SHA512
faabf3e957ee6516f8e66a1decfb2279e3923f63d0bc3f4f6aa5082b84feba57e48d0c631800b962567313b26d6cb92192a29eef6faf7b0be01894233b4929b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
18ad3a99cbd5ddc6b806e98374137f92

SHA1
03b6e4402a81fc0585430539a6d4a208b6ca9020

SHA256
b4f8afdb8ec7975ab4f4bff3a5c1fcab389dee2b9eb38b9603099d500457145f

SHA512
faabf3e957ee6516f8e66a1decfb2279e3923f63d0bc3f4f6aa5082b84feba57e48d0c631800b962567313b26d6cb92192a29eef6faf7b0be01894233b4929b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
18ad3a99cbd5ddc6b806e98374137f92

SHA1
03b6e4402a81fc0585430539a6d4a208b6ca9020

SHA256
b4f8afdb8ec7975ab4f4bff3a5c1fcab389dee2b9eb38b9603099d500457145f

SHA512
faabf3e957ee6516f8e66a1decfb2279e3923f63d0bc3f4f6aa5082b84feba57e48d0c631800b962567313b26d6cb92192a29eef6faf7b0be01894233b4929b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
d4233c07132191791c5f8c3ef0c5f4de

SHA1
c0588ceb99c5ed78b40b5378de38e8eb8df794f0

SHA256
45f766abe8fbaedea04b0e18b63be74b0b9305113564e2fc8efea92c1a7a7179

SHA512
8f02e3fb6bfc9027120cd2492450fbf72479961d7b94007b80b3a9955f8922664b617f3f2c38fca69ef55624105e82ee4589319848e17be41ffbb42cc34019cf

Download Submit