80daeec32c4197d23614bfd6bb33b970fb45afbc5ad2990e1d7571735f2dd840

Analysis

max time kernel
181s
max time network
209s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80daeec32c4197d23614bfd6bb33b970fb45afbc5ad2990e1d7571735f2dd840.exe
Size

56KB
MD5

d6db2418b92c1df56422e5fceaebe0f5
SHA1

15c0b039d8bfb1b0f9f753af73c279f1cc57df3e
SHA256

80daeec32c4197d23614bfd6bb33b970fb45afbc5ad2990e1d7571735f2dd840
SHA512

41f12b640f0909b8170d254255960d30ed49891fca0754379e7cc0528049a8f83cbd4b56a04edc75e78e98f9d39b1d9f15c30d71bb46d48259736596aa68451c
SSDEEP

768:ECPd5jJ2AeYUllXWhwkVzVVLZcTW+ZR1kUE6dLXUlPRAR911BtRbS4r:ECPd5jw7MF+6UE6d4lyr1W4

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\AlexHack2012.dll	80daeec32c4197d23614bfd6bb33b970fb45afbc5ad2990e1d7571735f2dd840.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
364	msedge.exe
364	msedge.exe
3068	msedge.exe
3068	msedge.exe
3568	msedge.exe
3568	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3568	msedge.exe
3568	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4900	80daeec32c4197d23614bfd6bb33b970fb45afbc5ad2990e1d7571735f2dd840.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 3464	4900	80daeec32c4197d23614bfd6bb33b970fb45afbc5ad2990e1d7571735f2dd840.exe	83
PID 4900 wrote to memory of 3464	4900	80daeec32c4197d23614bfd6bb33b970fb45afbc5ad2990e1d7571735f2dd840.exe	83
PID 4900 wrote to memory of 3568	4900	80daeec32c4197d23614bfd6bb33b970fb45afbc5ad2990e1d7571735f2dd840.exe	84
PID 4900 wrote to memory of 3568	4900	80daeec32c4197d23614bfd6bb33b970fb45afbc5ad2990e1d7571735f2dd840.exe	84
PID 3568 wrote to memory of 1928	3568	msedge.exe	85
PID 3568 wrote to memory of 1928	3568	msedge.exe	85
PID 3464 wrote to memory of 5036	3464	msedge.exe	86
PID 3464 wrote to memory of 5036	3464	msedge.exe	86
PID 3568 wrote to memory of 3060	3568	msedge.exe	92
PID 3568 wrote to memory of 3060	3568	msedge.exe	92
PID 3568 wrote to memory of 3060	3568	msedge.exe	92
PID 3568 wrote to memory of 3060	3568	msedge.exe	92
PID 3568 wrote to memory of 3060	3568	msedge.exe	92
PID 3568 wrote to memory of 3060	3568	msedge.exe	92
PID 3568 wrote to memory of 3060	3568	msedge.exe	92
PID 3568 wrote to memory of 3060	3568	msedge.exe	92
PID 3568 wrote to memory of 3060	3568	msedge.exe	92
PID 3568 wrote to memory of 3060	3568	msedge.exe	92
PID 3568 wrote to memory of 3060	3568	msedge.exe	92
PID 3568 wrote to memory of 3060	3568	msedge.exe	92
PID 3568 wrote to memory of 3060	3568	msedge.exe	92
PID 3568 wrote to memory of 3060	3568	msedge.exe	92
PID 3568 wrote to memory of 3060	3568	msedge.exe	92
PID 3568 wrote to memory of 3060	3568	msedge.exe	92
PID 3568 wrote to memory of 3060	3568	msedge.exe	92
PID 3568 wrote to memory of 3060	3568	msedge.exe	92
PID 3568 wrote to memory of 3060	3568	msedge.exe	92
PID 3568 wrote to memory of 3060	3568	msedge.exe	92
PID 3568 wrote to memory of 3060	3568	msedge.exe	92
PID 3568 wrote to memory of 3060	3568	msedge.exe	92
PID 3568 wrote to memory of 3060	3568	msedge.exe	92
PID 3568 wrote to memory of 3060	3568	msedge.exe	92
PID 3568 wrote to memory of 3060	3568	msedge.exe	92
PID 3568 wrote to memory of 3060	3568	msedge.exe	92
PID 3568 wrote to memory of 3060	3568	msedge.exe	92
PID 3568 wrote to memory of 3060	3568	msedge.exe	92
PID 3568 wrote to memory of 3060	3568	msedge.exe	92
PID 3568 wrote to memory of 3060	3568	msedge.exe	92
PID 3568 wrote to memory of 3060	3568	msedge.exe	92
PID 3568 wrote to memory of 3060	3568	msedge.exe	92
PID 3464 wrote to memory of 3028	3464	msedge.exe	91
PID 3464 wrote to memory of 3028	3464	msedge.exe	91
PID 3464 wrote to memory of 3028	3464	msedge.exe	91
PID 3464 wrote to memory of 3028	3464	msedge.exe	91
PID 3464 wrote to memory of 3028	3464	msedge.exe	91
PID 3464 wrote to memory of 3028	3464	msedge.exe	91
PID 3464 wrote to memory of 3028	3464	msedge.exe	91
PID 3464 wrote to memory of 3028	3464	msedge.exe	91
PID 3464 wrote to memory of 3028	3464	msedge.exe	91
PID 3464 wrote to memory of 3028	3464	msedge.exe	91
PID 3464 wrote to memory of 3028	3464	msedge.exe	91
PID 3464 wrote to memory of 3028	3464	msedge.exe	91
PID 3464 wrote to memory of 3028	3464	msedge.exe	91
PID 3464 wrote to memory of 3028	3464	msedge.exe	91
PID 3464 wrote to memory of 3028	3464	msedge.exe	91
PID 3464 wrote to memory of 3028	3464	msedge.exe	91
PID 3464 wrote to memory of 3028	3464	msedge.exe	91
PID 3464 wrote to memory of 3028	3464	msedge.exe	91
PID 3464 wrote to memory of 3028	3464	msedge.exe	91
PID 3464 wrote to memory of 3028	3464	msedge.exe	91
PID 3464 wrote to memory of 3028	3464	msedge.exe	91
PID 3464 wrote to memory of 3028	3464	msedge.exe	91
PID 3464 wrote to memory of 3028	3464	msedge.exe	91
PID 3464 wrote to memory of 3028	3464	msedge.exe	91

C:\Users\Admin\AppData\Local\Temp\80daeec32c4197d23614bfd6bb33b970fb45afbc5ad2990e1d7571735f2dd840.exe
"C:\Users\Admin\AppData\Local\Temp\80daeec32c4197d23614bfd6bb33b970fb45afbc5ad2990e1d7571735f2dd840.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://facebook.com/25bil
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffab2ef46f8,0x7ffab2ef4708,0x7ffab2ef4718
    3⤵
    PID:5036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,10476167925385654078,1178532487335449370,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
    3⤵
    PID:3028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,10476167925385654078,1178532487335449370,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://billkr4z.blogspot.com/
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0xfc,0x100,0x8,0x104,0x7ffab2ef46f8,0x7ffab2ef4708,0x7ffab2ef4718
    3⤵
    PID:1928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,7386504014269431637,1721391942348011568,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
    3⤵
    PID:3060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,7386504014269431637,1721391942348011568,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:364
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,7386504014269431637,1721391942348011568,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
    3⤵
    PID:4580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7386504014269431637,1721391942348011568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1
    3⤵
    PID:3484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7386504014269431637,1721391942348011568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
    3⤵
    PID:4128
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7386504014269431637,1721391942348011568,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:1
    3⤵
    PID:4736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7386504014269431637,1721391942348011568,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
    3⤵
    PID:3228
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7386504014269431637,1721391942348011568,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
    3⤵
    PID:4732
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,7386504014269431637,1721391942348011568,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6376 /prefetch:8
    3⤵
    PID:4264

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
471B

MD5
cc824a79f28b8a645a799f23df0b9491

SHA1
f0b40369636e0957130906c68a609b146697b61f

SHA256
ac65a021aad43fa51c9375a41e1a33e7a80368b0bc9c82284b74d1be602e9372

SHA512
1fbc15170884ae6d7adf2a31621b014ed29c41021e837f4a8521a81b1b1d9a3f62c45b4e27b5beb8430575f5db50ee647237df77367a058484379adf398d9161

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
442B

MD5
cfc12b6602aa6c474b1d348fc31d13ff

SHA1
209089b83c396117d9a734df89a436da5754c1d7

SHA256
999f1e9cfae17b7c081b2dce55410178cf6e738baa19ccec4cc132553a33c318

SHA512
366706201275eb7ddf7b27d43ace80e8a27f5451ff495f84052ac43e8ccff6efe1525c18b6ebed42fd0c140cc8ce6cb3a36fe4788ad55bca81277b85c997aafa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d492567d4611438b2f936ddcaa9544ef

SHA1
ae88af380bbeb5e05a0446163a5434d70710f853

SHA256
0cba2ccfcfff09f076de767bf8df52485a8ac4b29cd3d14d53b23fdad2da3645

SHA512
150794b8598594ac00f827996e62d84b9331f1e35386e908485181204e823e8e5802fa543b53aca4d3046d176eaf4ee1dcb4df211589ea2fedac46170f162f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d492567d4611438b2f936ddcaa9544ef

SHA1
ae88af380bbeb5e05a0446163a5434d70710f853

SHA256
0cba2ccfcfff09f076de767bf8df52485a8ac4b29cd3d14d53b23fdad2da3645

SHA512
150794b8598594ac00f827996e62d84b9331f1e35386e908485181204e823e8e5802fa543b53aca4d3046d176eaf4ee1dcb4df211589ea2fedac46170f162f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d492567d4611438b2f936ddcaa9544ef

SHA1
ae88af380bbeb5e05a0446163a5434d70710f853

SHA256
0cba2ccfcfff09f076de767bf8df52485a8ac4b29cd3d14d53b23fdad2da3645

SHA512
150794b8598594ac00f827996e62d84b9331f1e35386e908485181204e823e8e5802fa543b53aca4d3046d176eaf4ee1dcb4df211589ea2fedac46170f162f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
18ad3a99cbd5ddc6b806e98374137f92

SHA1
03b6e4402a81fc0585430539a6d4a208b6ca9020

SHA256
b4f8afdb8ec7975ab4f4bff3a5c1fcab389dee2b9eb38b9603099d500457145f

SHA512
faabf3e957ee6516f8e66a1decfb2279e3923f63d0bc3f4f6aa5082b84feba57e48d0c631800b962567313b26d6cb92192a29eef6faf7b0be01894233b4929b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
18ad3a99cbd5ddc6b806e98374137f92

SHA1
03b6e4402a81fc0585430539a6d4a208b6ca9020

SHA256
b4f8afdb8ec7975ab4f4bff3a5c1fcab389dee2b9eb38b9603099d500457145f

SHA512
faabf3e957ee6516f8e66a1decfb2279e3923f63d0bc3f4f6aa5082b84feba57e48d0c631800b962567313b26d6cb92192a29eef6faf7b0be01894233b4929b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
18ad3a99cbd5ddc6b806e98374137f92

SHA1
03b6e4402a81fc0585430539a6d4a208b6ca9020

SHA256
b4f8afdb8ec7975ab4f4bff3a5c1fcab389dee2b9eb38b9603099d500457145f

SHA512
faabf3e957ee6516f8e66a1decfb2279e3923f63d0bc3f4f6aa5082b84feba57e48d0c631800b962567313b26d6cb92192a29eef6faf7b0be01894233b4929b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
640a2b89f5d6711f69faf87a7fd8bc50

SHA1
c19c874cbcb450519e921038ce00ccda7937dc4b

SHA256
5d1cceedf6281b2d83e8e214556a29f90f8c024949680811b076d7ec0af19d21

SHA512
992faa5c13c2529237db043f1aa156cd1ab6eb87d0665227d0a58e9e25c65208ae06b54f6d28e1636c497736aa4a60f2f908d064d9c57cfa05f4df4f94ba5965

Download Submit