d1add14944ee25075c685db2ef39cf28fa0ca695c4d336831e7af31f01b57e8a

Analysis

max time kernel
207s
max time network
220s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1add14944ee25075c685db2ef39cf28fa0ca695c4d336831e7af31f01b57e8a.exe
Size

643KB
MD5

3ae4d65f40833a6ef8b76d10230348c5
SHA1

c0c3802928ebb16b42e7875a10e550b3b15f4382
SHA256

d1add14944ee25075c685db2ef39cf28fa0ca695c4d336831e7af31f01b57e8a
SHA512

830bec1b16b75da31220b6cbd51820221e78e6e11f4c2e9a52a9a114d1a61962e4df32357104ab38d10c400ce7b5d32b8d113c18de9c20bfef2010c85f187542
SSDEEP

12288:miKU0BFtvsPUkGXgDkmBxAJmKVg8zThh6XQ1HoRUAWfTq3N:IVXtyLGwDJkJxVVzXIIHo7WfTq

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4540	Wtool.exe

Loads dropped DLL 4 IoCs

pid	Process
4540	Wtool.exe
4540	Wtool.exe
3224	IEXPLORE.EXE
3224	IEXPLORE.EXE

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\History-journal	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Reporting and NEL-journal	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-63941310-648.pma	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\MANIFEST-000001	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache	msedge.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat	msedge.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\bc8474c2-ec10-4608-8efd-5f66ddb9f7a8.tmp	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\6ccabc95-55c9-4f22-b278-dff0d49c645a.tmp	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_2	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Local State	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_3	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\lockfile	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Last Version	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOCK	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\MANIFEST-000001	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\temp-index	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad\throttle_store.dat	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\fb58e51c-e96e-4a15-a863-337648d240aa.tmp	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\MANIFEST-000001	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\c0ed1785-ae50-4998-8027-ac02b224a45c.tmp	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Reporting and NEL	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\2934094d-821b-4426-87d9-313a07f7dadd.tmp	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_3	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000001.dbtmp	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\0910f60e-8d8b-4e14-8a8b-6a590634f214.tmp	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\CrashpadMetrics.pma	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_638062239900321406	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOCK	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\3413dcff-0a57-4c81-93f9-6c6347f6e14f.tmp	msedge.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\7b032405-c769-42bc-b0ab-2feabafc84f0.tmp	msedge.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\abcaaa1f-e93a-4b38-bd66-e1fffa1c7f34.tmp	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\DNTException\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\d1e92ca8-2d0d-4f21-8a7a-52c38904f935.tmp	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\data_1	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\e159d82a-3316-44d2-88ea-321eed141d7b.tmp	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_3	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad\throttle_store.dat	msedge.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Wtool.exe	d1add14944ee25075c685db2ef39cf28fa0ca695c4d336831e7af31f01b57e8a.exe
File created	C:\Windows\Wtool.DLL	Wtool.exe
File created	C:\Windows\Wtool.exe	d1add14944ee25075c685db2ef39cf28fa0ca695c4d336831e7af31f01b57e8a.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\UsageStatsInSample = "1"	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\Edge	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000036a2b8a9194d5a41aa3c17f277f0447a0000000002000000000010660000000100002000000054257f3f421a154b0a139f1e44d741db1a7fce7115c5140d86d18baa0dd17b44000000000e8000000002000020000000b032066ec4e5dedc9abc421a7240c6f90ae774509b4e2c7e809ebe33522e823e1000000020d5f2870f0d57e600136363ac958d4f40000000e4cd5e18299a31512133ee21a34cd7c5c4dc9461555b4d12ed698f237314519cfd13e62685a35855c68af7f0f79e09115d88cee732cb75798e1d4407255426a9	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\IEToEdge\QuietExpirationTime = "133152086503870190"	msedge.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\BLBeacon\version = "92.0.902.67"	msedge.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\PreferenceMACs\Default\extensions.settings\ampmimodbocknpfehkbdjolnnbongejb = "4A2E1D6F85FADD898CC32899D06F7AD2B785C4EB3F90BA6ED067F075D8FD6F69"	msedge.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\SmartScreenPuaEnabled	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Feeds	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\F12	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ie_to_edge_stub.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\KnownProvidersUpgradeTime = 8497dd5115f6d801	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "2609304271"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\User Preferences	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	msedge.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\PreferenceMACs\Default\extensions.settings\kmendfapggjehodndflmmgagdbamhnfd = "F746962A582E705AB3A7C3AFF9BDF91ACEAE0892B7D51DF4C359BFBE24BF28B5"	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT	msedge.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Connection Wizard\Completed = 01000000	Wtool.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ie_to_edge_stub.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Feeds\MUID\	msedge.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\PreferenceMACs\Default\extensions.settings	msedge.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\PreferenceMACs\Default\extensions.settings\ihmafllikibpmigkcoadcmckbfhibefp = "9B135614AF8A725BACC1BB5CFD9109CEF03680C16E942BD66B1DA82E67E7E33B"	msedge.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\dr = "1"	msedge.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\PreferenceMACs\Default\software_reporter.prompt_version = "60F014448E14DDAC68AD989D075D857E2ABEB4C578CCCF58133EF51D9D5F0244"	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	msedge.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\PreferenceMACs\Default\extensions.settings\nkeimhogjdpnpccoofpliimaahmaaome = "DDE8489871AE7AE8E75E06B524B4426378B74644B36C3FDD7E8049570DDF4518"	msedge.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	msedge.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore\Count = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge	msedge.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\PreferenceMACs\Default\homepage = "F75396E7675F3C71682E2056274BEBDDE09B3F559BA1C9836BAECCD2019FBD75"	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	Wtool.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Connection Wizard	Wtool.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	msedge.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\StabilityMetrics	msedge.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\PreferenceMACs\Default\extensions.settings\mhjfbmdgcfjbbpaeojofohoefgiehjai = "96FBF5997EADC3B7E6D976195FF95042867981B9D8D2EE2ECE08A35EEC47B9D3"	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\iexplore\Flags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL = "http://www.bing.com/favicon.ico"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\Internet Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3164	msedge.exe
3164	msedge.exe
1608	msedge.exe
1608	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4540	Wtool.exe
Token: SeDebugPrivilege	3224	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
1628	IEXPLORE.EXE
1628	IEXPLORE.EXE
1628	IEXPLORE.EXE
1628	IEXPLORE.EXE
1628	IEXPLORE.EXE
1628	IEXPLORE.EXE
1628	IEXPLORE.EXE
1628	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1628	IEXPLORE.EXE
1628	IEXPLORE.EXE
3224	IEXPLORE.EXE
3224	IEXPLORE.EXE
4540	Wtool.exe
4540	Wtool.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 1628	4540	Wtool.exe	81
PID 4540 wrote to memory of 1628	4540	Wtool.exe	81
PID 1628 wrote to memory of 3224	1628	IEXPLORE.EXE	82
PID 1628 wrote to memory of 3224	1628	IEXPLORE.EXE	82
PID 1628 wrote to memory of 3224	1628	IEXPLORE.EXE	82
PID 3224 wrote to memory of 64	3224	IEXPLORE.EXE	83
PID 3224 wrote to memory of 64	3224	IEXPLORE.EXE	83
PID 64 wrote to memory of 1608	64	ie_to_edge_stub.exe	85
PID 64 wrote to memory of 1608	64	ie_to_edge_stub.exe	85
PID 1608 wrote to memory of 2252	1608	msedge.exe	87
PID 1608 wrote to memory of 2252	1608	msedge.exe	87
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 5112	1608	msedge.exe	90
PID 1608 wrote to memory of 3164	1608	msedge.exe	91
PID 1608 wrote to memory of 3164	1608	msedge.exe	91
PID 1608 wrote to memory of 4396	1608	msedge.exe	92
PID 1608 wrote to memory of 4396	1608	msedge.exe	92
PID 1608 wrote to memory of 4396	1608	msedge.exe	92
PID 1608 wrote to memory of 4396	1608	msedge.exe	92
PID 1608 wrote to memory of 4396	1608	msedge.exe	92
PID 1608 wrote to memory of 4396	1608	msedge.exe	92
PID 1608 wrote to memory of 4396	1608	msedge.exe	92
PID 1608 wrote to memory of 4396	1608	msedge.exe	92
PID 1608 wrote to memory of 4396	1608	msedge.exe	92
PID 1608 wrote to memory of 4396	1608	msedge.exe	92
PID 1608 wrote to memory of 4396	1608	msedge.exe	92

C:\Users\Admin\AppData\Local\Temp\d1add14944ee25075c685db2ef39cf28fa0ca695c4d336831e7af31f01b57e8a.exe
"C:\Users\Admin\AppData\Local\Temp\d1add14944ee25075c685db2ef39cf28fa0ca695c4d336831e7af31f01b57e8a.exe"
1⤵
- Drops file in Windows directory
PID:1956

C:\Windows\Wtool.exe
C:\Windows\Wtool.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1628 CREDAT:17410 /prefetch:2
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3224
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=10050
      4⤵
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:64
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=10050
        5⤵
        Drops file in System32 directory
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of WriteProcessMemory
        
        PID:1608
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff811c846f8,0x7ff811c84708,0x7ff811c84718
        6⤵
        Drops file in System32 directory
        
        PID:2252
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,10266190076115541484,15865541404480780978,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
        6⤵
        Modifies data under HKEY_USERS
        
        PID:5112
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,10266190076115541484,15865541404480780978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        
        PID:3164
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,10266190076115541484,15865541404480780978,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8
        6⤵
        
        PID:4396
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10266190076115541484,15865541404480780978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
        6⤵
        
        PID:4680
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10266190076115541484,15865541404480780978,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
        6⤵
        
        PID:412
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10266190076115541484,15865541404480780978,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
        6⤵
        
        PID:2712
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10266190076115541484,15865541404480780978,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4412 /prefetch:1
        6⤵
        
        PID:1328
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10266190076115541484,15865541404480780978,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
        6⤵
        
        PID:4380
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10266190076115541484,15865541404480780978,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
        6⤵
        
        PID:3544
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10266190076115541484,15865541404480780978,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
        6⤵
        Modifies data under HKEY_USERS
        
        PID:400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Wtool.DLL

Filesize
577KB

MD5
a568f61f93e49edb965e84c5d6815d32

SHA1
191a72977a7bc27c0fe241761a1cfdba9a40d67c

SHA256
98ee12a87cca6af453b35623372190fb5f2628e07ea267b4c6f2a4c0ec04bdf3

SHA512
81340c74dba845b3278172585e12b7fc39bb2dd32f6737c00428f99b85962d42e6c007cde84c8dfd4128e7590e76b5afdfa78711a6b80836b12c92669225dfbd

Download Submit
C:\Windows\Wtool.DLL

Filesize
577KB

MD5
a568f61f93e49edb965e84c5d6815d32

SHA1
191a72977a7bc27c0fe241761a1cfdba9a40d67c

SHA256
98ee12a87cca6af453b35623372190fb5f2628e07ea267b4c6f2a4c0ec04bdf3

SHA512
81340c74dba845b3278172585e12b7fc39bb2dd32f6737c00428f99b85962d42e6c007cde84c8dfd4128e7590e76b5afdfa78711a6b80836b12c92669225dfbd

Download Submit
C:\Windows\Wtool.DLL

Filesize
577KB

MD5
a568f61f93e49edb965e84c5d6815d32

SHA1
191a72977a7bc27c0fe241761a1cfdba9a40d67c

SHA256
98ee12a87cca6af453b35623372190fb5f2628e07ea267b4c6f2a4c0ec04bdf3

SHA512
81340c74dba845b3278172585e12b7fc39bb2dd32f6737c00428f99b85962d42e6c007cde84c8dfd4128e7590e76b5afdfa78711a6b80836b12c92669225dfbd

Download Submit
C:\Windows\Wtool.DLL

Filesize
577KB

MD5
a568f61f93e49edb965e84c5d6815d32

SHA1
191a72977a7bc27c0fe241761a1cfdba9a40d67c

SHA256
98ee12a87cca6af453b35623372190fb5f2628e07ea267b4c6f2a4c0ec04bdf3

SHA512
81340c74dba845b3278172585e12b7fc39bb2dd32f6737c00428f99b85962d42e6c007cde84c8dfd4128e7590e76b5afdfa78711a6b80836b12c92669225dfbd

Download Submit
C:\Windows\Wtool.DLL

Filesize
577KB

MD5
a568f61f93e49edb965e84c5d6815d32

SHA1
191a72977a7bc27c0fe241761a1cfdba9a40d67c

SHA256
98ee12a87cca6af453b35623372190fb5f2628e07ea267b4c6f2a4c0ec04bdf3

SHA512
81340c74dba845b3278172585e12b7fc39bb2dd32f6737c00428f99b85962d42e6c007cde84c8dfd4128e7590e76b5afdfa78711a6b80836b12c92669225dfbd

Download Submit
C:\Windows\Wtool.exe

Filesize
643KB

MD5
3ae4d65f40833a6ef8b76d10230348c5

SHA1
c0c3802928ebb16b42e7875a10e550b3b15f4382

SHA256
d1add14944ee25075c685db2ef39cf28fa0ca695c4d336831e7af31f01b57e8a

SHA512
830bec1b16b75da31220b6cbd51820221e78e6e11f4c2e9a52a9a114d1a61962e4df32357104ab38d10c400ce7b5d32b8d113c18de9c20bfef2010c85f187542

Download Submit
C:\Windows\Wtool.exe

Filesize
643KB

MD5
3ae4d65f40833a6ef8b76d10230348c5

SHA1
c0c3802928ebb16b42e7875a10e550b3b15f4382

SHA256
d1add14944ee25075c685db2ef39cf28fa0ca695c4d336831e7af31f01b57e8a

SHA512
830bec1b16b75da31220b6cbd51820221e78e6e11f4c2e9a52a9a114d1a61962e4df32357104ab38d10c400ce7b5d32b8d113c18de9c20bfef2010c85f187542

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
55c697e8a9f44bcffd73fc5817e51025

SHA1
25236e6ae3680de22d7428059d1d120ddca82e66

SHA256
ca822d3867509a5019bbd80cbdedc4cb8e18d38af8a416291fb5da8c2c61ca66

SHA512
3bd07154ab4cfd3faa425f9c935b0abb305681bda890038a54a2f58e4dae12cfd70ac2731378390c6205cd4800308f4872049600f4f090909ac6d0d4c17fe7d8

Download Submit
memory/4540-137-0x0000000001170000-0x0000000001207000-memory.dmp

Filesize
604KB

Download