Overview
8  Static  static
1  Final Test...L.xlsx  windows7-x64
1  Final Test...L.xlsx  windows10-2004-x64
1  Final Tests/PDF.pdf  windows7-x64
1  Final Tests/PDF.pdf  windows10-2004-x64
1  Final Test...T.pptx  windows7-x64
1  Final Test...T.pptx  windows10-2004-x64
1  Final Tests/WORD.docx  windows7-x64
4  Final Tests/WORD.docx  windows10-2004-x64
1  Windows_Re...ox.exe  windows7-x64
1  Windows_Re...ox.exe  windows10-2004-x64
6  Windows_Re...xe.xml  windows7-x64
1  Windows_Re...xe.xml  windows10-2004-x64
1  files/7zG.exe  windows7-x64
1  files/7zG.exe  windows10-2004-x64
1  files/7za.exe  windows7-x64
1  files/7za.exe  windows10-2004-x64
1  files/ATPad/ATPad.exe  windows7-x64
3  files/ATPad/ATPad.exe  windows10-2004-x64
3  files/CheckDisk.exe  windows7-x64
4  files/CheckDisk.exe  windows10-2004-x64
7  files/DISM...FC.exe  windows7-x64
8  files/DISM...FC.exe  windows10-2004-x64
1  files/repa...rk.cmd  windows7-x64
   files/repa...rk.cmd  windows10-2004-x64
1  files/smartctl-nc.exe  windows7-x64
1  files/smartctl-nc.exe  windows10-2004-x64
1  updater.exe  windows7-x64
3  updater.exe  windows10-2004-x64
6  Analysis
max time kernel: 98s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2022 18:22
Static task: static1

Behavioral tasks
task          Sample                          Resource
behavioral1   Final Tests/EXCEL.xlsx          win7-20220812-en
behavioral2   Final Tests/EXCEL.xlsx          win10v2004-20221111-en
behavioral3   Final Tests/PDF.pdf             win7-20220901-en
behavioral4   Final Tests/PDF.pdf             win10v2004-20220812-en
behavioral5   Final Tests/POWERPOINT.pptx     win7-20221111-en
behavioral6   Final Tests/POWERPOINT.pptx     win10v2004-20220812-en
behavioral7   Final Tests/WORD.docx           win7-20221111-en
behavioral8   Final Tests/WORD.docx           win10v2004-20221111-en
behavioral9   Windows_Repair_Toolbox.exe      win7-20221111-en
behavioral10  Windows_Repair_Toolbox.exe      win10v2004-20220812-en
behavioral11  Windows_Repair_Toolbox.exe.xml  win7-20221111-en
behavioral12  Windows_Repair_Toolbox.exe.xml  win10v2004-20220812-en
behavioral13  files/7zG.exe                   win7-20220901-en
behavioral14  files/7zG.exe                   win10v2004-20220812-en
behavioral15  files/7za.exe                   win7-20221111-en
behavioral16  files/7za.exe                   win10v2004-20221111-en
behavioral17  files/ATPad/ATPad.exe           win7-20221111-en
behavioral18  files/ATPad/ATPad.exe           win10v2004-20220812-en
behavioral19  files/CheckDisk.exe             win7-20220812-en
behavioral20  files/CheckDisk.exe             win10v2004-20220901-en
behavioral21  files/DISM_And_SFC.exe          win7-20221111-en
behavioral22  files/DISM_And_SFC.exe          win10v2004-20220812-en
behavioral23  files/repair_network.cmd        win7-20221111-en
behavioral24  files/repair_network.cmd        win10v2004-20220812-en
behavioral25  files/smartctl-nc.exe           win7-20221111-en
behavioral26  files/smartctl-nc.exe           win10v2004-20220812-en
behavioral27  updater.exe                     win7-20220901-en
behavioral28  updater.exe                     win10v2004-20221111-en
General
Target: Windows_Repair_Toolbox.exe
Size: 1.8MB
MD5: 30c98afd286f5dfacc5caf498aa16aa8
SHA1: 597fcc44f6f2c08d6db479a2a55b4a65b562956c
SHA256: 0414039379e9024c2ff3adde355515f72a42b025f49a37257f8c9368f6731bdc
SHA512: c1e37ac3e3a19c3eb4e4685d87d894a18bdc49e642a2de857669240eed85f2fdc9423642a1b460bd5c4297f9ad82b325eaccf9d256382e7dc73095c8d77f38b2
SSDEEP: 24576:Tmmu+ebgkhWQq2cPK1wRWeOtCeGr7g2LF/L/Yfixfz/b6qk1nU3R2WAmcMUQJGgy:TdXEZYkh5BQWkyfo
Malware Config
Signatures

Adds Run key to start application  (2 TTPs, 1 IoC)
  description  ioc  Process
  Key created  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run  msedge.exe

Enumerates physical storage devices  (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash  (1 IoC)
  pid   pid_target  Process       procid_target
  1284  292         WerFault.exe  82

Enumerates system info in registry  (2 TTPs, 3 IoCs)
  description        ioc  Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe

Modifies registry class  (1 IoC)
  description  ioc  Process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  msedge.exe

Suspicious behavior: EnumeratesProcesses  (39 IoCs)
  pid   Process
  1368  Windows_Repair_Toolbox.exe  (4 entries)
  4480  msedge.exe                  (2 entries)
  4884  msedge.exe                  (2 entries)
  1368  Windows_Repair_Toolbox.exe  (31 entries)

Suspicious behavior: LoadsDriver  (2 IoCs)
  pid  Process
  632  Process not Found  (2 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary  (2 IoCs)
  pid   Process
  4884  msedge.exe  (2 entries)

Suspicious use of AdjustPrivilegeToken  (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  1368  Windows_Repair_Toolbox.exe

Suspicious use of FindShellTrayWindow  (4 IoCs)
  pid   Process
  4884  msedge.exe  (4 entries)

Suspicious use of WriteProcessMemory  (64 IoCs)
  description                        pid   Process                     procid_target
  PID 1368 wrote to memory of 4884   1368  Windows_Repair_Toolbox.exe  83  (2 entries)
  PID 4884 wrote to memory of 4600   4884  msedge.exe                  84  (2 entries)
  PID 4884 wrote to memory of 4092   4884  msedge.exe                  85  (40 entries)
  PID 4884 wrote to memory of 4480   4884  msedge.exe                  86  (2 entries)
  PID 4884 wrote to memory of 3596   4884  msedge.exe                  88  (18 entries)
Processes
(process tree; indentation shows parent/child nesting as given by the report's depth markers)

C:\Users\Admin\AppData\Local\Temp\Windows_Repair_Toolbox.exe  (PID 1368)
  command line: "C:\Users\Admin\AppData\Local\Temp\Windows_Repair_Toolbox.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4884)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://windows-repair-toolbox.com/
      - Adds Run key to start application
      - Enumerates system info in registry
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4600)
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffbf91446f8,0x7ffbf9144708,0x7ffbf9144718

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4092)
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1488,4171093744276000394,4611982787009224812,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4480)
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1488,4171093744276000394,4611982787009224812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3596)
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1488,4171093744276000394,4611982787009224812,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2404)
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1488,4171093744276000394,4611982787009224812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4284)
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1488,4171093744276000394,4611982787009224812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4988)
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,4171093744276000394,4611982787009224812,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5108 /prefetch:8

    C:\Users\Admin\AppData\Local\Temp\files\smartctl-nc.exe  (PID 4420)
      command line: "C:\Users\Admin\AppData\Local\Temp\files\smartctl-nc.exe" -a C:

    C:\Windows\SYSTEM32\CMD.EXE  (PID 1064)
      command line: "CMD.EXE" /C bcdedit

        C:\Windows\system32\bcdedit.exe  (PID 3064)
          command line: bcdedit

C:\Windows\System32\CompPkgSrv.exe  (PID 3276)
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\wbem\WmiApSrv.exe  (PID 3184)
  command line: C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\WerFault.exe  (PID 4536)
  command line: C:\Windows\system32\WerFault.exe -pss -s 428 -p 292 -ip 292

C:\Windows\system32\WerFault.exe  (PID 1284)
  command line: C:\Windows\system32\WerFault.exe -u -p 292 -s 852
  - Program crash