quantum | b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192

Analysis

max time kernel
69s
max time network
71s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22/02/2023, 02:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
Size

75KB
MD5

0706764b3963df092079d3bdef787a1f
SHA1

73c2460d59f3d0637523ca6d35425aae14358ba1
SHA256

b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192
SHA512

3af7ff3b2aa689eb4c410562b5ead74ff77417da941521928391c6fac3dcc6a75f6d866f52b12f67a41564cfa81afcda51857c0f208f9e90e8629e0f0b5d5cb4
SSDEEP

1536:9aX51pVH9hsgNGLs6BLM1frxz/HTfcKKBaJGp:OfJGLs6BwNxnfTKsG

Score

10^/10

quantum ransomware

Malware Config

Extracted

Path

C:\Users\Admin\3D Objects\README_TO_DECRYPT.html

Family

quantum

Ransom Note

<html> <head> <title>Quantum</title> </head> <body> <h1>Your ID:</h1> <pre> 9064d8b148a0f19a9e3598a6e0b0aeb16b26dd98663f9745164eefdf45b6ef3c </pre> <hr/> This message contains an information how to fix the troubles you've got with your network. Files on the workstations in your network were encrypted and any your attempt to change, decrypt or rename them could destroy the content. The only way to get files back is a decryption with Key, provided by the Quantum Locker. During the period your network was under our control, we downloaded a huge volume of information. Now it is stored on our servers with high-secure access. This information contains a lot of sensitive, private and personal data. Publishing of such data will cause serious consequences and even business disruption. It's not a threat, on the contrary - it's a manual how to get a way out. Quantum team doesn't aim to damage your company, our goals are only financial. After a payment you'll get network decryption, full destruction of downloaded data, information about your network vulnerabilities and penetration points. If you decide not to negotiate, in 48 hours the fact of the attack and all your information will be posted on our site and will be promoted among dozens of cyber forums, news agencies, websites etc. To contact our support and start the negotiations, please visit our support chat. It is simple, secure and you can set a password to avoid intervention of unauthorised persons. <a href="http://tijykgureh7kqq5cczzeutaoxvmf6yinpar72o3bxome7b44vwqxadyd.onion/?cid=9064d8b148a0f19a9e3598a6e0b0aeb16b26dd98663f9745164eefdf45b6ef3c">http://tijykgureh7kqq5cczzeutaoxvmf6yinpar72o3bxome7b44vwqxadyd.onion/?cid=9064d8b148a0f19a9e3598a6e0b0aeb16b26dd98663f9745164eefdf45b6ef3c</a> <ul> <li>Password field should be blank for the first login. <li>Note that this server is available via Tor browser only. </ul> P.S. How to get TOR browser - see at https://www.torproject.org </body> </html>

Extracted

Path

C:\Users\Admin\Desktop\README_TO_DECRYPT.html

Family

quantum

Ransom Note

Your ID: This message contains an information how to fix the troubles you've got with your network. Files on the workstations in your network were encrypted and any your attempt to change, decrypt or rename them could destroy the content. The only way to get files back is a decryption with Key, provided by the Quantum Locker. During the period your network was under our control, we downloaded a huge volume of information. Now it is stored on our servers with high-secure access. This information contains a lot of sensitive, private and personal data. Publishing of such data will cause serious consequences and even business disruption. It's not a threat, on the contrary - it's a manual how to get a way out. Quantum team doesn't aim to damage your company, our goals are only financial. After a payment you'll get network decryption, full destruction of downloaded data, information about your network vulnerabilities and penetration points. If you decide not to negotiate, in 48 hours the fact of the attack and all your information will be posted on our site and will be promoted among dozens of cyber forums, news agencies, websites etc. To contact our support and start the negotiations, please visit our support chat. It is simple, secure and you can set a password to avoid intervention of unauthorised persons. http://tijykgureh7kqq5cczzeutaoxvmf6yinpar72o3bxome7b44vwqxadyd.onion/?cid=9064d8b148a0f19a9e3598a6e0b0aeb16b26dd98663f9745164eefdf45b6ef3c Password field should be blank for the first login. Note that this server is available via Tor browser only. P.S. How to get TOR browser - see at https://www.torproject.org

URLs

http://tijykgureh7kqq5cczzeutaoxvmf6yinpar72o3bxome7b44vwqxadyd.onion/?cid=9064d8b148a0f19a9e3598a6e0b0aeb16b26dd98663f9745164eefdf45b6ef3c

Signatures

Quantum Ransomware
A rebrand of the MountLocker ransomware first seen in August 2021.
ransomware quantum

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\EnterOpen.tif => \??\c:\Users\Admin\Pictures\EnterOpen.tif.quantum	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
File renamed	C:\Users\Admin\Pictures\FindUse.tif => \??\c:\Users\Admin\Pictures\FindUse.tif.quantum	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe

Drops desktop.ini file(s) 25 IoCs

description	ioc	Process
File opened for modification	\??\c:\Users\Admin\Favorites\desktop.ini	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
File opened for modification	\??\c:\Users\Admin\Saved Games\desktop.ini	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
File opened for modification	\??\c:\Users\Admin\Videos\desktop.ini	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
File opened for modification	\??\c:\Users\Public\Music\desktop.ini	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
File opened for modification	\??\c:\Users\Public\Videos\desktop.ini	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
File opened for modification	\??\c:\Users\Admin\Contacts\desktop.ini	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
File opened for modification	\??\c:\Users\Admin\Downloads\desktop.ini	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links\desktop.ini	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
File opened for modification	\??\c:\Users\Admin\OneDrive\desktop.ini	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
File opened for modification	\??\c:\Users\Admin\Pictures\desktop.ini	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
File opened for modification	\??\c:\Users\Public\AccountPictures\desktop.ini	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
File opened for modification	\??\c:\Users\Public\Pictures\desktop.ini	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
File opened for modification	\??\c:\Users\Admin\Links\desktop.ini	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
File opened for modification	\??\c:\Users\Admin\Music\desktop.ini	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
File opened for modification	\??\c:\Users\Admin\Pictures\Camera Roll\desktop.ini	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
File opened for modification	\??\c:\Users\Public\Desktop\desktop.ini	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
File opened for modification	\??\c:\Users\Public\desktop.ini	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
File opened for modification	\??\c:\Users\Public\Documents\desktop.ini	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
File opened for modification	\??\c:\Users\Admin\3D Objects\desktop.ini	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
File opened for modification	\??\c:\Users\Admin\Desktop\desktop.ini	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
File opened for modification	\??\c:\Users\Admin\Documents\desktop.ini	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
File opened for modification	\??\c:\Users\Admin\Pictures\Saved Pictures\desktop.ini	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
File opened for modification	\??\c:\Users\Admin\Searches\desktop.ini	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
File opened for modification	\??\c:\Users\Public\Downloads\desktop.ini	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
File opened for modification	\??\c:\Users\Public\Libraries\desktop.ini	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\73f8980c-1254-43b5-91aa-37237e6c4e24.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230222034031.pma	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\.quantum\shell\Open\command	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\.quantum	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\.quantum\shell	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\.quantum\shell\Open	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html"	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4872	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
4872	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
1628	msedge.exe
1628	msedge.exe
4504	msedge.exe
4504	msedge.exe
2408	identity_helper.exe
2408	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	4872	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
Token: SeDebugPrivilege	4872	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 5080	4872	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe	83
PID 4872 wrote to memory of 5080	4872	b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe	83
PID 5080 wrote to memory of 1892	5080	cmd.exe	85
PID 5080 wrote to memory of 1892	5080	cmd.exe	85
PID 4504 wrote to memory of 1888	4504	msedge.exe	89
PID 4504 wrote to memory of 1888	4504	msedge.exe	89
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 4120	4504	msedge.exe	90
PID 4504 wrote to memory of 1628	4504	msedge.exe	91
PID 4504 wrote to memory of 1628	4504	msedge.exe	91
PID 4504 wrote to memory of 4880	4504	msedge.exe	92
PID 4504 wrote to memory of 4880	4504	msedge.exe	92
PID 4504 wrote to memory of 4880	4504	msedge.exe	92
PID 4504 wrote to memory of 4880	4504	msedge.exe	92
PID 4504 wrote to memory of 4880	4504	msedge.exe	92
PID 4504 wrote to memory of 4880	4504	msedge.exe	92
PID 4504 wrote to memory of 4880	4504	msedge.exe	92
PID 4504 wrote to memory of 4880	4504	msedge.exe	92
PID 4504 wrote to memory of 4880	4504	msedge.exe	92
PID 4504 wrote to memory of 4880	4504	msedge.exe	92
PID 4504 wrote to memory of 4880	4504	msedge.exe	92
PID 4504 wrote to memory of 4880	4504	msedge.exe	92
PID 4504 wrote to memory of 4880	4504	msedge.exe	92
PID 4504 wrote to memory of 4880	4504	msedge.exe	92
PID 4504 wrote to memory of 4880	4504	msedge.exe	92
PID 4504 wrote to memory of 4880	4504	msedge.exe	92

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1892	attrib.exe

C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
"C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0E56BBA4.bat" "C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\system32\attrib.exe
    attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe"
    3⤵
    - Views/modifies file attributes
    PID:1892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\README_TO_DECRYPT.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff312c46f8,0x7fff312c4708,0x7fff312c4718
  2⤵
  PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1460,13092631746926340928,1840752809906299572,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1460,13092631746926340928,1840752809906299572,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1460,13092631746926340928,1840752809906299572,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1460,13092631746926340928,1840752809906299572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:3300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1460,13092631746926340928,1840752809906299572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1460,13092631746926340928,1840752809906299572,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8
  2⤵
  PID:2768
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:1668
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff752c05460,0x7ff752c05470,0x7ff752c05480
    3⤵
    PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1460,13092631746926340928,1840752809906299572,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1460,13092631746926340928,1840752809906299572,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1460,13092631746926340928,1840752809906299572,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
  2⤵
  PID:4976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\3D Objects\README_TO_DECRYPT.html

Filesize
2KB

MD5
701afd391301bccef3de9558c8aa86ea

SHA1
5e7c84ee4a8ac22a83b10ff5f0c274f53fc70bec

SHA256
5bf44eec39e6085e9ae20188bdf213a2c2edc8ec4afef09c687ff90b79bda428

SHA512
70a931424cd6d2e5b773124586658f707f9ab5f93fc46ffe807613a556088cb97ad7dae7c4abb08713b79135cc87f545626e676fb04b21db6998d78d908b4f87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0820611471c1bb55fa7be7430c7c6329

SHA1
5ce7a9712722684223aced2522764c1e3a43fbb9

SHA256
f00d04749a374843bd118b41f669f8b0a20d76526c34b554c3ccac5ebd2f4f75

SHA512
77ea022b4265f3962f5e07a0a790f428c885da0cc11be0975285ce0eee4a2eec0a7cda9ea8f366dc2a946679b5dd927c5f94b527de6515856b68b8d08e435148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
425e83cc5a7b1f8edfbec7d986058b01

SHA1
432a90a25e714c618ff30631d9fdbe3606b0d0df

SHA256
060a2e5f65b8f3b79a8d4a0c54b877cfe032f558beb0888d6f810aaeef8579bd

SHA512
4bf074de60e7849ade26119ef778fe67ea47691efff45f3d5e0b25de2d06fcc6f95a2cfcdbed85759a5c078bb371fe57de725babda2f44290b4dc42d7b6001af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
76fd3da8b22a5e9c9016ba81ad77a112

SHA1
d04f15374b089cbd781379d66ec0bfd14058685e

SHA256
23e7dd6a30f8d2a2db75c2b6738322acf71f076299935764b83577a907ea57ab

SHA512
f37502c7c9c2e10e48112290d39004e37e895ca67c8f1ff6b1a0e44c3a3cb97e0906947247eedba1486f2de443d90ad1f339e9c4e6a2fb2a249d991b8938f729

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
dbbd3fd9274506f87a2e3a75310b9cd9

SHA1
e41392634da0b40813fa4143691a3bd452c1f53c

SHA256
23bdb54132c7df783972ce536f9f303412f205adc91566b14d32f9492087864c

SHA512
723e58497ed148b7d84a1df9da65b58c267b003d84d4c9de4d862f7256b56f1abcd897efbb67a9d93a8649a456e02086b270fcaceeee8716df67e0cdc53dbb58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
d53ac35ab3976e67caeed75c4d44ffc1

SHA1
c139ab66d75dc06f98ada34b5baf4d5693266176

SHA256
647867c7236bcb78b7d585b476d82a101a077fac43c78dc59e612253fbf69437

SHA512
391355c71734ded913239a6db10a3202087e756bccc8e29411108f21b3f2460d9a9c606619aadd785285be70eddcf61ef9519441cd387cd3823c1399a6967cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000001.dbtmp

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\0E56BBA4.bat

Filesize
65B

MD5
348cae913e496198548854f5ff2f6d1e

SHA1
a07655b9020205bd47084afd62a8bb22b48c0cdc

SHA256
c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

SHA512
799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
84fa3a5ccde6b46ff4698f6b411b51e7

SHA1
c8f24ffab0f60188f6ff0b6075234693a7636476

SHA256
6fb0ff3f898db89d4b2df0fab73c55070973f5cfe67284a905d158a11917f816

SHA512
31f77862a0711d8e64049436052999aa4b27a45ec0b6d1b990bd7c62ff38dbf36dc360ffc699ad431a37e196c30e481f90ae05ba390d8417e4ccfd2f14d7c6f5

Download Submit
C:\Users\Admin\Desktop\README_TO_DECRYPT.html

Filesize
2KB

MD5
701afd391301bccef3de9558c8aa86ea

SHA1
5e7c84ee4a8ac22a83b10ff5f0c274f53fc70bec

SHA256
5bf44eec39e6085e9ae20188bdf213a2c2edc8ec4afef09c687ff90b79bda428

SHA512
70a931424cd6d2e5b773124586658f707f9ab5f93fc46ffe807613a556088cb97ad7dae7c4abb08713b79135cc87f545626e676fb04b21db6998d78d908b4f87

Download Submit
memory/4120-369-0x00007FFF4EC00000-0x00007FFF4EC01000-memory.dmp

Filesize
4KB

Download