39d024d9d590f29e0e522f1e41ac4e5c7bf67ebd261b3fa939b6e0ee883acc59

Resubmissions

12/04/2023, 20:30

230412-zadedagd5s 8

12/04/2023, 20:26

230412-y7t8qaeh72 8

26/03/2023, 16:01

230326-tgmzhahb39 8

Analysis

max time kernel
400s
max time network
1602s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
12/04/2023, 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HURR-DURR 4.0.exe
Size

1.7MB
MD5

709002961b4a3d18185690cf820c4758
SHA1

9e45ade994f2d711f12fd1bdd24c76c29190d919
SHA256

39d024d9d590f29e0e522f1e41ac4e5c7bf67ebd261b3fa939b6e0ee883acc59
SHA512

a759d2c16eb3166714d0422e931458ea1bac942f440bd159f7a130e9edaef2fe13090adb4de0ef65d6f66446d929f2152e879d1949c4860654564e9e8f8be916
SSDEEP

12288:JoSWNTJ4Yo1VFnA4r5rraOVokssOcnh2tbbLqhS8aKxk:JoS2TJJo1V6u5rraOVouOcn4tbbR8aqk

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 12 IoCs

exploit

pid	Process
1796	takeown.exe
3012	takeown.exe
4360	takeown.exe
4700	takeown.exe
4280	icacls.exe
464	icacls.exe
4664	takeown.exe
4528	takeown.exe
4412	icacls.exe
5024	icacls.exe
4916	icacls.exe
780	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Control Panel\International\Geo\Nation	cmd.exe

Modifies file permissions 1 TTPs 12 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4280	icacls.exe
1796	takeown.exe
3012	takeown.exe
5024	icacls.exe
4916	icacls.exe
4412	icacls.exe
780	icacls.exe
464	icacls.exe
4700	takeown.exe
4664	takeown.exe
4528	takeown.exe
4360	takeown.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000e7c381050faf5fb38149b15df8656adbdf4ce5e233e471262c3a047a38e414600ee23b1994f4ab420f99dcc28874765ab2105daf7428a1d826be	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersi = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{2D139F3B-515C-48CC-ACD6-2254F5709E96}"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 3df8bf635a45d901	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000f33f7a68eb6a8dff8187a2d2b460e745a34c3cc6cc14c3975818ce48f6f93e2de091d61fc415c293dea4b88fb9a3fa9efca2730712b281f5f65f55bdadc39a4c7454bad09c6d95c194bc110202fc2e26dab9fc64ef0c70551870693a0a3276fba9275d6a479307bffc6de6728c89b33a1f323b156644172091e9435710662ff493ac0e320aa58e55a557923fd46be98247ab8e43ee78ae74906b24dcbf7ee0733a82bec25cc433d9f61ae6802ac36bac5cc506d833ca20c852972fe1e49c40d3d4480c21371049f24256769102af8276d620ea54b8584354e40bf17a59dfb286baa017de60a93f361fab5062e950a910fe5cb4bd8644ae593169e9fa3067e35a33297b482aafce8d45b939b480c642c49719449534ad3831b64f76be8f53650ef58247b05b42676f4a2018ef5f32f8f362f843e5e5b29529605ff489a3c5ba31bc4d04b807829de76680dd09e5b233655497305b4a75893b1b37ba7afbdcee600d29d1ba0d8f8372b078b8ffb767c2e03a976d71c3142487a378f78522b8c3c1a0b571383f89fda186aaa8d76972d11a85983ba820b18ca54af44cd55d00108e18fada7861f4	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 3df8bf635a45d901	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 3df8bf635a45d901	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4404	MicrosoftEdgeCP.exe
4404	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	4724	MicrosoftEdge.exe
Token: SeDebugPrivilege	4724	MicrosoftEdge.exe
Token: SeDebugPrivilege	4724	MicrosoftEdge.exe
Token: SeDebugPrivilege	4724	MicrosoftEdge.exe
Token: SeTakeOwnershipPrivilege	4700	takeown.exe
Token: SeTakeOwnershipPrivilege	4664	takeown.exe
Token: SeTakeOwnershipPrivilege	4528	takeown.exe
Token: SeTakeOwnershipPrivilege	1796	takeown.exe
Token: SeTakeOwnershipPrivilege	3012	takeown.exe
Token: SeTakeOwnershipPrivilege	4360	takeown.exe
Token: SeDebugPrivilege	3600	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3600	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3600	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3600	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	3600	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	3600	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	3600	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	3600	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	3600	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	3600	MicrosoftEdgeCP.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4724	MicrosoftEdge.exe
4404	MicrosoftEdgeCP.exe
4404	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 1704	3720	HURR-DURR 4.0.exe	67
PID 3720 wrote to memory of 1704	3720	HURR-DURR 4.0.exe	67
PID 1704 wrote to memory of 4700	1704	cmd.exe	71
PID 1704 wrote to memory of 4700	1704	cmd.exe	71
PID 1704 wrote to memory of 4664	1704	cmd.exe	72
PID 1704 wrote to memory of 4664	1704	cmd.exe	72
PID 1704 wrote to memory of 4528	1704	cmd.exe	73
PID 1704 wrote to memory of 4528	1704	cmd.exe	73
PID 1704 wrote to memory of 1796	1704	cmd.exe	74
PID 1704 wrote to memory of 1796	1704	cmd.exe	74
PID 1704 wrote to memory of 3012	1704	cmd.exe	75
PID 1704 wrote to memory of 3012	1704	cmd.exe	75
PID 1704 wrote to memory of 4360	1704	cmd.exe	76
PID 1704 wrote to memory of 4360	1704	cmd.exe	76
PID 1704 wrote to memory of 4412	1704	cmd.exe	78
PID 1704 wrote to memory of 4412	1704	cmd.exe	78
PID 1704 wrote to memory of 5024	1704	cmd.exe	80
PID 1704 wrote to memory of 5024	1704	cmd.exe	80
PID 1704 wrote to memory of 4916	1704	cmd.exe	81
PID 1704 wrote to memory of 4916	1704	cmd.exe	81
PID 1704 wrote to memory of 780	1704	cmd.exe	82
PID 1704 wrote to memory of 780	1704	cmd.exe	82
PID 1704 wrote to memory of 4280	1704	cmd.exe	83
PID 1704 wrote to memory of 4280	1704	cmd.exe	83
PID 4404 wrote to memory of 3600	4404	MicrosoftEdgeCP.exe	79
PID 4404 wrote to memory of 3600	4404	MicrosoftEdgeCP.exe	79
PID 4404 wrote to memory of 3600	4404	MicrosoftEdgeCP.exe	79
PID 4404 wrote to memory of 3600	4404	MicrosoftEdgeCP.exe	79
PID 4404 wrote to memory of 3600	4404	MicrosoftEdgeCP.exe	79
PID 1704 wrote to memory of 464	1704	cmd.exe	84
PID 1704 wrote to memory of 464	1704	cmd.exe	84
PID 1704 wrote to memory of 1892	1704	cmd.exe	85
PID 1704 wrote to memory of 1892	1704	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\HURR-DURR 4.0.exe
"C:\Users\Admin\AppData\Local\Temp\HURR-DURR 4.0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Windows\System32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6343.tmp\6344.tmp\6345.bat "C:\Users\Admin\AppData\Local\Temp\HURR-DURR 4.0.exe""
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\windows\system32\winload.exe"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4700
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\windows\system32\winresume.exe"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4664
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\windows\system32\ntoskrnl.exe"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4528
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\windows\system32\hal.dll"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1796
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\windows\system32\ntdll.dll"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3012
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\windows\system32\ci.dll"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4360
- - C:\Windows\system32\icacls.exe
    icacls "C:\windows\system32\winload.exe" /grant everyone:F /t /c
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4412
- - C:\Windows\system32\icacls.exe
    icacls "C:\windows\system32\winresume.exe" /grant everyone:F /t /c
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5024
- - C:\Windows\system32\icacls.exe
    icacls "C:\windows\system32\ntoskrnl.exe" /grant everyone:F /t /c
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4916
- - C:\Windows\system32\icacls.exe
    icacls "C:\windows\system32\hal.dll" /grant everyone:F /t /c
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:780
- - C:\Windows\system32\icacls.exe
    icacls "C:\windows\system32\ntdll.dll" /grant everyone:F /t /c
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4280
- - C:\Windows\system32\icacls.exe
    icacls "C:\windows\system32\ci.dll" /grant everyone:F /t /c├º
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:464
- - C:\Windows\system32\mountvol.exe
    mountvol C:\ /d
    3⤵
    PID:1892

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4724

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3124

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6343.tmp\6344.tmp\6345.bat

Filesize
1003B

MD5
fea29a2bbc979a1a83a9887b62240d6e

SHA1
b6c1ab3b84f50a1aa567c311b77fade00379b006

SHA256
abb42b3699e20f9208261c9ef6105f29be0c1005b47e966b5dd9a78845b6dcb6

SHA512
c8ed4b01d15956e668cf4ce215efd0e3708405a3aa2dff30c4a5e4e5a86959308c832f14a4d19b1c0ef9b1491e24fcf8d3388dc155911784b3b8d5b25f790164

Download Submit
memory/3600-190-0x0000018019CD0000-0x0000018019CD2000-memory.dmp

Filesize
8KB

Download
memory/3600-205-0x0000018019710000-0x0000018019724000-memory.dmp

Filesize
80KB

Download
memory/3600-198-0x000001802A850000-0x000001802A852000-memory.dmp

Filesize
8KB

Download
memory/3600-196-0x000001802A830000-0x000001802A832000-memory.dmp

Filesize
8KB

Download
memory/3600-194-0x000001802A770000-0x000001802A772000-memory.dmp

Filesize
8KB

Download
memory/3600-192-0x0000018019CF0000-0x0000018019CF2000-memory.dmp

Filesize
8KB

Download
memory/4724-158-0x000001D2222A0000-0x000001D2222A1000-memory.dmp

Filesize
4KB

Download
memory/4724-163-0x000001D227360000-0x000001D227362000-memory.dmp

Filesize
8KB

Download
memory/4724-162-0x000001D227330000-0x000001D227332000-memory.dmp

Filesize
8KB

Download
memory/4724-160-0x000001D2225F0000-0x000001D2225F2000-memory.dmp

Filesize
8KB

Download
memory/4724-139-0x000001D222900000-0x000001D222910000-memory.dmp

Filesize
64KB

Download
memory/4724-204-0x000001D2284A0000-0x000001D2284B4000-memory.dmp

Filesize
80KB

Download
memory/4724-121-0x000001D222120000-0x000001D222130000-memory.dmp

Filesize
64KB

Download