f526c8c61dba027fec159faec831515493e650dff52e5e93ee639399b5722a0b

Resubmissions

10/05/2023, 12:30

230510-ppkrwshg2x 3

10/05/2023, 11:10

230510-m9nceaff43 3

10/05/2023, 11:09

230510-m88lyshd8z 3

10/05/2023, 10:51

230510-mxxqbahd4t 3

Analysis

max time kernel
125s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2023, 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

duScriptMac.exe
Size

2.0MB
MD5

0ab68e1f247d12baebc4bce655edf467
SHA1

208a28fd940a42ddb74cd5b238e9fb62cc33ecdf
SHA256

f526c8c61dba027fec159faec831515493e650dff52e5e93ee639399b5722a0b
SHA512

1a9eba7e1c5f5ab3b4052fce17cfec83de6e53541711bd6c3cde1fff1506ff40c8f6eb2d2094d18d90ca9a301ce6906819a32318d7795de317c4ef18e9d37343
SSDEEP

49152:xHI3+Do/oNH4EGYgT+ozD1nQLgBWF+56utpKH:w/R6k+itp

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3728	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3268	msedge.exe
3268	msedge.exe
3280	msedge.exe
3280	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3280 wrote to memory of 4592	3280	msedge.exe	98
PID 3280 wrote to memory of 4592	3280	msedge.exe	98
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 4764	3280	msedge.exe	99
PID 3280 wrote to memory of 3268	3280	msedge.exe	100
PID 3280 wrote to memory of 3268	3280	msedge.exe	100
PID 3280 wrote to memory of 2288	3280	msedge.exe	102
PID 3280 wrote to memory of 2288	3280	msedge.exe	102
PID 3280 wrote to memory of 2288	3280	msedge.exe	102
PID 3280 wrote to memory of 2288	3280	msedge.exe	102
PID 3280 wrote to memory of 2288	3280	msedge.exe	102
PID 3280 wrote to memory of 2288	3280	msedge.exe	102
PID 3280 wrote to memory of 2288	3280	msedge.exe	102
PID 3280 wrote to memory of 2288	3280	msedge.exe	102
PID 3280 wrote to memory of 2288	3280	msedge.exe	102
PID 3280 wrote to memory of 2288	3280	msedge.exe	102
PID 3280 wrote to memory of 2288	3280	msedge.exe	102
PID 3280 wrote to memory of 2288	3280	msedge.exe	102
PID 3280 wrote to memory of 2288	3280	msedge.exe	102
PID 3280 wrote to memory of 2288	3280	msedge.exe	102
PID 3280 wrote to memory of 2288	3280	msedge.exe	102
PID 3280 wrote to memory of 2288	3280	msedge.exe	102
PID 3280 wrote to memory of 2288	3280	msedge.exe	102
PID 3280 wrote to memory of 2288	3280	msedge.exe	102
PID 3280 wrote to memory of 2288	3280	msedge.exe	102
PID 3280 wrote to memory of 2288	3280	msedge.exe	102

C:\Users\Admin\AppData\Local\Temp\duScriptMac.exe
"C:\Users\Admin\AppData\Local\Temp\duScriptMac.exe"
1⤵
PID:4548

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://temp/
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9b85546f8,0x7ff9b8554708,0x7ff9b8554718
  2⤵
  PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,6301723612920743080,12601488944043387994,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,6301723612920743080,12601488944043387994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,6301723612920743080,12601488944043387994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6301723612920743080,12601488944043387994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6301723612920743080,12601488944043387994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
  2⤵
  PID:1744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6301723612920743080,12601488944043387994,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6301723612920743080,12601488944043387994,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:2036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4304

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\du.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:3728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0820611471c1bb55fa7be7430c7c6329

SHA1
5ce7a9712722684223aced2522764c1e3a43fbb9

SHA256
f00d04749a374843bd118b41f669f8b0a20d76526c34b554c3ccac5ebd2f4f75

SHA512
77ea022b4265f3962f5e07a0a790f428c885da0cc11be0975285ce0eee4a2eec0a7cda9ea8f366dc2a946679b5dd927c5f94b527de6515856b68b8d08e435148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
425e83cc5a7b1f8edfbec7d986058b01

SHA1
432a90a25e714c618ff30631d9fdbe3606b0d0df

SHA256
060a2e5f65b8f3b79a8d4a0c54b877cfe032f558beb0888d6f810aaeef8579bd

SHA512
4bf074de60e7849ade26119ef778fe67ea47691efff45f3d5e0b25de2d06fcc6f95a2cfcdbed85759a5c078bb371fe57de725babda2f44290b4dc42d7b6001af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
dcae552634ab3490939cf5687a95d461

SHA1
b67ee5f04690a5569dc71337972981c9cefe82a1

SHA256
80a3f2bba6fa1a001aea2b9ade1e9de1881a75888de1a0986ee7caf16ea84c16

SHA512
d903f0bf56b495688b7b7bfa68e53a9485285a3b1dd9df07efd59697c1283017b123399d812d897e3e76c0a0586e2386f46bbf1cfc96f40d57981544863a837f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
6b0ebbc1eb89226b6d765681639cb0eb

SHA1
8e76611f745bf7a8afc8c70f13c5529d9b4d159a

SHA256
4c178896b27c39a27334fca1080899cf7d868b3a6067b8c926c29d2efd8cc677

SHA512
66ac53c0a2fbf80083989a7ba0b0add6e199ac80183893af2c367fb078ca6ce0f86e575c2f1c7c9d8a3f788ccba73039cdc3f76883120aea949d929e8ad74e3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
2f45ee468b9d0207d6d1627877aed900

SHA1
03792bfc110c656546e276230d6b6925136c40a9

SHA256
21d61f56c9724f13542109ee1253d7ebe7be056f94d5c5e5fc77a2fbf2d286fc

SHA512
e081509f3ef65f90c87d07089f5dcbeda47a50d8d9ca7bbccc420b9987b28389d7cd143da4f9824030227f2160d713166c6b9a7c09140d24f01905a01c3ce9df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
88cfddc30f9c9dfc8e953f8db11491b4

SHA1
05bfc872bdce55c0167ed5610de8039d1f163872

SHA256
6037a454f63e6a053c19092bd574b26d6f0e404ec5b0575f6b11dfd429620c74

SHA512
53f4dea5fa64ddc606f48a819b5b48f88ef680f614186d5e10542eff4046859612b8cb8788b8d9a2e7c744dee7262fdca65f788185474527e02601f165923a68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
d53ac35ab3976e67caeed75c4d44ffc1

SHA1
c139ab66d75dc06f98ada34b5baf4d5693266176

SHA256
647867c7236bcb78b7d585b476d82a101a077fac43c78dc59e612253fbf69437

SHA512
391355c71734ded913239a6db10a3202087e756bccc8e29411108f21b3f2460d9a9c606619aadd785285be70eddcf61ef9519441cd387cd3823c1399a6967cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
85526c5793aa368cad1fb451b5387d22

SHA1
a63b1ed43b952d21d28925f8f1eeb22ae67bfaf3

SHA256
fd3ea103b35101b70d11daeceee75aaa6a559e3da4ba51ab0258fb3f636b44bc

SHA512
cf3fc7d13b69accd8a15ed023c6ee6e7a0b8ac166dfbdd9149dba2b3e2525c40b746f2dd6553e58880d138d152eee7e157ab00eb6679e11fae25de2daf04d1e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
f116d8a986765bd3b47f351b057caac2

SHA1
2040f4ff3c9f260b62ed57a49c5c1bdebc581fb2

SHA256
9f5941363b926a05a7dda58da705d3f735f0c66f1b0149f67bb04775cbefbf65

SHA512
bb38b7f67cd9f5d1ec4f841575745ee425f6a21546105a0b603ede8f6b3923c099a9b7f4a65f11cc1e8f8a106a7b0a0377820df5112ad84efb402af7ec5c4ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\du.bat

Filesize
84B

MD5
1395405804715df7545f5e1fd31d726f

SHA1
fb04616ce3307e546498aafadc1a862067bac4ea

SHA256
3081649251909c25637a2d7a0f9e5edad47332d4ae541fe41834b5bef164f663

SHA512
470e1f9dd4037227d20298edf31d4ca8758c4a334654973666f0aa9f64c03c8c3b422ff7c2f32a1918d82a159a220edbd223ea925bf25b53ed02425072e25680

Download Submit