Resubmissions
- 10/05/2023, 12:30  230510-ppkrwshg2x  3
- 10/05/2023, 11:10  230510-m9nceaff43  3
- 10/05/2023, 11:09  230510-m88lyshd8z  3
- 10/05/2023, 10:51  230510-mxxqbahd4t  3
Analysis
- max time kernel: 125s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/05/2023, 11:10
Static task: static1
Behavioral task: behavioral1
- Sample: duScriptMac.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: duScriptMac.exe
- Resource: win10v2004-20230220-en
General
- Target: duScriptMac.exe
- Size: 2.0MB
- MD5: 0ab68e1f247d12baebc4bce655edf467
- SHA1: 208a28fd940a42ddb74cd5b238e9fb62cc33ecdf
- SHA256: f526c8c61dba027fec159faec831515493e650dff52e5e93ee639399b5722a0b
- SHA512: 1a9eba7e1c5f5ab3b4052fce17cfec83de6e53541711bd6c3cde1fff1506ff40c8f6eb2d2094d18d90ca9a301ce6906819a32318d7795de317c4ef18e9d37343
- SSDEEP: 49152:xHI3+Do/oNH4EGYgT+ozD1nQLgBWF+56utpKH:w/R6k+itp
Malware Config
Signatures
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Modifies registry class (1 IoC)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (msedge.exe)
- Opens file in notepad (likely ransom note) (1 IoC)
  PID 3728 NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 3268 msedge.exe; PID 3268 msedge.exe; PID 3280 msedge.exe; PID 3280 msedge.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
  PID 3280 msedge.exe; PID 3280 msedge.exe; PID 3280 msedge.exe; PID 3280 msedge.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  PID 3280 msedge.exe; PID 3280 msedge.exe; PID 3280 msedge.exe; PID 3280 msedge.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\duScriptMac.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\duScriptMac.exe"
  PID: 4548
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://temp/
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 3280
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9b85546f8,0x7ff9b8554708,0x7ff9b8554718
    PID: 4592
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,6301723612920743080,12601488944043387994,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
    PID: 4764
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,6301723612920743080,12601488944043387994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID: 3268
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,6301723612920743080,12601488944043387994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
    PID: 2288
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6301723612920743080,12601488944043387994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
    PID: 4916
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6301723612920743080,12601488944043387994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
    PID: 1744
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6301723612920743080,12601488944043387994,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
    PID: 1840
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6301723612920743080,12601488944043387994,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
    PID: 2036
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4304
- C:\Windows\System32\NOTEPAD.EXE
  Command line: "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\du.bat
  - Opens file in notepad (likely ransom note)
  PID: 3728
Network
MITRE ATT&CK Enterprise v6
Downloads