3ed7846a7c6517e3cdd5f964d9092bf4cd12aa949e017557809b1c0919c2746b

General

Target

Electron.zip
Size

4.0MB
MD5

97076579ad60bab9d10873ce2919a6cc
SHA1

d6c75777c0d5fc972f706b67ca9a67b6c9c1edc0
SHA256

3ed7846a7c6517e3cdd5f964d9092bf4cd12aa949e017557809b1c0919c2746b
SHA512

8a69b425b0c90446a675a6e56ce815975a50083d25623e053b769ed922b967528c375d8f247c74eb9c6181d2eb16cb465dbc21887f6044deec313bbc5b477a0d
SSDEEP

98304:fCAG9ljur60nkCXKNLzXhjpsB1uo8rsVF2ImbxXd2Be2WyL:fCXjuO0nkTC4o6RZ2Z

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msedge.exe

pid process

640 msedge.exe
640 msedge.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msedge.exe

pid process

4980 msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

pid	process
640	msedge.exe
640	msedge.exe

pid	process
4980	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4980 wrote to memory of 4960	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 4960	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 1056	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 640	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 640	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 3648	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 3648	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 3648	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 3648	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 3648	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 3648	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 3648	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 3648	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 3648	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 3648	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 3648	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 3648	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 3648	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 3648	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 3648	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 3648	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 3648	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 3648	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 3648	4980	msedge.exe	msedge.exe
PID 4980 wrote to memory of 3648	4980	msedge.exe	msedge.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Electron.zip
1⤵
PID:1764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultdfe5468ehe8c7h4a8fhab9fh26ad84159941
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8747046f8,0x7ff874704708,0x7ff874704718
2⤵
PID:4960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,10482666435456872400,5000574087343296124,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
2⤵
PID:1056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,10482666435456872400,5000574087343296124,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,10482666435456872400,5000574087343296124,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
2⤵
PID:3648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
462f3c1360a4b5e319363930bc4806f6

SHA1
9ba5e43d833c284b89519423f6b6dab5a859a8d0

SHA256
fec64069c72a8d223ed89a816501b3950f5e4f5dd88f289a923c5f961d259f85

SHA512
5584ef75dfb8a1907c071a194fa78f56d10d1555948dffb8afcacaaa2645fd9d842a923437d0e94fad1d1919dcef5b25bf065863405c8d2a28216df27c87a417

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
76c68deb4a9c1998bcfa79de95ea0e51

SHA1
7e6c6fee797c9a07749d42b8c2ddf7a69f74ba46

SHA256
c0e3671936ed3e1d5148019630dc664429ca1fb92a9de76bc062b52fae1b35a9

SHA512
76574b7cf10b6721adca5e786c02aa0ee876f5c92922ac7a7bd3153f57ac55f49787f27c370f271d7b90d3c7b4b4b2e4ad3faa2976b81524de803208a6e25b71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
3KB

MD5
c7b48040e77256202b56f4c31c090488

SHA1
aa593c39ae38c1e9c4892e708f14669219dcfe76

SHA256
e3a34b9d596d193e23e2f5500307fb956f88e2ef82d2f2af0eb797d1d0e9a2c7

SHA512
b319ef1ffc42b97805dc02f7068b9e217d320de48046ed5dc455b33041b0338b00bd59b93efb08f52853344cfb5d34aef585ecd45acc8612eaa2514d582a7b32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
3KB

MD5
b420121d97ff76ffe0819354628afc5e

SHA1
c23a2750d07ef80ae6234ce358857125a0f1cbf1

SHA256
493c8e2fe774b5a07950af08d5aa9b92e85a3104ad8ec260abac8b481c19575b

SHA512
01288eb2fce6e4b6330032e01444b5c86472ffbadb3d5a5fcbd2a4338de09b2e65da3c8ca9f0562239e186af81c5bba46886ac6aec7cc53cc05f407a706a68c6

Download Submit
\??\pipe\LOCAL\crashpad_4980_NJSFLJTOAGFBERFA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing