0ef73e1a120d4d6976e8e23488b684f86159c214d30f6dbbc8e716b48674c3ce

General

Target

0ef73e1a120d4d6976e8e23488b684f86159c214d30f6dbbc8e716b48674c3ce.exe
Size

4.7MB
MD5

486ce67349a1f31a1426600888d189a9
SHA1

34d86e06380c2df67608dbf8f6487b5a6dc2d67d
SHA256

0ef73e1a120d4d6976e8e23488b684f86159c214d30f6dbbc8e716b48674c3ce
SHA512

128dd55dcf68b2b4d5d51f45edd1f7ee0e5814584177247cb114dbaec57448c5618584c18860a8bba636574d4420f554a6f8b189315c5babb2307b435bf75adf
SSDEEP

49152:yR2JYSU/rZmbmHSyC9lSiKWltiCEjGRzDB2Cv5EcH9XlM419JXjCQ01:m+bAEEiM41TX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3544	MicrosoftEdgeUpdateTaskMachineUARun.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpdateTaskMachineUARun.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\config\\MicrosoftEdgeUpdateTaskMachineUARun.exe"	0ef73e1a120d4d6976e8e23488b684f86159c214d30f6dbbc8e716b48674c3ce.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4060	schtasks.exe

GoLang User-Agent 5 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	5	Go-http-client/1.1
HTTP User-Agent header	11	Go-http-client/1.1
HTTP User-Agent header	12	Go-http-client/1.1
HTTP User-Agent header	13	Go-http-client/1.1
HTTP User-Agent header	4	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2604	powershell.exe
2604	powershell.exe
2604	powershell.exe
4516	powershell.exe
4516	powershell.exe
4516	powershell.exe
4748	powershell.exe
4748	powershell.exe
4748	powershell.exe
2172	powershell.exe
2172	powershell.exe
2172	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	4748	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 2604	2472	0ef73e1a120d4d6976e8e23488b684f86159c214d30f6dbbc8e716b48674c3ce.exe	66
PID 2472 wrote to memory of 2604	2472	0ef73e1a120d4d6976e8e23488b684f86159c214d30f6dbbc8e716b48674c3ce.exe	66
PID 2604 wrote to memory of 4060	2604	powershell.exe	68
PID 2604 wrote to memory of 4060	2604	powershell.exe	68
PID 2472 wrote to memory of 4516	2472	0ef73e1a120d4d6976e8e23488b684f86159c214d30f6dbbc8e716b48674c3ce.exe	69
PID 2472 wrote to memory of 4516	2472	0ef73e1a120d4d6976e8e23488b684f86159c214d30f6dbbc8e716b48674c3ce.exe	69
PID 2472 wrote to memory of 4748	2472	0ef73e1a120d4d6976e8e23488b684f86159c214d30f6dbbc8e716b48674c3ce.exe	71
PID 2472 wrote to memory of 4748	2472	0ef73e1a120d4d6976e8e23488b684f86159c214d30f6dbbc8e716b48674c3ce.exe	71
PID 2472 wrote to memory of 2172	2472	0ef73e1a120d4d6976e8e23488b684f86159c214d30f6dbbc8e716b48674c3ce.exe	73
PID 2472 wrote to memory of 2172	2472	0ef73e1a120d4d6976e8e23488b684f86159c214d30f6dbbc8e716b48674c3ce.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0ef73e1a120d4d6976e8e23488b684f86159c214d30f6dbbc8e716b48674c3ce.exe
"C:\Users\Admin\AppData\Local\Temp\0ef73e1a120d4d6976e8e23488b684f86159c214d30f6dbbc8e716b48674c3ce.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN MicrosoftEdgeUpdateTaskMachineUARun.exe /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN MicrosoftEdgeUpdateTaskMachineUARun.exe /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe
    3⤵
    - Creates scheduled task(s)
    PID:4060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "" "Set-ItemProperty -Path \"C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe\" -Name CreationTime -Value \"06/13/2022 3:16 PM\""
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "" "Set-ItemProperty -Path \"C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe\" -Name LastWriteTime -Value \"06/13/2022 3:16 PM\""
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "" "Set-ItemProperty -Path \"C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe\" -Name LastAccessTime -Value \"06/13/2022 3:16 PM\""
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2172

C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe
C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe
1⤵
- Executes dropped EXE
PID:3544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
c6b0a774fa56e0169ed7bb7b25c114dd

SHA1
bcdba7d4ecfff2180510850e585b44691ea81ba5

SHA256
b87210c4a0814394371ec7fba00fc02d9adbb22bcb1811a2abab46fdf4325da9

SHA512
42295d57f735c31749235c8463ac2c31778bff46a6a16c87918440d0b2fc70d2f1f6fb10d2499105866f7022108bbda4268d2580356245bd19bbed1ee3a2c446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
07ceb05f856c31fa07c89285fc711fb1

SHA1
f62e025bc022deff55f134444665b765b869b5f4

SHA256
c8a65daff00a593a964542bc1b3abac7dd09a8c3915093757905461b5d0871a4

SHA512
13034b82a68eafaf05074f1efefd53bd956f4128062685f70f9c8b84cab3bb976f894c29bbd329e28f0dc1c1733478dd361303ecae7f05fc7043ee313f9af8db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
554d25277dc6aa025cb38ccad2e2936c

SHA1
f9488dae7a35ddb497ced6849da17a9fa6949d48

SHA256
33f2651796b368ecf3b9b1171b5883ca1849476ee4c96672772481a54deaa1bb

SHA512
34b7eeac0a1eb821ef23ad7a41409dfbce444f49d66f1addd6fb1b84ed214895c85af03e4a2e59e46d125083e252f3e1154c5cdb97e9a9dc4c5a836a4c754a76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7c8b9587937db3409bad781cb3632cd6

SHA1
4dd407ab8ed571aa3348b08a0137bfc251153864

SHA256
60d62be96f45d6fd995022c0394cf725eb9451c1780d6c4a741d8f4931d8e583

SHA512
c2fd88a7c54ee006fc65a4a91db6ead4ad69dd2e49c0cbbd5ec9260d282372d502c4063155ca14740f9d01a1864f956e7c5904f7d25482b845a13c696b37d7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s4rl1h2l.wng.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe

Filesize
1128.2MB

MD5
a44763dc3ab9327a5f0580e5c6bff6fb

SHA1
44c7ad0df3233a4d6c621d4d18283a6da0cb3328

SHA256
accec6ac85eebd8e37ccbf4bec4e78ab4128877426eb692e98be30d930c1e702

SHA512
a9ba5699b16ece052b94c3a20ea57c54e4700a26e96fb65f46df4f45fb6eb64458e713090b99447e7034d8d2882a67069ca7780cb56f66e086ddcf6efd189ad8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe

Filesize
714.6MB

MD5
0fa97d6dd11c84161303f096fa78c659

SHA1
8d8fab830983a0608795a53839b708cded337286

SHA256
a9b2d4969450286f020ee728c0916b997f8e64788c24775e203c34a104a8c499

SHA512
7106a95f668c4b33d5035555fa6d4b8b19e550ddaeeec5c7b934e23ecfaadf2d7f570e735de73baa77190f3562d987fc8536914c8277c542ad2b51aad6b8b3e2

Download Submit
memory/2172-218-0x0000016AA6ED0000-0x0000016AA6EE0000-memory.dmp

Filesize
64KB

Download
memory/2172-216-0x0000016AA6ED0000-0x0000016AA6EE0000-memory.dmp

Filesize
64KB

Download
memory/2604-142-0x0000024B3C850000-0x0000024B3C860000-memory.dmp

Filesize
64KB

Download
memory/2604-127-0x0000024B3C890000-0x0000024B3C8B2000-memory.dmp

Filesize
136KB

Download
memory/2604-141-0x0000024B3C850000-0x0000024B3C860000-memory.dmp

Filesize
64KB

Download
memory/2604-130-0x0000024B3CA40000-0x0000024B3CAB6000-memory.dmp

Filesize
472KB

Download
memory/4516-155-0x000001E3207D0000-0x000001E3207E0000-memory.dmp

Filesize
64KB

Download
memory/4516-154-0x000001E3207D0000-0x000001E3207E0000-memory.dmp

Filesize
64KB

Download
memory/4748-181-0x00000123F0B60000-0x00000123F0B70000-memory.dmp

Filesize
64KB

Download
memory/4748-180-0x00000123F0B60000-0x00000123F0B70000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads