dcrat | cd83427b301bad7fc71f23cb121a4c41483b2f0278c54e9595583e8f2865f004

Resubmissions

14-06-2023 00:49

230614-a6lm7acd45 10

14-06-2023 00:49

230614-a6ejwacd44 10

14-06-2023 00:21

230614-and6dscd27 10

Analysis

max time kernel
306s
max time network
311s
platform
windows10-1703_x64
resource
win10-20230220-ja
resource tags

arch:x64arch:x86image:win10-20230220-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
14-06-2023 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Allergies List and Allowed Substances.numb05151.pdf.scr
Size

920.3MB
MD5

491c5ac82977262ef24bd22ad312c622
SHA1

1f0555370f07e94182059701f63e940429757157
SHA256

ea770032c44e773b9c9865d4ff3bfb10f76b003ace1bbfbe45755ffff227e5fe
SHA512

a9974fe623a979e12d8493200f36aa4aab5763ea97ed4d5924fb1f579038d686bb10d789d576343ce4ca4c8a4657ed9404b7ffb52f701f6f880eb75e766f6734
SSDEEP

393216:rc8yiMPNWZV4nXF12elEA7YKsHES/Sl50l:rcOMPNWTM2elpBtSwW

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2936-117-0x0000000000D80000-0x00000000036E6000-memory.dmp	dcrat
behavioral1/memory/4656-8709-0x0000000000400000-0x00000000004D0000-memory.dmp	dcrat

.NET Reactor proctector 35 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/2936-117-0x0000000000D80000-0x00000000036E6000-memory.dmp	net_reactor
behavioral1/memory/2936-119-0x000000001E4F0000-0x000000001E646000-memory.dmp	net_reactor
behavioral1/memory/2936-121-0x000000001E4F0000-0x000000001E640000-memory.dmp	net_reactor
behavioral1/memory/2936-120-0x000000001E4F0000-0x000000001E640000-memory.dmp	net_reactor
behavioral1/memory/2936-123-0x000000001E4F0000-0x000000001E640000-memory.dmp	net_reactor
behavioral1/memory/2936-125-0x000000001E4F0000-0x000000001E640000-memory.dmp	net_reactor
behavioral1/memory/2936-127-0x000000001E4F0000-0x000000001E640000-memory.dmp	net_reactor
behavioral1/memory/2936-129-0x000000001E4F0000-0x000000001E640000-memory.dmp	net_reactor
behavioral1/memory/2936-131-0x000000001E4F0000-0x000000001E640000-memory.dmp	net_reactor
behavioral1/memory/2936-133-0x000000001E4F0000-0x000000001E640000-memory.dmp	net_reactor
behavioral1/memory/2936-135-0x000000001E4F0000-0x000000001E640000-memory.dmp	net_reactor
behavioral1/memory/2936-137-0x000000001E4F0000-0x000000001E640000-memory.dmp	net_reactor
behavioral1/memory/2936-139-0x000000001E4F0000-0x000000001E640000-memory.dmp	net_reactor
behavioral1/memory/2936-141-0x000000001E4F0000-0x000000001E640000-memory.dmp	net_reactor
behavioral1/memory/2936-143-0x000000001E4F0000-0x000000001E640000-memory.dmp	net_reactor
behavioral1/memory/2936-145-0x000000001E4F0000-0x000000001E640000-memory.dmp	net_reactor
behavioral1/memory/2936-147-0x000000001E4F0000-0x000000001E640000-memory.dmp	net_reactor
behavioral1/memory/2936-149-0x000000001E4F0000-0x000000001E640000-memory.dmp	net_reactor
behavioral1/memory/2936-151-0x000000001E4F0000-0x000000001E640000-memory.dmp	net_reactor
behavioral1/memory/2936-153-0x000000001E4F0000-0x000000001E640000-memory.dmp	net_reactor
behavioral1/memory/2936-155-0x000000001E4F0000-0x000000001E640000-memory.dmp	net_reactor
behavioral1/memory/2936-157-0x000000001E4F0000-0x000000001E640000-memory.dmp	net_reactor
behavioral1/memory/2936-159-0x000000001E4F0000-0x000000001E640000-memory.dmp	net_reactor
behavioral1/memory/2936-161-0x000000001E4F0000-0x000000001E640000-memory.dmp	net_reactor
behavioral1/memory/2936-163-0x000000001E4F0000-0x000000001E640000-memory.dmp	net_reactor
behavioral1/memory/2936-165-0x000000001E4F0000-0x000000001E640000-memory.dmp	net_reactor
behavioral1/memory/2936-167-0x000000001E4F0000-0x000000001E640000-memory.dmp	net_reactor
behavioral1/memory/2936-169-0x000000001E4F0000-0x000000001E640000-memory.dmp	net_reactor
behavioral1/memory/2936-171-0x000000001E4F0000-0x000000001E640000-memory.dmp	net_reactor
behavioral1/memory/2936-173-0x000000001E4F0000-0x000000001E640000-memory.dmp	net_reactor
behavioral1/memory/2936-177-0x000000001E4F0000-0x000000001E640000-memory.dmp	net_reactor
behavioral1/memory/2936-175-0x000000001E4F0000-0x000000001E640000-memory.dmp	net_reactor
behavioral1/memory/2936-179-0x000000001E4F0000-0x000000001E640000-memory.dmp	net_reactor
behavioral1/memory/2936-181-0x000000001E4F0000-0x000000001E640000-memory.dmp	net_reactor
behavioral1/memory/2936-183-0x000000001E4F0000-0x000000001E640000-memory.dmp	net_reactor

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 ipinfo.io
10 ipinfo.io
Suspicious use of SetThreadContext 1 IoCs

Processes:

Allergies List and Allowed Substances.numb05151.pdf.scr

description pid process target process

PID 2936 set thread context of 4656 2936 Allergies List and Allowed Substances.numb05151.pdf.scr MSBuild.exe

flow	ioc
9	ipinfo.io
10	ipinfo.io

description	pid	process	target process
PID 2936 set thread context of 4656	2936	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe

Drops file in Windows directory 3 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdgeCP.exeMicrosoftEdge.exebrowser_broker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 5652d694569ed901	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = c7407ea65a45d901	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = c7407ea65a45d901	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\NextUpdateDate = "393520974"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 4	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 3	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = c7407ea65a45d901	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000a3119176dbb50b5a2d65df2f248309f753a54b2bbfca338688b69f8f2cdf5ee14aa1c82ce0a685a80db28f7b5a736fa54bcc6b7574ec7210a0aebb19	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 0100000000728779c248d8e362903aa255554559c032005f7616ee885ff7b8e6adb0ca53c870aeed696c68df8cc5fa6351e650ee553a6182c58c669cd55a	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = d0811ffa889ed901	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$MediaWiki	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$blogger	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$http://www.typepad.com/	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 0746c09a569ed901	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

Allergies List and Allowed Substances.numb05151.pdf.scrMSBuild.exe

pid	process
2936	Allergies List and Allowed Substances.numb05151.pdf.scr
2936	Allergies List and Allowed Substances.numb05151.pdf.scr
4656	MSBuild.exe
4656	MSBuild.exe
4656	MSBuild.exe
4656	MSBuild.exe
4656	MSBuild.exe
4656	MSBuild.exe
4656	MSBuild.exe
4656	MSBuild.exe
4656	MSBuild.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

MSBuild.exe

pid process

4656 MSBuild.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

3592 MicrosoftEdgeCP.exe
3592 MicrosoftEdgeCP.exe

pid	process
4656	MSBuild.exe

pid	process
3592	MicrosoftEdgeCP.exe
3592	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

Allergies List and Allowed Substances.numb05151.pdf.scrMSBuild.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	pid	process
Token: SeDebugPrivilege	2936	Allergies List and Allowed Substances.numb05151.pdf.scr
Token: SeDebugPrivilege	4656	MSBuild.exe
Token: SeDebugPrivilege	4284	MicrosoftEdge.exe
Token: SeDebugPrivilege	4284	MicrosoftEdge.exe
Token: SeDebugPrivilege	4284	MicrosoftEdge.exe
Token: SeDebugPrivilege	4284	MicrosoftEdge.exe
Token: SeDebugPrivilege	708	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	708	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	708	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	708	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2616	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2616	MicrosoftEdgeCP.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

4284 MicrosoftEdge.exe
3592 MicrosoftEdgeCP.exe
3592 MicrosoftEdgeCP.exe

pid	process
4284	MicrosoftEdge.exe
3592	MicrosoftEdgeCP.exe
3592	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Allergies List and Allowed Substances.numb05151.pdf.scrMicrosoftEdgeCP.exe

description	pid	process	target process
PID 2936 wrote to memory of 4084	2936	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 2936 wrote to memory of 4084	2936	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 2936 wrote to memory of 4084	2936	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 2936 wrote to memory of 4656	2936	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 2936 wrote to memory of 4656	2936	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 2936 wrote to memory of 4656	2936	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 2936 wrote to memory of 4656	2936	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 2936 wrote to memory of 4656	2936	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 2936 wrote to memory of 4656	2936	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 2936 wrote to memory of 4656	2936	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 2936 wrote to memory of 4656	2936	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 3592 wrote to memory of 708	3592	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3592 wrote to memory of 708	3592	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3592 wrote to memory of 708	3592	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3592 wrote to memory of 708	3592	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3592 wrote to memory of 708	3592	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3592 wrote to memory of 708	3592	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe

C:\Users\Admin\AppData\Local\Temp\Allergies List and Allowed Substances.numb05151.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Allergies List and Allowed Substances.numb05151.pdf.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:4084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4284

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4112

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:708

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RIZDY293\edgecompatviewlist[1].xml
Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\C6B23N4H\suggestions[1].ja-JP
Filesize
17KB

MD5
f0e8351230b562572b4b315a1a55004f

SHA1
1cc73361100ce15353f2571a03a5d5a364be87d2

SHA256
650de9892142b102c0cd1f9deca25f93d83c0bb8b5434580c77dd4214a82e1a5

SHA512
3d7dd1a72a000041fe308828c714ac48c463e0022cad3495296d0eb72a0fc85127b3c46cdc0015da25d41e9d22eba887980c301663f37ad86e7ccbc452934d46

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Microsoft\Windows\3720402701\2219095117.pri
Filesize
207KB

MD5
e2b88765ee31470114e866d939a8f2c6

SHA1
e0a53b8511186ff308a0507b6304fb16cabd4e1f

SHA256
523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e

SHA512
462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d

Download Submit
memory/2936-117-0x0000000000D80000-0x00000000036E6000-memory.dmp

Filesize
41.4MB

Download
memory/2936-118-0x0000000005800000-0x0000000005810000-memory.dmp

Filesize
64KB

Download
memory/2936-119-0x000000001E4F0000-0x000000001E646000-memory.dmp

Filesize
1.3MB

Download
memory/2936-121-0x000000001E4F0000-0x000000001E640000-memory.dmp

Filesize
1.3MB

Download
memory/2936-120-0x000000001E4F0000-0x000000001E640000-memory.dmp

Filesize
1.3MB

Download
memory/2936-123-0x000000001E4F0000-0x000000001E640000-memory.dmp

Filesize
1.3MB

Download
memory/2936-125-0x000000001E4F0000-0x000000001E640000-memory.dmp

Filesize
1.3MB

Download
memory/2936-127-0x000000001E4F0000-0x000000001E640000-memory.dmp

Filesize
1.3MB

Download
memory/2936-129-0x000000001E4F0000-0x000000001E640000-memory.dmp

Filesize
1.3MB

Download
memory/2936-131-0x000000001E4F0000-0x000000001E640000-memory.dmp

Filesize
1.3MB

Download
memory/2936-133-0x000000001E4F0000-0x000000001E640000-memory.dmp

Filesize
1.3MB

Download
memory/2936-135-0x000000001E4F0000-0x000000001E640000-memory.dmp

Filesize
1.3MB

Download
memory/2936-137-0x000000001E4F0000-0x000000001E640000-memory.dmp

Filesize
1.3MB

Download
memory/2936-139-0x000000001E4F0000-0x000000001E640000-memory.dmp

Filesize
1.3MB

Download
memory/2936-141-0x000000001E4F0000-0x000000001E640000-memory.dmp

Filesize
1.3MB

Download
memory/2936-143-0x000000001E4F0000-0x000000001E640000-memory.dmp

Filesize
1.3MB

Download
memory/2936-145-0x000000001E4F0000-0x000000001E640000-memory.dmp

Filesize
1.3MB

Download
memory/2936-147-0x000000001E4F0000-0x000000001E640000-memory.dmp

Filesize
1.3MB

Download
memory/2936-149-0x000000001E4F0000-0x000000001E640000-memory.dmp

Filesize
1.3MB

Download
memory/2936-151-0x000000001E4F0000-0x000000001E640000-memory.dmp

Filesize
1.3MB

Download
memory/2936-153-0x000000001E4F0000-0x000000001E640000-memory.dmp

Filesize
1.3MB

Download
memory/2936-155-0x000000001E4F0000-0x000000001E640000-memory.dmp

Filesize
1.3MB

Download
memory/2936-157-0x000000001E4F0000-0x000000001E640000-memory.dmp

Filesize
1.3MB

Download
memory/2936-159-0x000000001E4F0000-0x000000001E640000-memory.dmp

Filesize
1.3MB

Download
memory/2936-161-0x000000001E4F0000-0x000000001E640000-memory.dmp

Filesize
1.3MB

Download
memory/2936-163-0x000000001E4F0000-0x000000001E640000-memory.dmp

Filesize
1.3MB

Download
memory/2936-165-0x000000001E4F0000-0x000000001E640000-memory.dmp

Filesize
1.3MB

Download
memory/2936-167-0x000000001E4F0000-0x000000001E640000-memory.dmp

Filesize
1.3MB

Download
memory/2936-169-0x000000001E4F0000-0x000000001E640000-memory.dmp

Filesize
1.3MB

Download
memory/2936-171-0x000000001E4F0000-0x000000001E640000-memory.dmp

Filesize
1.3MB

Download
memory/2936-173-0x000000001E4F0000-0x000000001E640000-memory.dmp

Filesize
1.3MB

Download
memory/2936-177-0x000000001E4F0000-0x000000001E640000-memory.dmp

Filesize
1.3MB

Download
memory/2936-175-0x000000001E4F0000-0x000000001E640000-memory.dmp

Filesize
1.3MB

Download
memory/2936-179-0x000000001E4F0000-0x000000001E640000-memory.dmp

Filesize
1.3MB

Download
memory/2936-181-0x000000001E4F0000-0x000000001E640000-memory.dmp

Filesize
1.3MB

Download
memory/2936-183-0x000000001E4F0000-0x000000001E640000-memory.dmp

Filesize
1.3MB

Download
memory/2936-1122-0x0000000005800000-0x0000000005810000-memory.dmp

Filesize
64KB

Download
memory/4656-8709-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4656-8710-0x0000000005BB0000-0x00000000060AE000-memory.dmp

Filesize
5.0MB

Download
memory/4656-8711-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/4656-8712-0x00000000057F0000-0x000000000580C000-memory.dmp

Filesize
112KB

Download
memory/4656-8713-0x00000000059E0000-0x0000000005A30000-memory.dmp

Filesize
320KB

Download
memory/4656-8714-0x0000000005810000-0x0000000005826000-memory.dmp

Filesize
88KB

Download
memory/4656-8715-0x0000000005840000-0x000000000584C000-memory.dmp

Filesize
48KB

Download
memory/4656-8716-0x0000000005860000-0x000000000586E000-memory.dmp

Filesize
56KB

Download
memory/4656-8717-0x0000000005870000-0x000000000587E000-memory.dmp

Filesize
56KB

Download
memory/4656-8718-0x0000000005AD0000-0x0000000005B62000-memory.dmp

Filesize
584KB

Download
memory/4656-8719-0x00000000061B0000-0x0000000006216000-memory.dmp

Filesize
408KB

Download
memory/4656-8720-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/4656-8721-0x0000000006C00000-0x0000000006DC2000-memory.dmp

Filesize
1.8MB

Download
memory/4656-8722-0x0000000006F60000-0x000000000706E000-memory.dmp

Filesize
1.1MB

Download
memory/4656-8723-0x00000000077A0000-0x0000000007CCC000-memory.dmp

Filesize
5.2MB

Download
memory/4656-8724-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/4656-8725-0x0000000007FD0000-0x0000000008018000-memory.dmp

Filesize
288KB

Download
memory/4656-8824-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download