0198b7c285a13c98123bbcf85d1b072bcc00f225f6d30867f4ab3be1ea927da8

Analysis

max time kernel
62s
max time network
45s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
14-07-2023 12:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

anti_recoil.exe
Size

1.8MB
MD5

c0e5b07cbf2d02c54f39ce6aad676dc7
SHA1

4100b839d867b252ffa991f91fb9e403b8e41256
SHA256

0198b7c285a13c98123bbcf85d1b072bcc00f225f6d30867f4ab3be1ea927da8
SHA512

7e87ca707772bcfd2121f350a001c36a5eda420e39f4612ef2d36f0b00734837bf5435421a1f005bf88ce4c6f83c79f10c46e8f7d9a793b9f970f88b8a64d87f
SSDEEP

24576:+tjkC9sS0W1PJY7BaSjwI1nTmtO2WC780/TaSX88:w0MSNnWXWC71TaSX

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2124	msedge.exe
2124	msedge.exe
2492	msedge.exe
2492	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4496	helppane.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4496	helppane.exe
4496	helppane.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 2492	4496	helppane.exe	96
PID 4496 wrote to memory of 2492	4496	helppane.exe	96
PID 2492 wrote to memory of 4400	2492	msedge.exe	97
PID 2492 wrote to memory of 4400	2492	msedge.exe	97
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 948	2492	msedge.exe	99
PID 2492 wrote to memory of 2124	2492	msedge.exe	98
PID 2492 wrote to memory of 2124	2492	msedge.exe	98
PID 2492 wrote to memory of 3440	2492	msedge.exe	100
PID 2492 wrote to memory of 3440	2492	msedge.exe	100
PID 2492 wrote to memory of 3440	2492	msedge.exe	100
PID 2492 wrote to memory of 3440	2492	msedge.exe	100
PID 2492 wrote to memory of 3440	2492	msedge.exe	100
PID 2492 wrote to memory of 3440	2492	msedge.exe	100
PID 2492 wrote to memory of 3440	2492	msedge.exe	100
PID 2492 wrote to memory of 3440	2492	msedge.exe	100
PID 2492 wrote to memory of 3440	2492	msedge.exe	100
PID 2492 wrote to memory of 3440	2492	msedge.exe	100
PID 2492 wrote to memory of 3440	2492	msedge.exe	100
PID 2492 wrote to memory of 3440	2492	msedge.exe	100
PID 2492 wrote to memory of 3440	2492	msedge.exe	100
PID 2492 wrote to memory of 3440	2492	msedge.exe	100
PID 2492 wrote to memory of 3440	2492	msedge.exe	100
PID 2492 wrote to memory of 3440	2492	msedge.exe	100
PID 2492 wrote to memory of 3440	2492	msedge.exe	100
PID 2492 wrote to memory of 3440	2492	msedge.exe	100

C:\Users\Admin\AppData\Local\Temp\anti_recoil.exe
"C:\Users\Admin\AppData\Local\Temp\anti_recoil.exe"
1⤵
PID:4484

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528882
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd8d0846f8,0x7ffd8d084708,0x7ffd8d084718
    3⤵
    PID:4400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,12973798806421567683,11204419591890126767,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,12973798806421567683,11204419591890126767,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
    3⤵
    PID:948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,12973798806421567683,11204419591890126767,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
    3⤵
    PID:3440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12973798806421567683,11204419591890126767,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
    3⤵
    PID:968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12973798806421567683,11204419591890126767,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
    3⤵
    PID:3284
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12973798806421567683,11204419591890126767,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
    3⤵
    PID:4928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12973798806421567683,11204419591890126767,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
    3⤵
    PID:888

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1812

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3423d7e71b832850019e032730997f69

SHA1
bbc91ba3960fb8f7f2d5a190e6585010675d9061

SHA256
53770e40359b9738d8898520d7e4a57c28498edddbadf76ec4a599837aa0c649

SHA512
03d5fee4152300d6c5e9f72c059955c944c7e6d207e433e9fdd693639e63ea699a01696d7bbf56d2033fd52ad260c9ae36a2c5c888112d81bf7e04a3f273e65d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
600B

MD5
0d3ac73e1fd481dead2e8f1471c3b678

SHA1
a505518479870553bcb6c926ff54df03066b5431

SHA256
147864f34d6e9e1a10754601609393d7751e5f2f6cc16beef123a3c64d37a126

SHA512
67402bd18a8b606a9ce763a2b7a0874de8ddc3653bcd048acbbebed76c63049afafd4864da643ff3bfa88bd32acb92f908ea2c8fe47bbd62d069ac6519adc5fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
248B

MD5
aa5c9ef101e0cca61678dcaed524270e

SHA1
94f9882349038ee458e04301b6ec123b0952860f

SHA256
cf77a8227d134ac5fec1aff2b71ab2d8ff3f89b588639ee06904b6578eabf404

SHA512
81717f814dbccb17f1dab5c07b48c63a43ab326bd764e7ffef704567a99356bdf66bc47e3a06b3cf9ae9c0d09e872d5d7415fff1282d7ef759278832a8fdfe1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
aeee1102385e1c9a699fefb4d01a8999

SHA1
86116851a0639ccd904899c6fb94244a90059606

SHA256
1dfaebd74cea59cc7e1cb816d63568de06bf8fe86f693dc4560d824ca0f1a509

SHA512
12bd15aab3923e42915130008f04583648be3a442db0d17810dacafcb5adc2cfcc833d99ce3de1263916e71c738bd176693391fece318dd9e61fac17f00c3e9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
39b769d59032b3ea303aa945c7ba3d97

SHA1
afc65a06f628c0515bd5c891bb2aae8c7ca1e1b4

SHA256
737a55f384a05e71190b3254703c11430bc0f7b26ebc075b4f357b3e4f5b5949

SHA512
cab3fcf26bb812db0a2c476b2d85b3b052061277e0d4e55ebc1a1094f61d30b278c0cf3d60ebe4818e7d1b39867ecbd5b66549ab9b9d784bb3157a8f0a94049e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
abd65d08d82c49029498834da40c7576

SHA1
7e75eaa5666383f4844fd7ca1a2e7d9e4ef502c9

SHA256
a4e576ea63453d3a0ce9d81beaf08023e9cd0723b8142a14a883ff1ea21d2b96

SHA512
47a3c461fa71987a2ffe01e785278d4af2b12e5816497e6295fac43314dc234ee9de2fcf05997600469724308086991dc36f34da016b04f896258f3c6f1bf2a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
e3970c7b57d1c801698124fec25f70a1

SHA1
09f97898bfbd27dc24aa9b20203db876cbc449e0

SHA256
1e15ae6d62b4e6cb6a7c493858f4a1109cdf5ca3e3897767e5e3c25290ce1eb2

SHA512
a6580de1eb98712fde2102b1af9ae8a0f4ba13833782ab11d47d8ff8336d3f420aec9b6c60dfa61266d6a8e58a376ba6aa8ec3e286d0a35970b53a1f62f0062d

Download Submit
memory/4484-137-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/4484-133-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/4484-135-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/4484-134-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/4484-332-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download