hxxp://85[.]217[.]144[.]143/files/akhrygshdfhdfjgs[.]c[.]exe

Analysis

max time kernel
155s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18-07-2023 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://85.217.144.143/files/akhrygshdfhdfjgs.c.exe

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{EAE0B4B1-4F46-438D-B528-6A0E3CB3F047}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4680	msedge.exe
4680	msedge.exe
1552	msedge.exe
1552	msedge.exe
1480	identity_helper.exe
1480	identity_helper.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 3016	1552	msedge.exe	81
PID 1552 wrote to memory of 3016	1552	msedge.exe	81
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 2820	1552	msedge.exe	84
PID 1552 wrote to memory of 4680	1552	msedge.exe	83
PID 1552 wrote to memory of 4680	1552	msedge.exe	83
PID 1552 wrote to memory of 4508	1552	msedge.exe	82
PID 1552 wrote to memory of 4508	1552	msedge.exe	82
PID 1552 wrote to memory of 4508	1552	msedge.exe	82
PID 1552 wrote to memory of 4508	1552	msedge.exe	82
PID 1552 wrote to memory of 4508	1552	msedge.exe	82
PID 1552 wrote to memory of 4508	1552	msedge.exe	82
PID 1552 wrote to memory of 4508	1552	msedge.exe	82
PID 1552 wrote to memory of 4508	1552	msedge.exe	82
PID 1552 wrote to memory of 4508	1552	msedge.exe	82
PID 1552 wrote to memory of 4508	1552	msedge.exe	82
PID 1552 wrote to memory of 4508	1552	msedge.exe	82
PID 1552 wrote to memory of 4508	1552	msedge.exe	82
PID 1552 wrote to memory of 4508	1552	msedge.exe	82
PID 1552 wrote to memory of 4508	1552	msedge.exe	82
PID 1552 wrote to memory of 4508	1552	msedge.exe	82
PID 1552 wrote to memory of 4508	1552	msedge.exe	82
PID 1552 wrote to memory of 4508	1552	msedge.exe	82
PID 1552 wrote to memory of 4508	1552	msedge.exe	82
PID 1552 wrote to memory of 4508	1552	msedge.exe	82
PID 1552 wrote to memory of 4508	1552	msedge.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://85.217.144.143/files/akhrygshdfhdfjgs.c.exe
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7ffc100446f8,0x7ffc10044708,0x7ffc10044718
  2⤵
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2256,16658022876539825217,17022001397295424978,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2256,16658022876539825217,17022001397295424978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2740 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2256,16658022876539825217,17022001397295424978,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2276 /prefetch:2
  2⤵
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,16658022876539825217,17022001397295424978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,16658022876539825217,17022001397295424978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2256,16658022876539825217,17022001397295424978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4428 /prefetch:8
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2256,16658022876539825217,17022001397295424978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4428 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,16658022876539825217,17022001397295424978,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,16658022876539825217,17022001397295424978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,16658022876539825217,17022001397295424978,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,16658022876539825217,17022001397295424978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2256,16658022876539825217,17022001397295424978,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4908

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:1108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f6f47b83c67fe32ee32811d6611d269c

SHA1
b32353d1d0ed26e0dd5b5f1f402ffd41a105d025

SHA256
ac1866f15ff34d1df4dafa761dbb7dc2c712fe01ac0e171706ef29e205549cbc

SHA512
6ee068efa9fbd3c972169427be2f6377a1204bf99b61579e4d78643e89e729ad65f2abcc70007fd0dd38428e7cd39010a253d6f9cd5e90409e207ddaf5d6720d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bd93f0fb81869b653ab40e961d4f6361

SHA1
ba77b9b5993845354ae17e427dd1a3c380695e78

SHA256
3a30e68a39331cd15e0edaea01c919391a6524ff388f7d098a7ed7adb6f2758c

SHA512
a2dc7bc838fde428cf1229ea091ac310f9789cc561e41b712d73315c0095194d190e394ec56810c61d3704747e4d9ba7e3f332c2fb20ca544435b06da47de08f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
70094c2cc59fb41fa4b31fddefe0ebca

SHA1
08ba13a1051f63c1baa368b6b740b865f4ff29b9

SHA256
14ba675bf6a8909eb51b551b4dfab13fd58ab16a48d4c1f7d220da71fcbc9a3e

SHA512
ace9e8f949fc7c15d06b3449206aab4d12a5fadecc61cba87bfc52e5bc61bb11dc6b47ec556225cdda3eb7fcc59e115c45419ccb8f9c7ccd841b6477d78fa9d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5544c64f2a8f49dabc19eb84267b1c9b

SHA1
c5b78d63a8bab1c7b985f7ea2f268d0d7809071e

SHA256
a1fcfee2974a77e76a7431a2069db301861ab42dd41769cead8697f41f5a497f

SHA512
38c80d7c810441fc87beff38929473088cf426b0a25a30820d8a060f493350d99bb8521b314afe00578ea54648fce2aa4e55880a83a4f1048c56307991726565

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
df6d83ca46c17abcbdc95722de1a0437

SHA1
37fbda8deb31cdb4b6c2a4956eeaadb029386996

SHA256
5895d758a5096901206c69e442b0c12f763c4dfc9141b6824c954e5d820be95c

SHA512
c9f5ec49324bb3390472859fbfed1372ccd05f68c75c04dccf40c0583f99b7e7985421a2863c1d1fe888447b77aaf181a61f753a74ca973016c15a29545073ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsu3D71.tmp

Filesize
14KB

MD5
c01eaa0bdcd7c30a42bbb35a9acbf574

SHA1
0aee3e1b873e41d040f1991819d0027b6cc68f54

SHA256
32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40

SHA512
d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
85dfc4d0d408bd1c1a75351d8b32ba74

SHA1
1cc71545f0e3f2c43d36199f07da320fe819d642

SHA256
b5c05ec7e9aa3a6cc2fe2fa243256a3c8999f1d53b96037c70252c9618c08021

SHA512
01acb61192bb4e2e87e7b39e5ca1405067633fb7adc39a941e60e0d099b310626650e07c6857b8affddbd21d4591b20d114e284235a22b0d3c9c528c88592d58

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
4549e025fd11419ad468f19df69bd5c7

SHA1
7561b15e5f8e78489efac413a7208dffd4aecff2

SHA256
64a7ddceb685cadfc5937a8329f60aaa17d502cfacce8b5910ecff168a65464a

SHA512
e0b5590c09d1c61ce5438070336c821aaf57d9a912a91dd7e745a0ac72e120f8a16d6674f27456f08b582d9656c96a85bfecd3882425cacb04e3ca26fc2adb7b

Download Submit