Analysis
- max time kernel: 1718s
- max time network: 1726s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/08/2023, 17:51
Static task: static1
Behavioral task: behavioral1
- Sample: Geradores_3.exe
- Resource: win7-20230712-en
Behavioral task: behavioral2
- Sample: Geradores_3.exe
- Resource: win10v2004-20230703-en
General
- Target: Geradores_3.exe
- Size: 1.2MB
- MD5: 27c261e6b9cf5cbf049e873dd4a69ca0
- SHA1: d5f54cea7934881c22531ea65e2ddb7062683dd2
- SHA256: 6949492e68b7c20221d0ad5102bbbcacba1a1705eb5e1cadeae54f9c53c5d256
- SHA512: 7fe3929d586d4d7c708eaa8b955ce5cd77b368a18bdd7ef5219b629290fb037483fb44487217436723874adde9f200b0d329a2333944dd1506b1147fa9594ca8
- SSDEEP: 24576:svMZvMNyvvMNyQdngwtlaHxN8KUWVe6tw2wvKhLnekqjVnlqud+/2P+AdjvM:duNBNhdngwwHv5VbtHw1kqXfd+/9Au
Malware Config
Signatures
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid   Process
  3748  msedge.exe (2 entries)
  4472  msedge.exe (2 entries)
  2824  identity_helper.exe (2 entries)
  4212  msedge.exe (4 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  pid   Process
  4472  msedge.exe (7 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid  Process
  Token: SeDebugPrivilege  944  Geradores_3.exe
- Suspicious use of FindShellTrayWindow (25 IoCs)
  pid   Process
  4472  msedge.exe (25 entries)
- Suspicious use of SendNotifyMessage (24 IoCs)
  pid   Process
  4472  msedge.exe (24 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  description                        pid   Process     procid_target
  PID 4472 wrote to memory of 2120   4472  msedge.exe  93  (2 entries)
  PID 4472 wrote to memory of 836    4472  msedge.exe  94  (repeated entries)
  PID 4472 wrote to memory of 3748   4472  msedge.exe  95  (2 entries)
  PID 4472 wrote to memory of 3016   4472  msedge.exe  96  (repeated entries)
  The writes to PIDs 836 and 3016 account for the remaining 60 of the 64 entries.
Processes
- C:\Users\Admin\AppData\Local\Temp\Geradores_3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Geradores_3.exe"
  PID: 944
  - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  PID: 4472
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff89b0d46f8,0x7ff89b0d4708,0x7ff89b0d4718
    PID: 2120
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,10712697410631423959,5224399846664166782,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
    PID: 836
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,10712697410631423959,5224399846664166782,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
    PID: 3748
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,10712697410631423959,5224399846664166782,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
    PID: 3016
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10712697410631423959,5224399846664166782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
    PID: 4128
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10712697410631423959,5224399846664166782,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
    PID: 1052
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10712697410631423959,5224399846664166782,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
    PID: 4236
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10712697410631423959,5224399846664166782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
    PID: 4652
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,10712697410631423959,5224399846664166782,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
    PID: 3280
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,10712697410631423959,5224399846664166782,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
    PID: 2824
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10712697410631423959,5224399846664166782,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
    PID: 2112
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10712697410631423959,5224399846664166782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
    PID: 4968
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10712697410631423959,5224399846664166782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
    PID: 4808
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,10712697410631423959,5224399846664166782,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3156 /prefetch:2
    PID: 4212
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 5056
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1344
- C:\Windows\system32\rundll32.exe
  Command line: C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
  PID: 4500
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 152B
  MD5: 3423d7e71b832850019e032730997f69
  SHA1: bbc91ba3960fb8f7f2d5a190e6585010675d9061
  SHA256: 53770e40359b9738d8898520d7e4a57c28498edddbadf76ec4a599837aa0c649
  SHA512: 03d5fee4152300d6c5e9f72c059955c944c7e6d207e433e9fdd693639e63ea699a01696d7bbf56d2033fd52ad260c9ae36a2c5c888112d81bf7e04a3f273e65d
- Filesize: 111B
  MD5: 285252a2f6327d41eab203dc2f402c67
  SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
- Filesize: 5KB
  MD5: 0bc544305b237e6855ba969e822a2953
  SHA1: 4551e48eb02c8b1c0b1df1cfc2d6e72d24a292c4
  SHA256: f5949a2e5c03104bd75b83c5013b8e54649f10b5f59e6fdff8278a8da831133e
  SHA512: 0765c7c36e9d118897c53875a306f2bbc70d6caa8d37a3f84ca5a884687dd84323624e5f2f78dfa20eead816fa88602f8f434fca641d2321c9c96b205da32e1b
- Filesize: 5KB
  MD5: ec6c17907fa0176ac548650e8210a191
  SHA1: 3466ff00cb4f35c852521aa36a74c35fd37fdba9
  SHA256: ad571f56e1fc8fec0d33b6df792ffad8bdcc3b62b4a9114f0213758809bb3f9c
  SHA512: 882717ecc3b69b709789ffeea5c3cd56f365556e4575baf895578f29546c8fc68724a29376f34b44a6709ac5a7b2336bbe8f5d428af421dca5f742b4baef1ed8
- Filesize: 24KB
  MD5: 0e78f9a3ece93ae9434c64ea2bff51dc
  SHA1: a0e4c75fe32417fe2df705987df5817326e1b3b9
  SHA256: 5c8ce4455f2a3e5f36f30e7100f85bdd5e44336a8312278769f89f68b8d60e68
  SHA512: 9d1686f0b38e3326ad036c8b218b61428204910f586dccf8b62ecbed09190f7664a719a89a6fbc0ecb429aecf5dd0ec06de44be3a1510369e427bde0626fd51d
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 12KB
  MD5: 4ae05744a5f5bdafbe1147aaee7fadae
  SHA1: 684291eba38956c110ddf0f8372c3e9579668dc4
  SHA256: 7a6c2aa15d3734fb66ba4de78fc56ccf87c5af378cbc8fafea0d0d47d2e6a5fb
  SHA512: 8dd161431e6e0de8cf5264a3f7614dd4b5f53501e565b892b205c1fcbe407aa4f402f028d40e19591fdad2c8f9953536345694dda2436effc06743282166ff76