be0219b47ed088e3ad97037177d8c55e4ad9e902ad7646c0b9e64ae1ecabe98a

Resubmissions

17/08/2023, 12:48

230817-p1vfgaba51 3

17/08/2023, 12:44

230817-pyz8yahc99 3

Analysis

max time kernel
1686s
max time network
1693s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2023, 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edi.bat
Size

343B
MD5

1afa892b415dd6bdde6a8b47a4bba8bf
SHA1

8d70c9a141b6c8c23d798dfcc2f1f1ea617021f4
SHA256

be0219b47ed088e3ad97037177d8c55e4ad9e902ad7646c0b9e64ae1ecabe98a
SHA512

9c2d5f8cfbcfbaacf9acb63dc12327be562c8f4653ffd7e53897f445afd138c784660d483655ca9a189417026499ac14d6d202e312036aab31cbb79104902851

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
4144	timeout.exe
1408	timeout.exe
1320	timeout.exe
1572	timeout.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4056	msedge.exe
4056	msedge.exe
4564	msedge.exe
4564	msedge.exe
1148	identity_helper.exe
1148	identity_helper.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3804 wrote to memory of 1320	3804	cmd.exe	83
PID 3804 wrote to memory of 1320	3804	cmd.exe	83
PID 3804 wrote to memory of 1572	3804	cmd.exe	84
PID 3804 wrote to memory of 1572	3804	cmd.exe	84
PID 3804 wrote to memory of 4144	3804	cmd.exe	85
PID 3804 wrote to memory of 4144	3804	cmd.exe	85
PID 3804 wrote to memory of 1408	3804	cmd.exe	88
PID 3804 wrote to memory of 1408	3804	cmd.exe	88
PID 3804 wrote to memory of 4564	3804	cmd.exe	91
PID 3804 wrote to memory of 4564	3804	cmd.exe	91
PID 4564 wrote to memory of 4880	4564	msedge.exe	93
PID 4564 wrote to memory of 4880	4564	msedge.exe	93
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 816	4564	msedge.exe	95
PID 4564 wrote to memory of 4056	4564	msedge.exe	94
PID 4564 wrote to memory of 4056	4564	msedge.exe	94
PID 4564 wrote to memory of 2392	4564	msedge.exe	96
PID 4564 wrote to memory of 2392	4564	msedge.exe	96
PID 4564 wrote to memory of 2392	4564	msedge.exe	96
PID 4564 wrote to memory of 2392	4564	msedge.exe	96
PID 4564 wrote to memory of 2392	4564	msedge.exe	96
PID 4564 wrote to memory of 2392	4564	msedge.exe	96
PID 4564 wrote to memory of 2392	4564	msedge.exe	96
PID 4564 wrote to memory of 2392	4564	msedge.exe	96
PID 4564 wrote to memory of 2392	4564	msedge.exe	96
PID 4564 wrote to memory of 2392	4564	msedge.exe	96

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\edi.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3804
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:1320
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1572
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4144
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youareanidiot.cc/
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6ebb46f8,0x7ffa6ebb4708,0x7ffa6ebb4718
    3⤵
    PID:4880
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,6285455637777120529,15221239524127816281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,6285455637777120529,15221239524127816281,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
    3⤵
    PID:816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,6285455637777120529,15221239524127816281,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
    3⤵
    PID:2392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,6285455637777120529,15221239524127816281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
    3⤵
    PID:1316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,6285455637777120529,15221239524127816281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
    3⤵
    PID:1272
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,6285455637777120529,15221239524127816281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 /prefetch:8
    3⤵
    PID:4488
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,6285455637777120529,15221239524127816281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1148
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,6285455637777120529,15221239524127816281,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
    3⤵
    PID:3664
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,6285455637777120529,15221239524127816281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
    3⤵
    PID:3872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,6285455637777120529,15221239524127816281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
    3⤵
    PID:3760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,6285455637777120529,15221239524127816281,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
    3⤵
    PID:848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,6285455637777120529,15221239524127816281,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4600 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2820

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fc99b0086d7714fd471ed4acc862ccc0

SHA1
39a3c43c97f778d67413a023d66e8e930d0e2314

SHA256
45ef01f81605bfd96126d5520c5aa0304c7fa7d5fdb3e4d5b2dd2bf84e2afd96

SHA512
c308fa3eda9235d67a506a5f058fefb9a769ec01d7b0d4f5a2397892cc4f8155301c55c1fac23bebacdd087ab3f47f1eacc9ff88eff4115a7d67aa7b1d6581a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
6c8e6bde8eb533ed3891cb0662576cdc

SHA1
1aca57b6d2b2fb8ce1764c1ee7ddd9702e3e7a44

SHA256
5905bc35c6620ed2f988d13d56e9c8025d1212bb71571fc7e7a32ebf91f62c1d

SHA512
7e512f74c7172351d5760a05a98a773ea3ce0ce2b3031f23733aee8a9a84c79654f6f93335b09015a4aa71e941699f74543438929b0e09d12d41e4fa6411a639

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
184B

MD5
b88f247eb29ab18ceefffcc93358b1df

SHA1
7695a17a01bf978f93603de7349ca8e52bec87c4

SHA256
5a36b6618062d5914e152044e662f742f99f433655d106e7e59d2b005d5702c3

SHA512
82ec3d18f129fd6d8691c7890ce7268b8211b1b21486e37dc43bb9000ceb29f79f429c0c9a933d0356a415823f53502ab08c5eb2af4fae272b337b31ec70e558

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2337dfb347b29c2cabc5c7d59ef20bda

SHA1
5293d8e20633c07dce97450aeb6230c566b29ebe

SHA256
d7e0d810759b4005806575151c73664705853b308e590582d2f03a3bd22831b6

SHA512
d19c43d68c48906b05952fc9998a479e91c1b429e9b200f33df9a7e9bea839eae67ee0f40fb2064a1f0073ba005ab62bde390fa4cfba45eb4689953f49dfaabb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4e1af62fe42ba7107119d8a6291ee6c0

SHA1
d244d0f82bb4425c2b053e5b2017c3833d4ba61d

SHA256
eb5195ac6d23d498f89c33687fcf4374d8c6b7f0a9d4a9547137abee2b4eaadd

SHA512
ab0800dbf0b110125a489f3b67e64efef49086ec44481f36ac3e019b08020b4312743bf3211779ded933c2e36a79f84424072b900bcef24f3e71e783a98b59d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
96f00bbd6a174879c58220f95f0115f5

SHA1
d3d7f82b0bf27daf1b3903bfe050c2d05422050f

SHA256
644442e740a8c0bb20f712f6f84f5bf4a81bb29d4e9446b2832ca65618961107

SHA512
e7c5e90eb85aee7b81b9c163f618ad3789a48b256040f6f00eee7fce52c60e1ff491bf0538b9c846fb115b73163710e46a45ce056e3b41ca59d88c421502ccea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
b503cf00700042f96a3ea4b1eb1a2f7f

SHA1
763a00981800f8cec2df085c416979faef5a9f8e

SHA256
f68e61e88a0f7aa374f70c57d8066144647cdcc96bc18b42f687444c42d46409

SHA512
e0b15e973d539c50352a0f793f09ab1b9fd348ff4b947146d23ec21a186569c0aab061d06ee75850f9d3789c786a58eeb5316614cb4c54aa8d7349500a0f976f

Download Submit