Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system -
submitted
12-12-2023 14:09
Static task
static1
Behavioral task
behavioral1
Sample
Bank_Confirmation.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
Bank_Confirmation.exe
Resource
win10v2004-20231127-en
General
-
Target
Bank_Confirmation.exe
-
Size
882KB
-
MD5
f82b121e447bb312a0c383d78a90490f
-
SHA1
a2570c68231136bb0d7b260f906d1e5a78c25f48
-
SHA256
d61fdb59b0176c8e329052c1b577dd366f17f206b79769bf3ae56ed6d52575de
-
SHA512
cfcf833f59f3f47aea75ea62b79d5ca57fcad8e56943bb60cd4af0212baf3c6720d9f991a3dd8964a9e272b2b82f0416fa5d06988e90dc9fda2a0e56d649dc31
-
SSDEEP
12288:r6zcyAwHWZJOLMZ7vgg24T4xT0Wm6y7+uSm0POeB83mAQuaPc19LW1lVmt1XS/2E:r6TH2gK0xxm64+ut1F2fuaG35Cy
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.bezzleauto.com - Port:
587 - Username:
[email protected] - Password:
kex#-rHjHM4qKk52 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect ZGRat V1 34 IoCs
Processes:
resource yara_rule behavioral2/memory/3436-2-0x0000000004D80000-0x0000000004E28000-memory.dmp family_zgrat_v1 behavioral2/memory/3436-5-0x0000000004D80000-0x0000000004E23000-memory.dmp family_zgrat_v1 behavioral2/memory/3436-4-0x0000000004D80000-0x0000000004E23000-memory.dmp family_zgrat_v1 behavioral2/memory/3436-7-0x0000000004D80000-0x0000000004E23000-memory.dmp family_zgrat_v1 behavioral2/memory/3436-9-0x0000000004D80000-0x0000000004E23000-memory.dmp family_zgrat_v1 behavioral2/memory/3436-11-0x0000000004D80000-0x0000000004E23000-memory.dmp family_zgrat_v1 behavioral2/memory/3436-17-0x0000000004D80000-0x0000000004E23000-memory.dmp family_zgrat_v1 behavioral2/memory/3436-15-0x0000000004D80000-0x0000000004E23000-memory.dmp family_zgrat_v1 behavioral2/memory/3436-19-0x0000000004D80000-0x0000000004E23000-memory.dmp family_zgrat_v1 behavioral2/memory/3436-13-0x0000000004D80000-0x0000000004E23000-memory.dmp family_zgrat_v1 behavioral2/memory/3436-21-0x0000000004D80000-0x0000000004E23000-memory.dmp family_zgrat_v1 behavioral2/memory/3436-23-0x0000000004D80000-0x0000000004E23000-memory.dmp family_zgrat_v1 behavioral2/memory/3436-25-0x0000000004D80000-0x0000000004E23000-memory.dmp family_zgrat_v1 behavioral2/memory/3436-27-0x0000000004D80000-0x0000000004E23000-memory.dmp family_zgrat_v1 behavioral2/memory/3436-29-0x0000000004D80000-0x0000000004E23000-memory.dmp family_zgrat_v1 behavioral2/memory/3436-31-0x0000000004D80000-0x0000000004E23000-memory.dmp family_zgrat_v1 behavioral2/memory/3436-37-0x0000000004D80000-0x0000000004E23000-memory.dmp family_zgrat_v1 behavioral2/memory/3436-39-0x0000000004D80000-0x0000000004E23000-memory.dmp family_zgrat_v1 behavioral2/memory/3436-43-0x0000000004D80000-0x0000000004E23000-memory.dmp family_zgrat_v1 behavioral2/memory/3436-47-0x0000000004D80000-0x0000000004E23000-memory.dmp family_zgrat_v1 behavioral2/memory/3436-51-0x0000000004D80000-0x0000000004E23000-memory.dmp family_zgrat_v1 behavioral2/memory/3436-53-0x0000000004D80000-0x0000000004E23000-memory.dmp family_zgrat_v1 behavioral2/memory/3436-49-0x0000000004D80000-0x0000000004E23000-memory.dmp family_zgrat_v1 behavioral2/memory/3436-55-0x0000000004D80000-0x0000000004E23000-memory.dmp family_zgrat_v1 behavioral2/memory/3436-59-0x0000000004D80000-0x0000000004E23000-memory.dmp family_zgrat_v1 behavioral2/memory/3436-61-0x0000000004D80000-0x0000000004E23000-memory.dmp family_zgrat_v1 behavioral2/memory/3436-63-0x0000000004D80000-0x0000000004E23000-memory.dmp family_zgrat_v1 behavioral2/memory/3436-57-0x0000000004D80000-0x0000000004E23000-memory.dmp family_zgrat_v1 behavioral2/memory/3436-65-0x0000000004D80000-0x0000000004E23000-memory.dmp family_zgrat_v1 behavioral2/memory/3436-45-0x0000000004D80000-0x0000000004E23000-memory.dmp family_zgrat_v1 behavioral2/memory/3436-67-0x0000000004D80000-0x0000000004E23000-memory.dmp family_zgrat_v1 behavioral2/memory/3436-41-0x0000000004D80000-0x0000000004E23000-memory.dmp family_zgrat_v1 behavioral2/memory/3436-35-0x0000000004D80000-0x0000000004E23000-memory.dmp family_zgrat_v1 behavioral2/memory/3436-33-0x0000000004D80000-0x0000000004E23000-memory.dmp family_zgrat_v1 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Bank_Confirmation.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Control Panel\International\Geo\Nation Bank_Confirmation.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Bank_Confirmation.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pdf = "C:\\Users\\Admin\\AppData\\Roaming\\pdf.exe" Bank_Confirmation.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Bank_Confirmation.exedescription pid process target process PID 3436 set thread context of 4372 3436 Bank_Confirmation.exe Bank_Confirmation.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
Processes:
ipconfig.exeipconfig.exepid process 2716 ipconfig.exe 4212 ipconfig.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
Bank_Confirmation.exepowershell.exemsedge.exemsedge.exeBank_Confirmation.exeidentity_helper.exepid process 3436 Bank_Confirmation.exe 3672 powershell.exe 3672 powershell.exe 3616 msedge.exe 3616 msedge.exe 2924 msedge.exe 2924 msedge.exe 4372 Bank_Confirmation.exe 4372 Bank_Confirmation.exe 4372 Bank_Confirmation.exe 2372 identity_helper.exe 2372 identity_helper.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes:
msedge.exepid process 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
Bank_Confirmation.exepowershell.exeBank_Confirmation.exedescription pid process Token: SeDebugPrivilege 3436 Bank_Confirmation.exe Token: SeDebugPrivilege 3672 powershell.exe Token: SeDebugPrivilege 4372 Bank_Confirmation.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
Processes:
msedge.exepid process 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
msedge.exepid process 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe 2924 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Bank_Confirmation.execmd.execmd.exepowershell.exemsedge.exedescription pid process target process PID 3436 wrote to memory of 3504 3436 Bank_Confirmation.exe cmd.exe PID 3436 wrote to memory of 3504 3436 Bank_Confirmation.exe cmd.exe PID 3436 wrote to memory of 3504 3436 Bank_Confirmation.exe cmd.exe PID 3504 wrote to memory of 2716 3504 cmd.exe ipconfig.exe PID 3504 wrote to memory of 2716 3504 cmd.exe ipconfig.exe PID 3504 wrote to memory of 2716 3504 cmd.exe ipconfig.exe PID 3436 wrote to memory of 3672 3436 Bank_Confirmation.exe powershell.exe PID 3436 wrote to memory of 3672 3436 Bank_Confirmation.exe powershell.exe PID 3436 wrote to memory of 3672 3436 Bank_Confirmation.exe powershell.exe PID 3436 wrote to memory of 3780 3436 Bank_Confirmation.exe cmd.exe PID 3436 wrote to memory of 3780 3436 Bank_Confirmation.exe cmd.exe PID 3436 wrote to memory of 3780 3436 Bank_Confirmation.exe cmd.exe PID 3780 wrote to memory of 4212 3780 cmd.exe ipconfig.exe PID 3780 wrote to memory of 4212 3780 cmd.exe ipconfig.exe PID 3780 wrote to memory of 4212 3780 cmd.exe ipconfig.exe PID 3672 wrote to memory of 2924 3672 powershell.exe msedge.exe PID 3672 wrote to memory of 2924 3672 powershell.exe msedge.exe PID 2924 wrote to memory of 1780 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 1780 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3132 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3616 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 3616 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 4468 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 4468 2924 msedge.exe msedge.exe PID 2924 wrote to memory of 4468 2924 msedge.exe msedge.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exe"C:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3436 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ipconfig /release2⤵
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Windows\SysWOW64\ipconfig.exeipconfig /release3⤵
- Gathers network information
PID:2716 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACcAaAB0AHQAcABzADoALwAvAGcAbwBvAGcAbABlAC4AYwBvAG0AJwA=2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://google.com/3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd620a46f8,0x7ffd620a4708,0x7ffd620a47184⤵PID:1780
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2224,10073214045048441226,8727874088357302916,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
PID:3616 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,10073214045048441226,8727874088357302916,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:24⤵PID:3132
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2224,10073214045048441226,8727874088357302916,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:84⤵PID:4468
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,10073214045048441226,8727874088357302916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:14⤵PID:116
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,10073214045048441226,8727874088357302916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:14⤵PID:2788
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,10073214045048441226,8727874088357302916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:14⤵PID:4324
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,10073214045048441226,8727874088357302916,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:84⤵PID:4460
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,10073214045048441226,8727874088357302916,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
PID:2372 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,10073214045048441226,8727874088357302916,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:14⤵PID:3780
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,10073214045048441226,8727874088357302916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:14⤵PID:3504
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,10073214045048441226,8727874088357302916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:14⤵PID:4980
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,10073214045048441226,8727874088357302916,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:14⤵PID:5096
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ipconfig /renew2⤵
- Suspicious use of WriteProcessMemory
PID:3780 -
C:\Windows\SysWOW64\ipconfig.exeipconfig /renew3⤵
- Gathers network information
PID:4212 -
C:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exeC:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4372
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2916
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:492
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
927B
MD5ef1b4e3bfd6facbbb8d6a12f5f5e32de
SHA18f3ef66bf86f1697c520303c78b11d58165d146f
SHA256c652040e1a2f251b1b9e69419d6a53a91e850ea48491b3c54c2ff4a4a2907cd1
SHA512b6329c2a18217008c5e3544313cd1c7135468c5fb45e5104b9fa2f55a1f14804e66b6b9afcaa8e813cb522f536c06dba32f3afd469c4958a7c57d7df4c0e7315
-
Filesize
152B
MD5a556bb6f129e6bd2dcfb5e29b7483f3c
SHA154f04d95d772d4837334739544f6871c10f24110
SHA256c88e30f34c1dd579de34700a10a25c92e55f09b47be34ef7742a01aea47f222c
SHA512405908519a2b51c42c380ebb160557fb551bbec0c015c7a6fa61acc01eaa32a6ae20895aeaa1879a4aea3b0cc6ec1754d30610a3e343105a0ea4350156a6fb2d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize192B
MD57d146a03a51490c64385d5259fc60515
SHA1e5c4206eea81c737e7f3532da6df7b8102f7e806
SHA256987fee1e9289dd54ad3d72f6b622fcd4466a372422535b9b2faa869e37e20154
SHA512ce7960c5f5bb2e6a9156eb488b165d1e424511bf7504c394d6dc6f6fc08f06007b5ae1dd81fe43a6efda492101fc7fdb3989a6823ddabc787d3d1dca3a851c18
-
Filesize
1KB
MD51f683193c6316e43242f6c8b4d791f34
SHA15a19f4d2f44cb405276ae484156bd3a447ca6c57
SHA25696a7a9a9a80e47768538e6cbb46aeb2e1c5deafd2983039acdc8914b6032d34e
SHA5129e279bdf41c0d498def97d5a46105a599937e1b18962177473388a12f06d467b936cfac790d89e8eedd30b540356380748278ef7e516b83bae8d2ee0c3e788b1
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
5KB
MD5ba5c88eeea0e1f99e3bf1926d940147d
SHA128245a63c7c71f64b6fde4e73bf6524a71b6074e
SHA256ab094293619f003e7f1b414ecbc7f6c0d75b743fddaf09741dd1720c45f93bdf
SHA51268825dd23dd556112fcf4434d4d84261a49979ac6ee943467aad49ea39cb733413f4131d08f7ed2ae5b2e9a42a81260f259c251b9f3f9b1ac72e64d6f423d41b
-
Filesize
5KB
MD5ed55e21a0e775ecd5588882825314498
SHA11f30439a36345681e2f9881e581b8b5ef6367068
SHA256f7a31f9ac36ade75fcdcc0230b38b3cf7515e75cac01cc2a3921a4dc821e7101
SHA5128bf244b537b3044ca7cbd36259e5686f6bcfb8829a0e7a1a39d35bcadda18113283cd17d321f0d61dc30e8f7fa3d740d5fc0405be6b326c9ddffbe152c8078ed
-
Filesize
24KB
MD5aa3db81e5ed16930c40f0a83dd947008
SHA1594657b7812f4eb6b515b885f6004c366f38d1cf
SHA256becaf8dcc2fd6c3fade9787edc3848cc901fd0690a4b9e1dd29ca24e1449bd71
SHA512faef7417672e0919285c95e480226b82d7272a5057ed8342557bd995631d5332f497b82ffd1f5577d37e8972ef4b30c6441974b2197df1dc19bb1a4cf907e4c2
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5f53516c505f3d66fa0564f98bbe51606
SHA1ac27ae52faf442a75eb4f21e8075598a3d762610
SHA256546262fb7d768fe9704ff6b866d89a55f5d5ff8bb227359085025cda9bfb0053
SHA512d7969b9558e19257efd03dd9078e736841b5190d00ab6fa0df2e3bdc89e893fb0f830fc6e2083057be5c6f1cdbdd387998db825448ad3a8db129ca33cfaab8cb
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e