Analysis
max time kernel: 148s
max time network: 87s
platform: windows10-2004_x64
resource: win10v2004-20231130-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-12-2023 14:12
Static task: static1
Behavioral task: behavioral1 (sample Bank_Confirmation.exe, resource win7-20231023-en)
Behavioral task: behavioral2 (sample Bank_Confirmation.exe, resource win10v2004-20231130-en)
The signatures, process tree and downloads below come from behavioral2, the Windows 10 run (the memory-dump paths are prefixed behavioral2/).
General
Target: Bank_Confirmation.exe
Size: 882KB
MD5: f82b121e447bb312a0c383d78a90490f
SHA1: a2570c68231136bb0d7b260f906d1e5a78c25f48
SHA256: d61fdb59b0176c8e329052c1b577dd366f17f206b79769bf3ae56ed6d52575de
SHA512: cfcf833f59f3f47aea75ea62b79d5ca57fcad8e56943bb60cd4af0212baf3c6720d9f991a3dd8964a9e272b2b82f0416fa5d06988e90dc9fda2a0e56d649dc31
SSDEEP: 12288:r6zcyAwHWZJOLMZ7vgg24T4xT0Wm6y7+uSm0POeB83mAQuaPc19LW1lVmt1XS/2E:r6TH2gK0xxm64+ut1F2fuaG35Cy
Malware Config
Extracted
Family: agenttesla
Protocol: smtp
Host: mail.bezzleauto.com
Port: 587
Username: [email protected]
Password: kex#-rHjHM4qKk52
Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a .NET remote access tool (RAT) and information stealer, commonly described as written in Visual Basic. It harvests stored credentials from browsers, email clients and FTP clients (see the "Reads user/profile data" signatures below) and, per the configuration extracted from this sample, exfiltrates over SMTP to mail.bezzleauto.com:587.
- Detect ZGRat V1 (34 IoCs)
  Processes: Bank_Confirmation.exe (PID 2828)
  All 34 hits are YARA rule family_zgrat_v1 matching memory dumps of PID 2828 (behavioral2/memory/2828-N-<range>-memory.dmp). The first dump (N=2) covers 0x00000000059A0000-0x0000000005A48000; the other 33 (N = 4, 5 and every odd N from 7 to 67) all cover 0x00000000059A0000-0x0000000005A43000, i.e. the same in-memory region matched repeatedly over the life of the process. The extracted configuration is the stronger attribution signal; a YARA hit on an in-memory region can also come from a shared loader or packer stage.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes: Bank_Confirmation.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Control Panel\International\Geo\Nation (Bank_Confirmation.exe)
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: Bank_Confirmation.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pdf = "C:\\Users\\Admin\\AppData\\Roaming\\pdf.exe" (Bank_Confirmation.exe)
- Suspicious use of SetThreadContext (1 IoC)
  PID 2828 (Bank_Confirmation.exe) set thread context of PID 3520 (Bank_Confirmation.exe)
  PID 3520 is a second instance of the sample's own executable started by PID 2828 (see the process tree). A parent re-launching its own image and then setting a thread context in it is consistent with process hollowing / RunPE, where the payload is unpacked into a suspended copy; the SeDebugPrivilege and EnumeratesProcesses hits on PID 3520 would then be the unpacked payload's activity.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: msedge.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
  All three hits are from msedge.exe, which the sample launched via PowerShell, not from Bank_Confirmation.exe itself.
- Gathers network information (2 TTPs, 2 IoCs)
  Uses a command-line utility to view network configuration.
  Processes: ipconfig.exe (PID 1936), ipconfig.exe (PID 3144)
  Both are launched through cmd.exe by the sample: ipconfig /release (PID 1936) followed by ipconfig /renew (PID 3144). That pair drops and re-acquires the DHCP lease rather than merely viewing the configuration.
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes and hit counts: 2828 Bank_Confirmation.exe (1), 4544 powershell.exe (2), 3044 msedge.exe (2), 1064 msedge.exe (2), 3520 Bank_Confirmation.exe (3), 1956 identity_helper.exe (2)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
  Processes: 1064 msedge.exe (9 hits)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, PID 2828 Bank_Confirmation.exe
  Token: SeDebugPrivilege, PID 4544 powershell.exe
  Token: SeDebugPrivilege, PID 3520 Bank_Confirmation.exe
- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes: 1064 msedge.exe (25 hits)
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes: 1064 msedge.exe (24 hits)
  Both of these, like the NtCreateUserProcessBlockNonMicrosoftBinary hits, are attributed solely to the Edge browser process the sample opened, not to Bank_Confirmation.exe.
- Suspicious use of WriteProcessMemory (64 IoCs shown)
  Processes: Bank_Confirmation.exe, cmd.exe, cmd.exe, powershell.exe, msedge.exe
  Source PID -> target PID (source process -> target process): hits
  2828 -> 1012 (Bank_Confirmation.exe -> cmd.exe): 3
  1012 -> 1936 (cmd.exe -> ipconfig.exe): 3
  2828 -> 4544 (Bank_Confirmation.exe -> powershell.exe): 3
  2828 -> 4784 (Bank_Confirmation.exe -> cmd.exe): 3
  4784 -> 3144 (cmd.exe -> ipconfig.exe): 3
  4544 -> 1064 (powershell.exe -> msedge.exe): 2
  1064 -> 5028 (msedge.exe -> msedge.exe): 2
  1064 -> 1572 (msedge.exe -> msedge.exe): 40
  1064 -> 3044 (msedge.exe -> msedge.exe): 2
  1064 -> 2220 (msedge.exe -> msedge.exe): 3
  Every pair is a parent writing into a child it has just created, which CreateProcess does while setting up the new process; on their own these entries are a fingerprint of the process tree, not evidence of injection. No write into PID 3520 appears among the 64 listed entries.
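The two findings a responder would act on from the signatures above are the self-injection (PID 2828 setting the thread context of its own re-launched image, PID 3520) and the Run-key persistence into AppData. The script below is an added example, not part of the sandbox report or its tooling: it re-derives both from raw event records. The records are constructed by hand from the report's process tree and its SetThreadContext, WriteProcessMemory and "Adds Run key" sections; the record layout and function names are this example's own, not the sandbox's API.

```python
"""Re-derive two findings of the report above from raw event records.

Added example, not part of the sandbox report or its tooling. The records
below are constructed by hand from the report's process tree and its
SetThreadContext, WriteProcessMemory and "Adds Run key" sections; the record
layout and the function names are this example's own, not the sandbox's API.
"""
import re
from typing import Dict, List, Tuple

# Constructed from the process tree: pid -> image path, pid -> parent pid.
PROCESSES: Dict[int, str] = {
    2828: r"C:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exe",
    1012: r"C:\Windows\SysWOW64\cmd.exe",
    1936: r"C:\Windows\SysWOW64\ipconfig.exe",
    4544: r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    1064: r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
    3520: r"C:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exe",
}
PARENT: Dict[int, int] = {1012: 2828, 1936: 1012, 4544: 2828, 1064: 4544, 3520: 2828}

# Constructed cross-process API events: (api, source pid, target pid).
EVENTS: List[Tuple[str, int, int]] = [
    ("WriteProcessMemory", 2828, 1012),
    ("WriteProcessMemory", 1012, 1936),
    ("WriteProcessMemory", 2828, 4544),
    ("WriteProcessMemory", 4544, 1064),
    ("SetThreadContext", 2828, 3520),
]

# Constructed registry writes: (key path, string data, writing pid).
REGISTRY_SETS: List[Tuple[str, str, int]] = [
    (r"\REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000"
     r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pdf",
     r"C:\Users\Admin\AppData\Roaming\pdf.exe", 2828),
]


def find_self_injection(processes: Dict[int, str], parent: Dict[int, int],
                        events: List[Tuple[str, int, int]]) -> List[Tuple[int, int, str]]:
    """Flag SetThreadContext into a child that runs the caller's own image.

    Parent-to-child WriteProcessMemory on its own is unremarkable: CreateProcess
    writes into every child it sets up, which is why the report lists such
    writes for the cmd.exe and msedge.exe children too. A parent that
    re-launches its own executable and then sets a thread context inside it is
    the hollowing / RunPE shape (child created suspended, image replaced, new
    entry point installed via SetThreadContext), so the image-path match plus
    the SetThreadContext call are the discriminators used here.
    """
    hits = []
    for api, src, dst in events:
        if api != "SetThreadContext":
            continue
        same_image = processes.get(src, "").lower() == processes.get(dst, "").lower()
        if parent.get(dst) == src and same_image:
            hits.append((src, dst, processes[dst]))
    return hits


# Autorun value under ...\CurrentVersion\Run or RunOnce; group 2 is the value name.
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.IGNORECASE)
# Directories a standard user can write to without elevation.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Public|ProgramData|Downloads)\\", re.IGNORECASE)


def find_user_run_persistence(registry_sets: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int]]:
    """Flag Run/RunOnce values whose target lives in a user-writable directory.

    Returns (value name, target path, writing pid). An autorun pointing into
    AppData or Temp was planted by something that never went through an
    installer, which is the persistence pattern the report records here.
    """
    hits = []
    for key, data, pid in registry_sets:
        m = RUN_KEY.search(key)
        if m and USER_WRITABLE.search(data):
            hits.append((m.group(2), data, pid))
    return hits


if __name__ == "__main__":
    for src, dst, image in find_self_injection(PROCESSES, PARENT, EVENTS):
        print(f"self-injection: PID {src} -> PID {dst} ({image})")
    for name, target, pid in find_user_run_persistence(REGISTRY_SETS):
        print(f"persistence: ...\\Run\\{name} = {target} (set by PID {pid})")
```

Run it as-is and it reports the 2828 -> 3520 pair and the Run\pdf value. The image-path comparison is what keeps the PowerShell -> msedge.exe edge out of the result: that is a normal launch, and a SetThreadContext there would still deserve a look, but it is not the self-hollowing pattern this report shows.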
Processes
One entry per process, nested under its parent, with the signature hits attributed to it. cmd.exe, ipconfig.exe and powershell.exe were invoked by their System32 paths but resolved to C:\Windows\SysWOW64, so the sample is a 32-bit image running under WoW64 (matching the arch:x86 resource tag). The base64 argument to powershell.exe is UTF-16LE text and decodes to Start-Process 'https://google.com', which is what starts the msedge.exe subtree.

- C:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exe (PID 2828)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1012)
    Command line: "C:\Windows\System32\cmd.exe" /c ipconfig /release
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\ipconfig.exe (PID 1936)
      Command line: ipconfig /release
      Signatures: Gathers network information
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4544)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACcAaAB0AHQAcABzADoALwAvAGcAbwBvAGcAbABlAC4AYwBvAG0AJwA=
    Decoded -enc argument: Start-Process 'https://google.com'
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1064)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://google.com/
      Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3044)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,11141261262085209160,12899308913404607548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
        Signatures: Suspicious behavior: EnumeratesProcesses
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1572)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,11141261262085209160,12899308913404607548,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2220)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,11141261262085209160,12899308913404607548,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4528)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,11141261262085209160,12899308913404607548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1816)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,11141261262085209160,12899308913404607548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1956)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,11141261262085209160,12899308913404607548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4196 /prefetch:8
        Signatures: Suspicious behavior: EnumeratesProcesses
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4340)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,11141261262085209160,12899308913404607548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4196 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1368)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,11141261262085209160,12899308913404607548,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2856)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,11141261262085209160,12899308913404607548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5104)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,11141261262085209160,12899308913404607548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1356)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,11141261262085209160,12899308913404607548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4148)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,11141261262085209160,12899308913404607548,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4100)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,11141261262085209160,12899308913404607548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3780)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,11141261262085209160,12899308913404607548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1740 /prefetch:1
  - C:\Windows\SysWOW64\cmd.exe (PID 4784)
    Command line: "C:\Windows\System32\cmd.exe" /c ipconfig /renew
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\ipconfig.exe (PID 3144)
      Command line: ipconfig /renew
      Signatures: Gathers network information
  - C:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exe (PID 3520)
    Command line: C:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exe
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5028)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff4c1d46f8,0x7fff4c1d4708,0x7fff4c1d4718
- C:\Windows\System32\CompPkgSrv.exe (PID 4852)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 2252)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
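The powershell.exe entry in the tree carries its payload as an -enc argument, and recovering that text is the first thing to do with any such command line. The script below is an added example, not part of the sandbox report: it pulls the blob off the command line, accepting the abbreviated switch forms powershell.exe resolves (-e, -ec, -enc, ... up to -EncodedCommand), base64-decodes it and decodes the result as UTF-16LE, then lists the cmdlets in it that turn a one-liner into a launcher or download cradle. The command line is copied from the report; the function names and the NOTABLE list are this example's own choices.

```python
"""Decode the -enc argument on the powershell.exe command line above.

Added example, not part of the sandbox report. powershell.exe's
-EncodedCommand takes base64 of the script text encoded as UTF-16LE, and the
parameter name can be abbreviated to any unambiguous prefix (-e, -ec, -enc,
...), which loaders use to dodge naive "-EncodedCommand" string matches. The
command line is copied from the report; the function names and the NOTABLE
list of cmdlets worth flagging are this example's own choices.
"""
import base64
import re
from typing import List, Optional, Tuple

# Copied verbatim from the report's process tree (PID 4544).
SAMPLE_CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc '
    "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACcAaAB0AHQAcABzADoALwAvAGcAbwBvAGcAbABlAC4AYwBvAG0AJwA="
)

# Every prefix of "encodedcommand" that powershell.exe resolves, plus its -ec alias.
# "ex..." is not a prefix of it, so -ExecutionPolicy is never mistaken for it.
ENC_FLAGS = {"encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1)} | {"ec"}

# Cmdlets and .NET calls that turn a one-liner into a launcher or download cradle.
NOTABLE = re.compile(
    r"\b(Start-Process|Invoke-WebRequest|Invoke-Expression|IEX|DownloadString|"
    r"DownloadFile|Add-MpPreference)\b", re.IGNORECASE)


def extract_encoded(cmdline: str) -> Optional[str]:
    """Return the base64 blob following an -EncodedCommand-style switch, or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith("-") and tok[1:].lower() in ENC_FLAGS:
            return tokens[i + 1].strip("\"'")
    return None


def decode_encoded_command(blob: str) -> str:
    """Base64-decode, then UTF-16LE-decode: the inverse of what the dropper did.

    Padding is restored before decoding for analyst convenience. PowerShell's
    own decoder (Convert.FromBase64String) is strict about padding, so the
    tolerance here exists only so that a mangled log line still yields text.
    """
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    return raw.decode("utf-16-le")


def triage_powershell(cmdline: str) -> Tuple[Optional[str], List[str]]:
    """Decode an encoded PowerShell command line and list the notable calls in it."""
    blob = extract_encoded(cmdline)
    if blob is None:
        return None, []
    script = decode_encoded_command(blob)
    found = sorted({m.group(1) for m in NOTABLE.finditer(script)}, key=str.lower)
    return script, found


if __name__ == "__main__":
    script, found = triage_powershell(SAMPLE_CMDLINE)
    print("decoded :", script)
    print("notable :", ", ".join(found) or "none")
```

For this sample the decoded text is Start-Process 'https://google.com', which hands the URL to the default browser and accounts for the entire msedge.exe subtree and every Edge-attributed signature hit in the report; the credential theft and SMTP exfiltration live in the hollowed second instance (PID 3520), not in this PowerShell.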
Downloads
- Filesize: 927B
  MD5: ef1b4e3bfd6facbbb8d6a12f5f5e32de
  SHA1: 8f3ef66bf86f1697c520303c78b11d58165d146f
  SHA256: c652040e1a2f251b1b9e69419d6a53a91e850ea48491b3c54c2ff4a4a2907cd1
  SHA512: b6329c2a18217008c5e3544313cd1c7135468c5fb45e5104b9fa2f55a1f14804e66b6b9afcaa8e813cb522f536c06dba32f3afd469c4958a7c57d7df4c0e7315
- Filesize: 152B
  MD5: 26f8219c59547d181c1f9070c2f5b050
  SHA1: cbe34c1b41c0d86e1dff1a0bd82b6c803085a39f
  SHA256: 3f534bb6f67e07afe3baf85bf750122c2e00b86df6aa258e5752dc6c946fc2d2
  SHA512: 1600ed7fb809d9f4fd571b99e606ac92f0054f684b6b7a3b72ede39d5edaf458cf551c568ca1bf967326bfbdaf2f7178906fb8d15d82c52049fb6c74205c9f92
- Filesize: 111B
  MD5: 285252a2f6327d41eab203dc2f402c67
  SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
- Filesize: 5KB
  MD5: 24f8e1716a642ab349484819545309b0
  SHA1: 8f1c32c022ea87d1471255d1fcf6cf307d216f9f
  SHA256: 87b1db9b0a51c5f03fce3850d057801d14f2bc819fd2e997630ff81494b62841
  SHA512: c47e86d935cf41851841631c824199bd2e1f736b7dd2d3ceb95d669dad8de61f7b6aa9767d56bf7d623fa1cfba22ce61c906a5fe31b9f995be4f7a7c9f11d45f
- Filesize: 5KB
  MD5: 6e73345284fdedc6290f2c7c8bcb94e1
  SHA1: ce5f0065d72fedfad59e707a75e7cb363195954a
  SHA256: b488449c89cb6fb533c6755ae89adc2ee17db835399b28daced68c787afe96c2
  SHA512: 2427bb84e59099a9fc5ce52c22b1493c755245df3066fdea5ee8259803e8721e6a7083d3ca2c0d33973268fb0e89e92cf16dcd71ac4a34c90f15cb0f987bac77
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 4KB
  MD5: c17d7456f262063e2272f9036b4e2255
  SHA1: 8ea34393e89f8fbfb44488c11fa8d23cb3fa0d7d
  SHA256: 3342a9d1141a1b183841b3ef88a60451b8fb76dd3277bbeecd9301601e84d8af
  SHA512: 25c983fc8505692680a5601493428dc1e5d5599cdb97fb3260042c68aefb64700843f3af5ada585da29c9248673299dcabf9bef7748a16667c01fed45f9c5a9d
- Filesize: 4KB
  MD5: 0bde16b857f2c16432b2322c552a6782
  SHA1: d6b30114021995ee64967fbb5c575a650334fb9a
  SHA256: 9da526217a9de5e33f992b04284805155bbc833839a62b57e02b75b67f50c9a5
  SHA512: 3368a4794af45920972f9c490165b3a2edf1cbdb4325c9ba39cb8ea4d83fa2eff2579d1bb521a0f7ee29e92815dad87c4df9ee560a31ca5f4fc30a45561f7169
- Filesize: 4KB
  MD5: f5e5d1daad319c3d5417eff56dec1230
  SHA1: b6edd727c28c13cc7bc25140514dd2bb679b61d5
  SHA256: e7b5b6ee6c869d23c30deb9bd459ab60319eacd290c7ccf7576bc7a7de66eb5d
  SHA512: 77bc3b99c2aeb2e7a4b029e1591e6923e805510d15e7d1b81ddcd69c05f933318b28d6a7d252df41068aa8509d15beab6ac5f249555aba490b58722bb6493130
- Filesize: 4KB
  MD5: 961d4df62bc45ee4b53e49b2ec9769e8
  SHA1: c765449c9aa330e1482f9d46358cf9d9e351a832
  SHA256: e796d63f5d50ea5d2be5200d31de90939f94aa1d81bf8a0866147ba1ea2f10e2
  SHA512: 8e88f52863f10cd85b37f1346eec4fae40447417b5868b76be1aaf53a0696107c1a29bbab5f8e27d3764a56ce41e69923e1e4d3a1e0f1bba0f4a7c6f7a36900e
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 0B (no size is shown for this entry; the four digests are the well-known hashes of empty input)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e