32a2fdf66457a69b023a3fc8102b22f516527860b0d7e201b5bcfe8e353101f6

Analysis

max time kernel
7s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 07:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5ceeb666d873e799309cf0eb1a032375.exe
Size

23KB
MD5

5ceeb666d873e799309cf0eb1a032375
SHA1

82704f0fa3d31797ce255af089eb841d581347f7
SHA256

32a2fdf66457a69b023a3fc8102b22f516527860b0d7e201b5bcfe8e353101f6
SHA512

fbba83f440da9fef7f69ce91deecb39f007d9977d5c0f2513bdd1626d1d0f5b3d21c34669885e6885f36d15361736da9acc3354899e029887446b485b56fa50d
SSDEEP

384:uYH4AozzLBt9kyQJTL387ZYJLWHzbfCiqis9Qlcffyq6e8:szzFt9kyGTL3C0L4bfQisKl4qV

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 4784	396	5ceeb666d873e799309cf0eb1a032375.exe	99
PID 396 wrote to memory of 4784	396	5ceeb666d873e799309cf0eb1a032375.exe	99
PID 4784 wrote to memory of 3228	4784	msedge.exe	98
PID 4784 wrote to memory of 3228	4784	msedge.exe	98
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1200	4784	msedge.exe	106
PID 4784 wrote to memory of 1272	4784	msedge.exe	100
PID 4784 wrote to memory of 1272	4784	msedge.exe	100

C:\Users\Admin\AppData\Local\Temp\5ceeb666d873e799309cf0eb1a032375.exe
"C:\Users\Admin\AppData\Local\Temp\5ceeb666d873e799309cf0eb1a032375.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=5ceeb666d873e799309cf0eb1a032375.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,3647260815621019401,5409740861845216431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
    3⤵
    PID:1272
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,3647260815621019401,5409740861845216431,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
    3⤵
    PID:4820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3647260815621019401,5409740861845216431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
    3⤵
    PID:3224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3647260815621019401,5409740861845216431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
    3⤵
    PID:5016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,3647260815621019401,5409740861845216431,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
    3⤵
    PID:1200
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3647260815621019401,5409740861845216431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
    3⤵
    PID:5068
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,3647260815621019401,5409740861845216431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
    3⤵
    PID:4044
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,3647260815621019401,5409740861845216431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
    3⤵
    PID:2144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3647260815621019401,5409740861845216431,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
    3⤵
    PID:3260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3647260815621019401,5409740861845216431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
    3⤵
    PID:4708
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3647260815621019401,5409740861845216431,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
    3⤵
    PID:5264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3647260815621019401,5409740861845216431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
    3⤵
    PID:5256
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3647260815621019401,5409740861845216431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
    3⤵
    PID:5540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3647260815621019401,5409740861845216431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
    3⤵
    PID:5616
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,3647260815621019401,5409740861845216431,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5892 /prefetch:2
    3⤵
    PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=5ceeb666d873e799309cf0eb1a032375.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
  2⤵
  PID:5456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0x100,0x104,0xfc,0x108,0x7ffca19846f8,0x7ffca1984708,0x7ffca1984718
1⤵
PID:3228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffca19846f8,0x7ffca1984708,0x7ffca1984718
1⤵
PID:5476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1386433ecc349475d39fb1e4f9e149a0

SHA1
f04f71ac77cb30f1d04fd16d42852322a8b2680f

SHA256
a7c79320a37d3516823f533e0ca73ed54fc4cdade9999b9827d06ea9f8916bbc

SHA512
fcd5449c58ead25955d01739929c42ffc89b9007bc2c8779c05271f2d053be66e05414c410738c35572ef31811aff908e7fe3dd7a9cef33c27acb308a420280e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
3b783d315424275d04b2d67524bafa93

SHA1
9d09f6183d32e42406373e7ebcfa1de70858719f

SHA256
c0cf775bf55e8d35eee5a2882b3e8ef2b8675b63cea994ec8d54eaeb6340ee49

SHA512
be9a86673e5318d37ff670ecbe25e886975e11f22c7670300f70a79fdfaaede2c379c5fd116a7de13457f42d2081cc8d962f389872e32a66f732abfe5ba3e8c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bcd9f18c34926d0a1252116427292095

SHA1
2fb6101aaaaafe5a3b4e9cbe123d6f63b51e1b50

SHA256
8b67e1cc1266e7d668bff98bbfb5ad0725af95bd60dae6457e23ff26d2bea46c

SHA512
266e81e537f2294d89ac76c817eb9749bb228d3bcdbaaffb9578d4b2183bffa545605e96d40eac58968a48eb22552d3945e58aade435c21be80a216e10d19999

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e664066e3aa135f185ed1c194b9fa1f8

SHA1
358ff3c6ad0580b8ae1e5ef2a89a4e597c2efdc5

SHA256
86e595be48dbc768a52d7ea62116036c024093e1302aced8c29dd6a2d9935617

SHA512
58710818b5f664006a5aa418da6c8cd3f709c2265bc161f81b9dfe6cdb8304fabaa4ce9deba419fe4281623feeeaa0321f481ae5855d347c6d8cf95968ee905e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
e78b83446f5a4f62c40db47247407e3a

SHA1
f9f9169725811518ae7542941fbc884aff5261ad

SHA256
ddcab7ca050af85c2616114e051f9c35e524cd5e8815528282a6b17d1fada891

SHA512
1f981d74fddced76b8898107563504e06778c061ecf29c85c91010744751496958b8ba3399ce8d3d46ccc30e17357a024a480fd74cbfbcd1041c24ee74522454

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c8fd.TMP

Filesize
203B

MD5
5c2630c146b74fbaa55345002487acf1

SHA1
e3ed1c1319726c3fa63820748533f6cd1034fc58

SHA256
1b2b782bebbba9afc40b35dae4852d1206d9d20ef4c1a8f545e90bf715b6396c

SHA512
a4958dc43ca26e77379f0f3fd3f5d3892c9097b7253033dabb48ab2a5cbc41fc554ee20c1d28d729b99eb82e64558004300edc69e13eb8b0ed42dd05c40daf51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ced8eb2b-3991-476a-b4bc-fa75d3807ffc.tmp

Filesize
5KB

MD5
a0533c5efda28e631fc8ea7d2135d939

SHA1
bf2920872beace3cb072a5dbe15b5e292617102c

SHA256
683b1d1ffbcb0c2f0887e39633db45ca39abac93375a859251f673d667ddd06f

SHA512
817429057c3f862f59182d6f633a8c92e73505682396a9d435b7b8d48d69ee60e80ad6b7403f8ffa245c743c69ce63c52a916a83dec35d9cb93d72070e00df43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4e550f30c86dffc2b4cebc4d1ff729e6

SHA1
1c627e458ca1067a9977b6da587d66ec704de220

SHA256
e6b31758dc87262025ea9eb07e2d7b2f5a453285e1d97176ab4d75c265508ed5

SHA512
3bf418046acfa0c9a8131e29568ae6c30a3bafa8c56706c67ee6024af2e4e4325cda38cd75f6dad9371abc9aa4f23eb8639c8282ac98b8315d3f797930934389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1621e639aadd86364dcac8a4c955b538

SHA1
6e478730d86b1b92d111ddaaf1d5667229229f31

SHA256
8a5cae622a14246b6ffba6c2db7e605112f30bfeead4739afa9d06951792f731

SHA512
f39076a7bf0d416669badb286d4814ebd1b576e3b653fe3c33d6bd50f33c4a15647f102979305233f7cc9894fd4c24430107fa0f24b94a1ccbb1e609151d79ec

Download Submit