hxxps://cdn[.]discordapp[.]com/attachments/1207564743984808008/1207729237419761674/bean-battles-malware[.]7z[.]001?ex=65e0b480&is=65ce3f80&hm=d0af70e1e478bc4bbb63e4d0b5635dbd55e8ed8729e858e737a8ca179e7b20c2&

Analysis

max time kernel
98s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2024, 22:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1207564743984808008/1207729237419761674/bean-battles-malware.7z.001?ex=65e0b480&is=65ce3f80&hm=d0af70e1e478bc4bbb63e4d0b5635dbd55e8ed8729e858e737a8ca179e7b20c2&

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2012	7z2401-x64.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2401-x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	7z2401-x64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 21 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3791175113-1062217823-1177695025-1000\{9453AD2C-1288-4F10-9DAA-8AE1B3011857}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2401-x64.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 184151.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3324	msedge.exe
3324	msedge.exe
5100	msedge.exe
5100	msedge.exe
4944	identity_helper.exe
4944	identity_helper.exe
4780	msedge.exe
4780	msedge.exe
2344	msedge.exe
2344	msedge.exe
3196	msedge.exe
3196	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2012	7z2401-x64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 4116	5100	msedge.exe	85
PID 5100 wrote to memory of 4116	5100	msedge.exe	85
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 2844	5100	msedge.exe	88
PID 5100 wrote to memory of 3324	5100	msedge.exe	87
PID 5100 wrote to memory of 3324	5100	msedge.exe	87
PID 5100 wrote to memory of 2628	5100	msedge.exe	86
PID 5100 wrote to memory of 2628	5100	msedge.exe	86
PID 5100 wrote to memory of 2628	5100	msedge.exe	86
PID 5100 wrote to memory of 2628	5100	msedge.exe	86
PID 5100 wrote to memory of 2628	5100	msedge.exe	86
PID 5100 wrote to memory of 2628	5100	msedge.exe	86
PID 5100 wrote to memory of 2628	5100	msedge.exe	86
PID 5100 wrote to memory of 2628	5100	msedge.exe	86
PID 5100 wrote to memory of 2628	5100	msedge.exe	86
PID 5100 wrote to memory of 2628	5100	msedge.exe	86
PID 5100 wrote to memory of 2628	5100	msedge.exe	86
PID 5100 wrote to memory of 2628	5100	msedge.exe	86
PID 5100 wrote to memory of 2628	5100	msedge.exe	86
PID 5100 wrote to memory of 2628	5100	msedge.exe	86
PID 5100 wrote to memory of 2628	5100	msedge.exe	86
PID 5100 wrote to memory of 2628	5100	msedge.exe	86
PID 5100 wrote to memory of 2628	5100	msedge.exe	86
PID 5100 wrote to memory of 2628	5100	msedge.exe	86
PID 5100 wrote to memory of 2628	5100	msedge.exe	86
PID 5100 wrote to memory of 2628	5100	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1207564743984808008/1207729237419761674/bean-battles-malware.7z.001?ex=65e0b480&is=65ce3f80&hm=d0af70e1e478bc4bbb63e4d0b5635dbd55e8ed8729e858e737a8ca179e7b20c2&
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd67a746f8,0x7ffd67a74708,0x7ffd67a74718
  2⤵
  PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,16748450352162772311,4625488195980529374,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
  2⤵
  PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,16748450352162772311,4625488195980529374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,16748450352162772311,4625488195980529374,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,16748450352162772311,4625488195980529374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,16748450352162772311,4625488195980529374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:2444
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,16748450352162772311,4625488195980529374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,16748450352162772311,4625488195980529374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,16748450352162772311,4625488195980529374,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,16748450352162772311,4625488195980529374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:4236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2184,16748450352162772311,4625488195980529374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6052 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,16748450352162772311,4625488195980529374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2184,16748450352162772311,4625488195980529374,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5708 /prefetch:8
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,16748450352162772311,4625488195980529374,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:1752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,16748450352162772311,4625488195980529374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,16748450352162772311,4625488195980529374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,16748450352162772311,4625488195980529374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2184,16748450352162772311,4625488195980529374,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2184,16748450352162772311,4625488195980529374,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5556 /prefetch:8
  2⤵
  PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,16748450352162772311,4625488195980529374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:1
  2⤵
  PID:2004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,16748450352162772311,4625488195980529374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,16748450352162772311,4625488195980529374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1
  2⤵
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,16748450352162772311,4625488195980529374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2184,16748450352162772311,4625488195980529374,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3520 /prefetch:8
  2⤵
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2184,16748450352162772311,4625488195980529374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6796 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3196
- C:\Users\Admin\Downloads\7z2401-x64.exe
  "C:\Users\Admin\Downloads\7z2401-x64.exe"
  2⤵
  - Executes dropped EXE
  - Registers COM server for autorun
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4064

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bcaf436ee5fed204f08c14d7517436eb

SHA1
637817252f1e2ab00275cd5b5a285a22980295ff

SHA256
de776d807ae7f2e809af69746f85ea99e0771bbdaaed78a764a6035dabe7f120

SHA512
7e6cf2fdffdcf444f6ef4a50a6f9ef1dfb853301467e3f4784c9ee905c3bf159dc3ee9145d77dbf72637d5b99242525eb951b91c020e5f4e5cfcfd965443258c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\04b7f811-baa5-49a0-ab26-6a5e697a94b5.tmp

Filesize
5KB

MD5
0fb4c8b4c9e1e415a564ec79aa359c33

SHA1
975cff47f077d7252c185d1fcad1dba5c8648dad

SHA256
32601b6be52e2c5b5417662b94aba436763a0bd58fc1ae18e065ea26a6c1840d

SHA512
b85680ca1ccfbe91b9a9a6386fed4412093e06250e19c8a1b5d7d126171af1eef68b3452b05cae7f40f2668cfce0536cea8bb3df84dbe2bf6886bb893d0e440c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3962f7d717f6f387c21c9cee0dcfeb83

SHA1
72b673e172b65098d344b10b9dedbad35a8a504d

SHA256
d31264c2f50d5a099155ca30526b711301da228537ef058e0e2c4c7a419b0e93

SHA512
6eea82304b6ef6648bbf6ee8f034d6796510984e07bdd7ec07510fe5045b10a1e19b6836e992be92e75122ca25eac15ce4a68e9a63613d8a54dd6303c07ffd69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
626B

MD5
20495f755635bb59f1d5d6d8c2c6ec33

SHA1
f3fcca011418b5b644d85188cb877e6a990db5da

SHA256
a63250a52678a5a3640d419fa41278411d7bee0fa8059d168cb778eb72ca3b45

SHA512
eb10cc2dfd9d562927259da4d1e5aac64777284f22811704e8ac448e5bb3c8dcb94a488d6d41a727aed9a6930abaf409a79f9f9298f82e268e4dcae87c739477

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a887751e9bef7f86b83ef93e27d7c246

SHA1
c367aac7bb6e1203e7b6eaa41abd3e2e30e3072b

SHA256
0605e5007ad55f3a48a4c1dcdb75c19746b3a1a798e127872071eab3a1ec9613

SHA512
e769653b6732dd5d75c76abeb52cd9e4e841c56b6c0f1fb4f6b5c6f720abb764b5d3c4eb7c86378526b2a0aebba4cfcadb2ac55d9dd8d7669498efcec9432df2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
396823c7d84c5b3bd957a200ca20537d

SHA1
78d5146860a8db643fd189d79beac1b134e5cd1b

SHA256
0520d02f5761d7507f6c9142c1ab5643ee856cf589ba2b2b7875120f2f549549

SHA512
9c32218c2fabf6b34d3daad656b0ef98b57244594bc68e86e0fa1a10ca3ce2de9494747674099cddaafc7ed05b32e2e3007c29e54168c30c67d475f916497e07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a47c4ed5bfffea33cc3a50339b6ecd19

SHA1
75f61b4be4e510e155bb1dfdfecea85170f3d18f

SHA256
24227268f42217c1858b73fd5b07b238ba829d93fc5076c2ede0ea04327bb1e2

SHA512
4410a6a86303842555e8c2672c38e2cd1c1b5f079956b6d2853081af66c7f5cede75644f7739c219f18a780ebf1cb210ff9b8d915aba6271e820e17620fc68ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
b0ba6f0eee8f998b4d78bc4934f5fd17

SHA1
589653d624de363d3e8869c169441b143c1f39ad

SHA256
4b5ee509e727accbd11493dda2c1d512e7dbfaff66c4f5f7ea9c2d2ccd06151f

SHA512
e9a165da246c6b80fc38431538203cf03f95794184ff63f00c9500f8919a2028b803f64b670e685185eed72df0509e3185c9b434fdbf2bc7af36021d46bd08d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
70829a1d1f7e150c72291009f1011caa

SHA1
1ac6732b158822d48a5086e452707828e495b28e

SHA256
599565a2c7b471fd2f7d312127e1335a07515989524982ce41d9b7acaa93e994

SHA512
a4fab8276e3d45cb0df065e97372edd2f8db278b1476b4262f112c5b18b26c70532ce3eb779d70d2d39d97adfd8bac68c1a3ebc6bc4382a0c77946c5a8ff00f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a852f2b7760353654ab77134e508613f

SHA1
d931b6d488e41a26df17185e64121c4069684d19

SHA256
d86d6c5acbda884ffa331e4d7aff40967c4754c0f163774956f24e36d2694c8e

SHA512
cde4a6d6d3e5da9aaf466137887e39511d0514fe54c23fac2f4843e5170d2218e657ca3b714e3cccbeef69efee6b3af1054b11373c642a71d4aca767084487d0

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 184151.crdownload

Filesize
1.5MB

MD5
de644b4e1086f1315c422f359133543b

SHA1
54be86d121879b0e5d86604297c57a926d665fa8

SHA256
17a507cce4066c4be7db53d64d9a9e11dfecfd4f2411393690506e591b5895cd

SHA512
714d41254352d91834a4b648d613e9b4452b93b097b5781ec5bf3ec7c310a489d3a1c409b2f0a6946822b96f6943b579910d26a5f4324b320d485e856dbdcb1a

Download Submit
C:\Users\Admin\Downloads\bean-battles-malware.7z.001

Filesize
24.0MB

MD5
f7c44f0227ca463e42d7de02d053cea9

SHA1
9dc3e4569ad376cde806b02bc816104661df3899

SHA256
d30d4e0a01cca6767251507123643492bb6235928e1c7e0b8fb04c0b683d43f9

SHA512
919594c552070f2e64b5fced24af0f6a8951cb16097adc09bdcc10423a37795a4e890c66388dd3c4d2b8c7b0ff6b3a70826c3ff78ab25267ef2b71e4a728e263

Download Submit