275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f

Analysis

max time kernel
34s
max time network
43s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21-02-2024 14:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eicar.com.txt
Size

68B
MD5

44d88612fea8a8f36de82e1278abb02f
SHA1

3395856ce81f2b7382dee72602f798b642f14140
SHA256

275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f
SHA512

cc805d5fab1fd71a4ab352a9c533e65fb2d5b885518f4e565e68847223b8e6b85cb48f3afad842726d99239c9e36505c64b0dc9a061d9e507d833277ada336ab

Score

1^/10

Malware Config

Signatures

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4452	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3040	msedge.exe
3040	msedge.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4452	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 772	4924	msedge.exe	96
PID 4924 wrote to memory of 772	4924	msedge.exe	96
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3740	4924	msedge.exe	98
PID 4924 wrote to memory of 3040	4924	msedge.exe	97
PID 4924 wrote to memory of 3040	4924	msedge.exe	97
PID 4924 wrote to memory of 4104	4924	msedge.exe	99
PID 4924 wrote to memory of 4104	4924	msedge.exe	99
PID 4924 wrote to memory of 4104	4924	msedge.exe	99
PID 4924 wrote to memory of 4104	4924	msedge.exe	99
PID 4924 wrote to memory of 4104	4924	msedge.exe	99
PID 4924 wrote to memory of 4104	4924	msedge.exe	99
PID 4924 wrote to memory of 4104	4924	msedge.exe	99
PID 4924 wrote to memory of 4104	4924	msedge.exe	99
PID 4924 wrote to memory of 4104	4924	msedge.exe	99
PID 4924 wrote to memory of 4104	4924	msedge.exe	99
PID 4924 wrote to memory of 4104	4924	msedge.exe	99
PID 4924 wrote to memory of 4104	4924	msedge.exe	99
PID 4924 wrote to memory of 4104	4924	msedge.exe	99
PID 4924 wrote to memory of 4104	4924	msedge.exe	99
PID 4924 wrote to memory of 4104	4924	msedge.exe	99
PID 4924 wrote to memory of 4104	4924	msedge.exe	99
PID 4924 wrote to memory of 4104	4924	msedge.exe	99
PID 4924 wrote to memory of 4104	4924	msedge.exe	99
PID 4924 wrote to memory of 4104	4924	msedge.exe	99
PID 4924 wrote to memory of 4104	4924	msedge.exe	99

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\eicar.com.txt
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:4452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault1c30c986h5933h45b1h9c57h1252dfa393fe
1⤵
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff9d66f46f8,0x7ff9d66f4708,0x7ff9d66f4718
  2⤵
  PID:772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,1635570956935645030,5218439010857844941,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,1635570956935645030,5218439010857844941,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,1635570956935645030,5218439010857844941,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
  2⤵
  PID:4104

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOffDevicePortal
1⤵
PID:2456

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOffDevicePortal
1⤵
PID:4960

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
854f73d7b3f85bf181d2f2002afd17db

SHA1
53e5e04c78d1b81b5e6c400ce226e6be25e0dea8

SHA256
54c176976e1c56f13af90be9b8b678f17f36a943210a30274be6a777cf9a8dc4

SHA512
de14899cfaad4c312804a7fe4dcb3e9221f430088cb8bf5a9b941ac392a0bbad4e6ca974e258e34617bbffff3bf6490fa90d8c6921616f44186e267ddaa02971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c1ac14f6cd19a96be339446f8b02d8b9

SHA1
3cb6b9a5521ac74fb0c6e4d83863372ba75a0c9f

SHA256
64ab493f5c00bf9544a1ee5e0bbb8c921f6064bb4b342d2fee5eeccad972220d

SHA512
631ad1f55509638a6278a3aebc2b6cf765db8dfe7fddf14a3e99e029d7791d67fd3329a62b97f2c78351ae8fcc1664d0ad7247dad12ed9a2c893305a2b74debd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
cdddbc8c0e348aa74c646ecdfa613241

SHA1
9f713a5d35559d99392f31a07c26f8f0a37f1ee0

SHA256
937d50736946d25bd2a95880f9b11d2659484b1ac56c7440b3b22817860c7e85

SHA512
d5cbaba24d577b7950118d1e674b3aca7579e65851112d7c0dc05dac2735f9c4bcea21e575b7cf9fb4b606c7ed3c2411866c2e04ad6ccef3ffba67a17f7f99b2

Download Submit