Resubmissions
19-12-2024 08:32
241219-kfqvbsxmgl 1019-12-2024 08:29
241219-kd1azswrh1 1019-12-2024 08:22
241219-j9qkzsxkhl 1019-12-2024 08:18
241219-j7clcaxkbl 619-12-2024 08:10
241219-j2wf9swmgz 719-12-2024 07:51
241219-jqbbyswnbq 819-12-2024 07:51
241219-jp8aaswnbm 319-12-2024 07:46
241219-jmcqlswmcm 319-12-2024 07:46
241219-jl6bjavrby 319-12-2024 07:46
241219-jlylpavray 3Analysis
-
max time kernel
200s -
max time network
207s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
-
submitted
07-03-2024 11:20
General
-
Target
b28242123ed2cf6000f0aa036844bd29.dll
-
Size
87KB
-
MD5
b28242123ed2cf6000f0aa036844bd29
-
SHA1
915f41a6c59ed743803ea0ddde08927ffd623586
-
SHA256
fd563cf7c0c862ab910cf558b5a123354b616e84902d277edf09f378ff6f9786
-
SHA512
08e5966ca90f08c18c582e6c67d71186a6f9c025fc9f78020e1ce202814de094171111b7f3623d81f7371acdf92206446f7c0425e08e8f5f5b6fd969007d9fca
-
SSDEEP
1536:0A1KsVHBnVJ0T1rFTQHUPx+nVP7ZSRILMZoXyqqEbzPCAdt6rFTc:0A1rVIrFTOUsnVP7sRILgAPCvrFTc
Malware Config
Signatures
-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 6 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Modifies registry class 2 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
NTFS ADS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\b28242123ed2cf6000f0aa036844bd29.dll1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\b28242123ed2cf6000f0aa036844bd29.dll2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 4563⤵
- Program crash
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7fff74fa3cb8,0x7fff74fa3cc8,0x7fff74fa3cd81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff74fa3cb8,0x7fff74fa3cc8,0x7fff74fa3cd81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1812,16238468950618540058,13844124163952598281,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1828 /prefetch:21⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,1126897661000199014,18331974579482906305,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:21⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,1126897661000199014,18331974579482906305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:31⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1812,16238468950618540058,13844124163952598281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:31⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,1126897661000199014,18331974579482906305,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2428 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,1126897661000199014,18331974579482906305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,1126897661000199014,18331974579482906305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:11⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1036 -ip 10361⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,1126897661000199014,18331974579482906305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,1126897661000199014,18331974579482906305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,1126897661000199014,18331974579482906305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,1126897661000199014,18331974579482906305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,1126897661000199014,18331974579482906305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3336 /prefetch:81⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,1126897661000199014,18331974579482906305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5756 /prefetch:81⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,1126897661000199014,18331974579482906305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1884,1126897661000199014,18331974579482906305,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3244 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1884,1126897661000199014,18331974579482906305,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3380 /prefetch:81⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,1126897661000199014,18331974579482906305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,1126897661000199014,18331974579482906305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,1126897661000199014,18331974579482906305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,1126897661000199014,18331974579482906305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,1126897661000199014,18331974579482906305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,1126897661000199014,18331974579482906305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,1126897661000199014,18331974579482906305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,1126897661000199014,18331974579482906305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,1126897661000199014,18331974579482906305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7160 /prefetch:81⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,1126897661000199014,18331974579482906305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,1126897661000199014,18331974579482906305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1692 /prefetch:81⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,1126897661000199014,18331974579482906305,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7028 /prefetch:21⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\Temp1_NoMoreRansom.zip\[email protected]"C:\Users\Admin\AppData\Local\Temp\Temp1_NoMoreRansom.zip\[email protected]"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ana.zip\[email protected]"C:\Users\Admin\AppData\Local\Temp\Temp1_Ana.zip\[email protected]"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AV.EXE"C:\Users\Admin\AppData\Local\Temp\AV.EXE"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Modifies system certificate store
-
-
C:\Users\Admin\AppData\Local\Temp\AV2.EXE"C:\Users\Admin\AppData\Local\Temp\AV2.EXE"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 5163⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\DB.EXE"C:\Users\Admin\AppData\Local\Temp\DB.EXE"2⤵
- Adds policy Run key to start application
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\eventvwrb.exeC:\Windows\SysWOW64\eventvwrb.exe3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\ipconfig.exe"C:\Windows\system32\ipconfig.exe" /flushdns4⤵
- Gathers network information
-
-
-
C:\Windows\SysWOW64\cmd.exe/c C:\Users\Admin\AppData\Local\Temp\~unins7265.bat "C:\Users\Admin\AppData\Local\Temp\DB.EXE"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\EN.EXE"C:\Users\Admin\AppData\Local\Temp\EN.EXE"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\EN.EXE > nul3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\SB.EXE"C:\Users\Admin\AppData\Local\Temp\SB.EXE"2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff74fa3cb8,0x7fff74fa3cc8,0x7fff74fa3cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,10152866044416088975,12680931547897539927,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,10152866044416088975,12680931547897539927,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,10152866044416088975,12680931547897539927,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2484 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10152866044416088975,12680931547897539927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10152866044416088975,12680931547897539927,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,10152866044416088975,12680931547897539927,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1572 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4636 -ip 46361⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5a5bdb027c2c187bc940de04fcd2a4738
SHA1279afc5f288466bd163f252ea30ec79e7e883460
SHA256fef652cdcf911b1e18099e0c98458d1c0c16c0661f654f3c1685c294b34c3d03
SHA51258ce364164d04e1ca117e4b5feac32b155ea76772d7cb57fa2dce96a83dd3b2827485f134d53b7cb6f75e2264bc08a14d8c16edc92a5a8a4a3d4c6c3c5622efd
-
Filesize
152B
MD562d7c25a571a1eb38f21573ea8755f94
SHA13e4eecf2966c21abebc3dcd428fe611ac2a890ce
SHA25609ce18bff721083fabd3d1f2c2247ddb88a2998cb033f73a88f77f3fd785406f
SHA51247b35a21c5057dffc80e4b8a00df9aea5b90d92a16e5143e4608aa235af379e801f7ef5fa8d2156488d6a6e501c6e111b6f9d7bad1cf6da581c96c731d3711e6
-
Filesize
1KB
MD59dff81a735500987428d4e01ce46866d
SHA1c63d41953a37519f49eff26232b3d9bf241126d7
SHA256fe5816519e04e4f2c458896e0d7221a02f40639ca3b28f0480b9c43e08385d7d
SHA5123d5d96203972b7098e207cb681c3a2fbf40a668be131f8e983aaaddd552460de6c064e33bbaf34a7f892ecebdac3168cf0adabdb355b19a2af015d9f440e1de6
-
Filesize
28KB
MD57b203017b99adf3658313e222b052ee3
SHA19ec162b5fef54687998ea3daea1d14197e2e3dd7
SHA25617dfd5fbc2697a3908858d69c9e2180f6629d79816e5e9d98494fa908c327993
SHA51235e8287eca129f9be247011d56e16e19ea861b51d9c90dc135a46e19e17ca87f70a742f30c27b8e1750aaf8a2ebfaaf0c2cbd421dd29b8be4efe604d330b745a
-
Filesize
20KB
MD579d0fd7a5ea65b6786f8e2093c4da036
SHA156813417d0ffa844646369421e28fd6c922cf8c2
SHA256b82ae4acaf1c1bfe6fc7277aec673cbf1fd759693ec08c950fd9b0ba1c51add4
SHA512089ba53d6b57405f181b8eebad85d6f4d0012f39cf2ee2f46975b6d83ce928e5b5908615ba9732fc28a051db9cb7976719b358f6d61c8ecd2ada5ae264a79ffb
-
Filesize
865B
MD5bb8beb6dce1c78c6ca9571107b7a0bb6
SHA180eb62e2f8e2e150658d29016909f745065dc2f7
SHA256e7c2e42b6c7680dd8bdddd7c2f3053def15e4c9afd5cd1bd443a15a5e5b8f96a
SHA51205a27de9cba9c1fe9299368a6d7b6f672444d8f189c12c387734c172c99ca1a95c08ccf4cbd83c46acc037f341902241dbc53b41b1f0a4db1da9460af8c9b0fe
-
Filesize
865B
MD56947e49738b7171e183633168d01b539
SHA1780419797b16c390d3c1c6f7d80d06031fc37e53
SHA256c954a4d5b3a92612ab6aebb690715c83f7fc070ffcc78fa4f3bb19e0fe1d28fb
SHA512e274e2101ac5f47550045f19e0748679c8b177aac49afe57adb50c9769f5bfe80cd69736e4608b3da09bf86f8f120e88eb2ca3743526afee782f83050a72e36f
-
Filesize
865B
MD54cdc62420c56ecb0b71822ebb70b7e7f
SHA1eb38e78e3d9555c0e0c53514a6d0104869a538e6
SHA256dc72cb7edadb18e57d00d68b6caac36eb755a8461346cbe7b908a1865c2b8fab
SHA512e60d7c95463140a0eabe1fbe2598696c1a3fafd3af2a3cc614a4a39754560834caab5cae223b5dda564fe8bb3b564e65f18074dbf04687a7d6d47af2bd41e7a1
-
Filesize
111B
MD5807419ca9a4734feaf8d8563a003b048
SHA1a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
-
Filesize
7KB
MD550d38492fe8e5704644da5ddd20ee037
SHA1a95a48521045345fa360a1ed9ecb1596d452f45c
SHA256a9f06b168965104dd0dd21aba30944c6746c93f31939d4ad4d1f5fb16370455a
SHA5122f47c195094da66fe28c167eaa063a7fa55dddb7de515ba37b1a9a2fb4ab3120a1dbfa614abcc334e8c5f07ebeb0aa7b93690f9fca5e1f7fdb3f07d848c892ed
-
Filesize
7KB
MD5c22a7a7fd4c80e85c9f3fc4838cd88a1
SHA1f04e948b8641aeb22ccca3226ca5e5602227b8cd
SHA256b83988455b5001a00f00469a2e3816e4832ec389ba564955e8bc57635db95605
SHA512b5c55114a925f85190cf10d317e6d983a8c1dd776d29f305f725e09f26bc131ce76e5250a780de5364a3a7747c06d09730f5554f03e90ee33c58c66155de9ef1
-
Filesize
1KB
MD5347237c8c4938a2c3cd7c25afc6690c1
SHA196ef947249f6342d08930c4fb1917466d0c5cbd9
SHA256a5b0f9740abfe51f517cd096e4951635cbf3f172a9e72d1944ac64ccaec2e9d1
SHA512305b8e5baa2cea60b8907e649e345c724914ace0d9af9143b2a2a1943d0f42b82ece1deabdb1c103e04af0434ca01c803e3293aef53c4c42983435f7663100b6
-
Filesize
1KB
MD573e339701a8182ab124fe61170d5c74b
SHA1343b72717860094970493697a81a1c8c7a527d11
SHA256d6b48940ab69b99e8cee1e5659d4392631297e7ee090b6056ddd92942b9348ce
SHA512d46d241a4df1336df946dc9a6fa4b062e87fdcbb9f38fd543b026019a601de666eef832cbe16d897c0497d3fe74e7eec198af4e87cb9946da668f8446353f2f8
-
Filesize
1KB
MD5b120b6ee6e79e5c0a20c5c8142932aca
SHA12a89c0f25816c9290de6b90f9a3cf6aed4ea7920
SHA256fcfa44f0bc8bf6aec282c5c2be8364efa282b471de2ce371301803258fc4d26e
SHA51265e6b4eff7c29bec328c127794a0bd0da5263ec6bd5148ad0f233595d9dc15fc4b4b4e7e758c6931f0214e66a3f2b194253535edcf179326edabf2946f9fea74
-
Filesize
1KB
MD5829c46512a87743848721c76361fe087
SHA19f6a27b9157486f6950e00df073c078d53fe713b
SHA256b642cb11467bb3d137fa2d53747c563a1f50d28cd6165fa245dc8554c70d65f0
SHA5126c652270a3914369d3d22d519195d2fc26289b7245a00a98deb8f23314a94fc29f570f6da194854ae6c460c8b786d07eb72c3aec274ec25bc41da765699a3549
-
Filesize
1KB
MD5087520099c960d6e6e513e84edd8a0ac
SHA17e3d33d0a13c498e9092aca677a1d83a52b81461
SHA2569166d97c36a82fc817e7838fdf92eff01373038a15b7a70dc29c2f6afe00a242
SHA512a8bc6aedeb5c5e1cd126dfe6554a1eda8aa17e5b083cf97d9f7aa9b8c8432f2849e56aa2f85e686e1cae2f3d008bd453ac4194119a8113d0e13901b46a2df7a6
-
Filesize
1KB
MD5f6d8b1ae696838adbb1f34c45f28a4ba
SHA1dfcc866fe184e3c174047ed9c739e72c579c2b37
SHA2561130275969f58802cf42aae7ab0329d2b60017471c30bd53267adccd33c9cd28
SHA5126cf7b5a8e544a77270f8a9b0d588c20ad271bb62e28c03be7e6d109fe89dcae0e2d7f734c4155e5ce7ac8303ca76355571d2b631605f9d4663a31345788f93cb
-
Filesize
1KB
MD5cf74438516de23186a3495c42b3a1884
SHA128323538676bf790f73dac08c95cb015d0ea9d1a
SHA25675e5509844eb5380de47db55326b127ade7439475b1b356bbd98ceb8ee6ed453
SHA512b08a30ca24722b5f7bb3d13abd7963c836e09f088e1ad54b0cb9fd456d9692bf222d817aae64a640e3a3c22eb81643a3ee32816a88263323fc3126b0437c36d4
-
Filesize
533B
MD57dc0f752c4908a1a5fc72d3692d0661c
SHA15f4755d3971bdf984b3a9a5babade102153cd66e
SHA256ee449b18e3ca1d189c0882cf85df0497ccefb1bfd51ba96d0c7a604a1e7396fe
SHA5125bca04e715812e3bb61ed9925bfe8f23a6a950fb6794397935caa110ee1c43a05dac3ea77391e465a528ac89edaf0206dd07b87cc855f934f191091619af2f58
-
Filesize
12KB
MD5092c330f9628f7685db2529bf2985e1d
SHA1ab4f21c16e90bb775f2ed8dfbdf9f96baa0dbcf5
SHA256e659c3458709b7c0e5e2a0a3eba424250c0f87c5f7d7109607e078d31a8b720b
SHA512e7a83745924346357130e1e03965f6631f1b6da3b6de43a0a73ecaf704f67b933ac8139115b7174098f6b0aac923ba55c0ba142ed0cbd0b2c58c29ecd59fa92c
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
1.1MB
MD5f284568010505119f479617a2e7dc189
SHA1e23707625cce0035e3c1d2255af1ed326583a1ea
SHA25626c8f13ea8dc17443a9fa005610537cb6700aebaf748e747e9278d504e416eb1
SHA512ebe96e667dfde547c5a450b97cd7534b977f4073c7f4cbc123a0e00baaefeb3be725c1cafbfb5bb040b3359267954cd1b4e2094ef71fc273732016ee822064bf
-
Filesize
368KB
MD5014578edb7da99e5ba8dd84f5d26dfd5
SHA1df56d701165a480e925a153856cbc3ab799c5a04
SHA2564ce5e8b510895abb204f97e883d8cbaacc29ccef0844d9ae81f8666f234b0529
SHA512bd5159af96d83fc7528956c5b1bd6f93847db18faa0680c6041f87bbebef5e3ba2de1f185d77ff28b8d7d78ec4f7bd54f48b37a16da39f43314ef022b4a36068
-
Filesize
243KB
MD5c6746a62feafcb4fca301f606f7101fa
SHA1e09cd1382f9ceec027083b40e35f5f3d184e485f
SHA256b5a255d0454853c8afc0b321e1d86dca22c3dbefb88e5d385d2d72f9bc0109e6
SHA512ee5dfa08c86bf1524666f0851c729970dbf0b397db9595a2bae01516299344edb68123e976592a83e492f2982fafe8d350ba2d41368eb4ecf4e6fe12af8f5642
-
Filesize
6KB
MD5621f2279f69686e8547e476b642b6c46
SHA166f486cd566f86ab16015fe74f50d4515decce88
SHA256c17a18cf2c243303b8a6688aad83b3e6e9b727fcd89f69065785ef7f1a2a3e38
SHA512068402b02f1056b722f21b0a354b038f094d02e4a066b332553cd6b36e3640e8f35aa0499a2b057c566718c3593d3cea6bbabd961e04f0a001fd45d8be8e1c4e
-
Filesize
149KB
MD5fe731b4c6684d643eb5b55613ef9ed31
SHA1cfafe2a14f5413278304920154eb467f7c103c80
SHA256e7953daad7a68f8634ded31a21a31f0c2aa394ca9232e2f980321f7b69176496
SHA512f7756d69138df6d3b0ffa47bdf274e5fd8aab4fff9d68abe403728c8497ac58e0f3d28d41710de715f57b7a2b5daa2dd7e04450f19c6d013a08f543bd6fc9c2e
-
Filesize
224KB
MD59252e1be9776af202d6ad5c093637022
SHA16cc686d837cd633d9c2e8bc1eaba5fc364bf71d8
SHA256ce822ff86e584f15b6abd14c61453bd3b481d4ec3fdeb961787fceb52acd8bd6
SHA51298b1b3ce4d16d36f738478c6cf41e8f4a57d3a5ecfa8999d45592f79a469d8af8554bf4d5db34cb79cec71ce103f4fde1b41bd3cce30714f803e432e53da71ea
-
Filesize
49B
MD59e0a2f5ab30517809b95a1ff1dd98c53
SHA15c1eefdf10e67d1e9216e2e3f5e92352d583c9ce
SHA25697ac9fee75a1f7b63b3115e9c4fb9dda80b1caba26d2fb51325670dee261fe32
SHA512e959cc1fd48fb1cccf135a697924c775a3812bab211fc7f9b00c5a9d617261d84c5d6f7cb548774c1e8f46811b06ca39c5603d0e10cbcb7b805f9abbe49b9b42
-
Filesize
101KB
MD56954a4e4195f9303cbf6a893351685d3
SHA138e658d881e806adbe5a9af4e8fe8865c82144db
SHA25616a80dd0ab2e7e9545be64832cbbd681d08134689e0e81b003dd65bf4afaa049
SHA512a33f243ea2fc9485d65988aab14e38b12d3e404b03234ed5767870c04a179a88d32dcc631018366ce423f9f7bbd10d0c074b84ed530ce200ad9c24905a5faced
-
Filesize
1010B
MD56e630504be525e953debd0ce831b9aa0
SHA1edfa47b3edf98af94954b5b0850286a324608503
SHA2562563fe2f793f119a1bae5cca6eab9d8c20409aa1f1e0db341c623e1251244ef5
SHA512bbcf285309a4d5605e19513c77ef077a4c451cbef04e3cbdfec6d15cc157a9800a7ff6f70964b0452ddb939ff50766e887904eda06a9999fdedf5b2e8776ebd2
-
Filesize
400KB
-
Filesize
400KB
-
Filesize
400KB
-
Filesize
400KB
-
Filesize
4KB
-
Filesize
268KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
824KB
-
Filesize
1.9MB
-
Filesize
40KB
-
Filesize
5.7MB
-
Filesize
64KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
64KB
-
Filesize
780KB
-
Filesize
780KB
-
Filesize
12KB
-
Filesize
4KB
-
Filesize
588KB
-
Filesize
588KB
-
Filesize
588KB
-
Filesize
588KB
-
Filesize
196KB
-
Filesize
588KB
-
Filesize
588KB
-
Filesize
276KB