0b432f20d54647f077811ecb1df4dbc64fb17fbd6a9e0cce4ac9437d5f7891fb

Resubmissions

18-03-2024 22:36

240318-2h9hwsba88 10

Analysis

max time kernel
1694s
max time network
1700s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18-03-2024 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransomware/SporaRansomware.exe
Size

24KB
MD5

4a4a6d26e6c8a7df0779b00a42240e7b
SHA1

8072bada086040e07fa46ce8c12bf7c453c0e286
SHA256

7ad9ed23a91643b517e82ad5740d24eca16bcae21cfe1c0da78ee80e0d1d3f02
SHA512

c7a7b15d8dbf8e8f8346a4dab083bb03565050281683820319906da4d23b97b39e88f841b30fc8bd690c179a8a54870238506ca60c0f533d34ac11850cdc1a95
SSDEEP

384:akN70EPxIDesCUxvDuzbKGxc5X4LtOFV4U7vqydPNdG2l2Zk1mvlCnqA+PQ+O9G:vZPxIuQunKGxJ44OdPNc2lEfCnqA+PQ+

Score

10^/10

evasion ransomware spyware stealer

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3980 3664 cmd.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1336 bcdedit.exe
996 bcdedit.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	3664	cmd.exe

pid	process
1336	bcdedit.exe
996	bcdedit.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SporaRansomware.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	SporaRansomware.exe

Drops startup file 1 IoCs

Processes:

SporaRansomware.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\USBD1-44XZT-ZTZTX-HTXRT-ZYYYY.HTML	SporaRansomware.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4516 vssadmin.exe

pid	process
4516	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
2664	msedge.exe
2664	msedge.exe
4536	msedge.exe
4536	msedge.exe
4716	identity_helper.exe
4716	identity_helper.exe
5884	msedge.exe
5884	msedge.exe
5884	msedge.exe
5884	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

4536 msedge.exe
4536 msedge.exe
4536 msedge.exe
4536 msedge.exe
4536 msedge.exe
4536 msedge.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

WMIC.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3792	WMIC.exe
Token: SeSecurityPrivilege	3792	WMIC.exe
Token: SeTakeOwnershipPrivilege	3792	WMIC.exe
Token: SeLoadDriverPrivilege	3792	WMIC.exe
Token: SeSystemProfilePrivilege	3792	WMIC.exe
Token: SeSystemtimePrivilege	3792	WMIC.exe
Token: SeProfSingleProcessPrivilege	3792	WMIC.exe
Token: SeIncBasePriorityPrivilege	3792	WMIC.exe
Token: SeCreatePagefilePrivilege	3792	WMIC.exe
Token: SeBackupPrivilege	3792	WMIC.exe
Token: SeRestorePrivilege	3792	WMIC.exe
Token: SeShutdownPrivilege	3792	WMIC.exe
Token: SeDebugPrivilege	3792	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3792	WMIC.exe
Token: SeRemoteShutdownPrivilege	3792	WMIC.exe
Token: SeUndockPrivilege	3792	WMIC.exe
Token: SeManageVolumePrivilege	3792	WMIC.exe
Token: 33	3792	WMIC.exe
Token: 34	3792	WMIC.exe
Token: 35	3792	WMIC.exe
Token: 36	3792	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3792	WMIC.exe
Token: SeSecurityPrivilege	3792	WMIC.exe
Token: SeTakeOwnershipPrivilege	3792	WMIC.exe
Token: SeLoadDriverPrivilege	3792	WMIC.exe
Token: SeSystemProfilePrivilege	3792	WMIC.exe
Token: SeSystemtimePrivilege	3792	WMIC.exe
Token: SeProfSingleProcessPrivilege	3792	WMIC.exe
Token: SeIncBasePriorityPrivilege	3792	WMIC.exe
Token: SeCreatePagefilePrivilege	3792	WMIC.exe
Token: SeBackupPrivilege	3792	WMIC.exe
Token: SeRestorePrivilege	3792	WMIC.exe
Token: SeShutdownPrivilege	3792	WMIC.exe
Token: SeDebugPrivilege	3792	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3792	WMIC.exe
Token: SeRemoteShutdownPrivilege	3792	WMIC.exe
Token: SeUndockPrivilege	3792	WMIC.exe
Token: SeManageVolumePrivilege	3792	WMIC.exe
Token: 33	3792	WMIC.exe
Token: 34	3792	WMIC.exe
Token: 35	3792	WMIC.exe
Token: 36	3792	WMIC.exe
Token: SeBackupPrivilege	3144	vssvc.exe
Token: SeRestorePrivilege	3144	vssvc.exe
Token: SeAuditPrivilege	3144	vssvc.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SporaRansomware.exemsedge.execmd.exe

description	pid	process	target process
PID 3700 wrote to memory of 3792	3700	SporaRansomware.exe	WMIC.exe
PID 3700 wrote to memory of 3792	3700	SporaRansomware.exe	WMIC.exe
PID 3700 wrote to memory of 3792	3700	SporaRansomware.exe	WMIC.exe
PID 3700 wrote to memory of 4536	3700	SporaRansomware.exe	msedge.exe
PID 3700 wrote to memory of 4536	3700	SporaRansomware.exe	msedge.exe
PID 4536 wrote to memory of 3332	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 3332	4536	msedge.exe	msedge.exe
PID 3980 wrote to memory of 4516	3980	cmd.exe	vssadmin.exe
PID 3980 wrote to memory of 4516	3980	cmd.exe	vssadmin.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2988	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2664	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 2664	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 1004	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 1004	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 1004	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 1004	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 1004	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 1004	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 1004	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 1004	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 1004	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 1004	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 1004	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 1004	4536	msedge.exe	msedge.exe
PID 4536 wrote to memory of 1004	4536	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Ransomware\SporaRansomware.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\SporaRansomware.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:3700

C:\Windows\SysWOW64\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\USBD1-44XZT-ZTZTX-HTXRT-ZYYYY.HTML
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca5da46f8,0x7ffca5da4708,0x7ffca5da4718
3⤵
PID:3332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,12708624292935063371,1036968422176451442,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
3⤵
PID:2988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,12708624292935063371,1036968422176451442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,12708624292935063371,1036968422176451442,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
3⤵
PID:1004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12708624292935063371,1036968422176451442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
3⤵
PID:4452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12708624292935063371,1036968422176451442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
3⤵
PID:2936

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,12708624292935063371,1036968422176451442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
3⤵
PID:4124

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,12708624292935063371,1036968422176451442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12708624292935063371,1036968422176451442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2272 /prefetch:1
3⤵
PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12708624292935063371,1036968422176451442,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
3⤵
PID:3736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12708624292935063371,1036968422176451442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
3⤵
PID:5208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12708624292935063371,1036968422176451442,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
3⤵
PID:5216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,12708624292935063371,1036968422176451442,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1256 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5884

C:\Windows\system32\cmd.exe
cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:4516

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
2⤵
- Modifies boot configuration data using bcdedit
PID:1336

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Modifies boot configuration data using bcdedit
PID:996

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:732

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f35bb0615bb9816f562b83304e456294

SHA1
1049e2bd3e1bbb4cea572467d7c4a96648659cb4

SHA256
05e80abd624454e5b860a08f40ddf33d672c3fed319aac180b7de5754bc07b71

SHA512
db9100f3e324e74a9c58c7d9f50c25eaa4c6c4553c93bab9b80c6f7bef777db04111ebcd679f94015203b240fe9f4f371cae0d4290ec891a4173c746ff4b11c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1eb86108cb8f5a956fdf48efbd5d06fe

SHA1
7b2b299f753798e4891df2d9cbf30f94b39ef924

SHA256
1b53367e0041d54af89e7dd59733231f5da1393c551ed2b943c89166c0baca40

SHA512
e2a661437688a4a01a6eb3b2bd7979ecf96b806f5a487d39354a7f0d44cb693a3b1c2cf6b1247b04e4106cc816105e982569572042bdddb3cd5bec23b4fce29d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
4dc5b383e0284bc7ff0db72cee63b351

SHA1
b0220825398934baf5bd215f317093f99b2204cd

SHA256
1d7f9f1a6e92a7175e60558ae8284a07c37151b49660946f52d565fdb3e10e5a

SHA512
40e952f0bc4478815803546c6c9883e821b03014c4f897a5bd4f6c38f7b1841d5d101000b3228fa04d41fafcac37130afa5d99b3e4e39863c58e1a0dafc379ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
ded56525d3e7acb58398eaf59882470d

SHA1
71e4870e37ad36e10d2d4b86a083726a3addde2f

SHA256
b1bfb47e12be331c98c8a5d6cf4f888abb8c7cf0f496cd5d7f8962b46747a685

SHA512
c4c1ecce48f10925e74bbdaad38e1dbfadc5a7a6916c169e4d50467a9908f834c5ff1a0344cc73b3346302d4a4903b4d90ef2b5cf2de3d403765009a18b712ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
ec4e08c388f3408de95e13bafd7cf731

SHA1
553bc920489a0cc81b346ef846095450c08a16c0

SHA256
7aebb7c595c6edc1e8d796f52dc74a459b8c92c5bb2eb5e4513b5217ae7c6495

SHA512
250574de6dee1d50d4f07bf9e9a1183c23a9bc4ca1bd7b080cd3068c4482d9fc2705956f36fd89f39c54e3c279d6ca6e9ec44e648850ffa52ba1b9dac0efdcfe

Download Submit
C:\Users\Admin\AppData\Roaming\USBD1-44XZT-ZTZTX-HTXRT-ZYYYY.HTML
Filesize
8KB

MD5
89ca7538ca80df8d671760a8c84aeab2

SHA1
3662d891390540978e740aa9b3e43c0101e73a34

SHA256
cf772df0abe3df9950267d67058358edfbe78b266b203fd0deea32a47104055d

SHA512
5c4a88a472a603867164c82eda15349310993ce4e6ca8c38ce7707cb54dc90687046894b8b26de44713145e6f1409db18bae333e70199b1a1b67d8a59d545f45

Download Submit
C:\Users\Admin\AppData\Roaming\USBD1-44XZT-ZTZTX-HTXRT-ZYYYY.KEY
Filesize
1KB

MD5
624f33681028d101c5596d1967c0eef7

SHA1
fa3cc4e9051eaf2896f1184cbdabd7967c433324

SHA256
c1c1ceee63d15f149f8cf40809d930639205533b77a28d1c3d27427bf7c17bce

SHA512
7cb5310abd8d6301ed838f57bfb4d60d6e74cc9df9bbdf5e53d413cf34ca2c109d05b2e9139d481473e4c70a3adbdfa262de0b3d0065acae72f103397ed703f4

Download Submit
C:\Users\Admin\AppData\Roaming\USBD1-44XZT-ZTZTX-HTXRT-ZYYYY.LST
Filesize
2KB

MD5
6f5298d50c722766adf9bd15e5f9b02c

SHA1
5f146c7f66f5ba2e128aaa5d38865a299a850f5d

SHA256
d518bf9d0faaa0c04861d034c118dd12f6dafb80efe4e705efbb42bd464fa5ec

SHA512
d0681522f4a3021240d355e69804f1ef17b5858e35ffc72576b7c990353fbcb61de07c28979658d0bb798ba0d15b0aff7761f882e73fbbdc13a463bad0d19f48

Download Submit
\??\pipe\LOCAL\crashpad_4536_CMYOFHXFDHVFGQAU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3700-0-0x0000000000400000-0x0000000000407200-memory.dmp

Filesize
28KB

Download
memory/3700-142-0x0000000000400000-0x0000000000407200-memory.dmp

Filesize
28KB

Download