0ecb58eff1dd7994f3af2aa57dafb3f86cc802c7cd152b9f19cdfe7e5aea9cc9

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 12:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$APPDATA/ȫַ!.lnk
Size

362B
MD5

9656c04d91ae3066cc07235e06fa0b32
SHA1

b2fcbbaaee9cdfe744909a5b6b20f88fd26ae118
SHA256

b5ed69a6cd004197ebef1742aa3c27d5d7d78cdb15b3129957ec89fe65666f0a
SHA512

93a28b9d2f0b99bc56001837183f69f7ceebe372b44ed1640c5fe35ba6b3c5616aea04326e865ae206868f0c12e04b42c1b183b19d90f0d6d65fb841340dcf63

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4700	msedge.exe
4700	msedge.exe
2564	msedge.exe
2564	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 2564	5088	cmd.exe	89
PID 5088 wrote to memory of 2564	5088	cmd.exe	89
PID 2564 wrote to memory of 3980	2564	msedge.exe	91
PID 2564 wrote to memory of 3980	2564	msedge.exe	91
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 2092	2564	msedge.exe	93
PID 2564 wrote to memory of 4700	2564	msedge.exe	94
PID 2564 wrote to memory of 4700	2564	msedge.exe	94
PID 2564 wrote to memory of 3996	2564	msedge.exe	95
PID 2564 wrote to memory of 3996	2564	msedge.exe	95
PID 2564 wrote to memory of 3996	2564	msedge.exe	95
PID 2564 wrote to memory of 3996	2564	msedge.exe	95
PID 2564 wrote to memory of 3996	2564	msedge.exe	95
PID 2564 wrote to memory of 3996	2564	msedge.exe	95
PID 2564 wrote to memory of 3996	2564	msedge.exe	95
PID 2564 wrote to memory of 3996	2564	msedge.exe	95
PID 2564 wrote to memory of 3996	2564	msedge.exe	95
PID 2564 wrote to memory of 3996	2564	msedge.exe	95
PID 2564 wrote to memory of 3996	2564	msedge.exe	95
PID 2564 wrote to memory of 3996	2564	msedge.exe	95
PID 2564 wrote to memory of 3996	2564	msedge.exe	95
PID 2564 wrote to memory of 3996	2564	msedge.exe	95
PID 2564 wrote to memory of 3996	2564	msedge.exe	95
PID 2564 wrote to memory of 3996	2564	msedge.exe	95
PID 2564 wrote to memory of 3996	2564	msedge.exe	95
PID 2564 wrote to memory of 3996	2564	msedge.exe	95

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$APPDATA\ȫַ!.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.1122i.com/?ie
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8058846f8,0x7ff805884708,0x7ff805884718
    3⤵
    PID:3980
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,18064599741539544640,13487041019526267817,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
    3⤵
    PID:2092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,18064599741539544640,13487041019526267817,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,18064599741539544640,13487041019526267817,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
    3⤵
    PID:3996
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18064599741539544640,13487041019526267817,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
    3⤵
    PID:3324
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18064599741539544640,13487041019526267817,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
    3⤵
    PID:3520
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18064599741539544640,13487041019526267817,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
    3⤵
    PID:4696
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,18064599741539544640,13487041019526267817,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2320 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
47b2c6613360b818825d076d14c051f7

SHA1
7df7304568313a06540f490bf3305cb89bc03e5c

SHA256
47a22bea2e7d0154c59bf5d8790ec68274eb05e9fa6cf0eab0d648121f1a02ac

SHA512
08d2366fc1ce87dbe96b9bf997e4c59c9206fcfea47c1f17b01e79aeb0580f25cac5c7349bb453a50775b2743053446653f4129f835f81f4a8547ca392557aac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e0811105475d528ab174dfdb69f935f3

SHA1
dd9689f0f70a07b4e6fb29607e42d2d5faf1f516

SHA256
c91388c87878a9e2c530c6096dbdd993b0a26fefe8ad797e0133547225032d6c

SHA512
8374a721ea3ff3a1ea70d8a074e5c193dbba27ba7e301f19cea89d648b2378c376e48310c33fe81078cd40b1863daec935e8ac22e8e3878dc3a5bb529d028852

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
b3099f3500bbd8beca16c39db899b175

SHA1
afd6d07cc12874b1424e96bd490b4fed4eb8f1a9

SHA256
2716818d59fd7620b947cd78e175e2570536472176de62fbae7d3534a952595b

SHA512
2e0a5f44633211e4571eab2d0c6cd764527e3dcff15be52315be1a72c91589ee12dd7c7531469499889871bc957dabccfa674524cb33322ee42f7fbb7a437cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
702B

MD5
0e2e9a2ef8562b58cc2485c8aef961a3

SHA1
89d0132c6e63070cdcccfc01856ed5ec6b62c14e

SHA256
1606507c493f18368152d0c942df7e2c26a9dae05d1e2d8a193c8b8fac58d444

SHA512
520de065689e51837e4525d113d502f57c71ab3e2ae4364f8fa1647c82c781b08e2811ce8d6f485b61535f2e0073f363c7aee2d2f8284931fc7503382f328adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1dc646456fc359beb5419dd6f16f038a

SHA1
414d9b92e0772e3203787ea02a9fe7793694341c

SHA256
d46176b3cdec89cfdb85af6c6727f585a8cfe62c0a1c3a877afd314705ada6d2

SHA512
e0e240238ca45ddd6b636bd84f997963f6066f6bb2d1b3d8fcb023b1e858cc92f3891cb45ded6e7cd04f28a2303b0fd17305c30f837f89a9daba5ae3231c84d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
908097ba16d67603acd978484d99dce4

SHA1
15bbe6703f6866c4be7f1dae72289aa16ac7f353

SHA256
cbdea67817ca3dcd0736b135571212d1146fab647011945ef4a586e19f7a680b

SHA512
b6fde614f547a00af8ee3937ec192eb664fa77277b9372e3aa4b5c9b4eb36e149a0cacea30fe97bbd83d22e91702ef85e60adf79726b5f6eb38a6381f8976e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d0e93c14ce926eeee09a3f186e8b6f85

SHA1
8a1998497515291a7c3d3fdafe76fd4644005cc9

SHA256
ac91027667e07d5f47b1d52def5cdf0567dfe0fd6149b7b31d48202c056ca938

SHA512
0a9cdb79a7203e4d5885045bd97f3e8a0859e8895fe64b3e542719f37a6ed4c9e3776e02ff75fca8118bf01cf0e90da95d1edb131053d3a647a212bf1c61f8c9

Download Submit