Analysis
- max time kernel: 147s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-03-2024 10:40

Static task: static1

Behavioral task: behavioral1
- Sample: 231120-2wnhksbd2z.exe
- Resource: win7-20240319-en

Behavioral task: behavioral2
- Sample: 231120-2wnhksbd2z.exe
- Resource: win10v2004-20240226-en
General
- Target: 231120-2wnhksbd2z.exe
- Size: 135KB
- MD5: 511aa2f2fe6196e032ec7fef83bb8d95
- SHA1: ce874f517d335a1e1ab0df99111df1d3adbc0d21
- SHA256: f2c9ae3735430b930a81148c0bb470fcb733e456a2a942f859a1b59c4a7b2150
- SHA512: 78a4771ab5e531420a45338ae27a5a4dad11b50385964a739e7ecec2c55d3ee47cde148dfc1e82ce7e8b8eb8a04a7f9b784cdd640e490a84bc8ce621d2f8d1c0
- SSDEEP: 3072:VV2vxw88jLtbMmJ2RqRADLK1iJ1/NvdOgecZlw/C:VV2v503kRqRuL0iJ1FdLec9
Malware Config

Signatures
- Locky
  Ransomware strain released in 2016, with advanced features like anti-analysis.
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: 231120-2wnhksbd2z.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\_HELP_instructions.bmp" (231120-2wnhksbd2z.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: msedge.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Modifies Control Panel (2 IoCs)
  Processes: 231120-2wnhksbd2z.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\Desktop\WallpaperStyle = "0" (231120-2wnhksbd2z.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\Desktop\TileWallpaper = "0" (231120-2wnhksbd2z.exe)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: msedge.exe, msedge.exe, identity_helper.exe
  PID / process: 3716 msedge.exe (x2); 4140 msedge.exe (x2); 3244 identity_helper.exe (x2)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  Processes: msedge.exe
  PID / process: 4140 msedge.exe (x6)
- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes: msedge.exe
  PID / process: 4140 msedge.exe (x25)
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes: msedge.exe
  PID / process: 4140 msedge.exe (x24)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 231120-2wnhksbd2z.exe, msedge.exe
  Source PID / process -> target PID / process (repeated rows collapsed):
  3104 231120-2wnhksbd2z.exe -> 4140 msedge.exe
  3104 231120-2wnhksbd2z.exe -> 1652 cmd.exe
  4140 msedge.exe -> 3016 msedge.exe
  4140 msedge.exe -> 1428 msedge.exe
  4140 msedge.exe -> 3716 msedge.exe
  4140 msedge.exe -> 4036 msedge.exe
Processes (indentation shows parent/child depth in the process tree)
- C:\Users\Admin\AppData\Local\Temp\231120-2wnhksbd2z.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\231120-2wnhksbd2z.exe"
  Signatures: Sets desktop wallpaper using registry; Modifies Control Panel; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_HELP_instructions.html
    Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff84c3346f8,0x7ff84c334708,0x7ff84c334718
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,7599731819629497230,9799093400502395121,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,7599731819629497230,9799093400502395121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,7599731819629497230,9799093400502395121,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,7599731819629497230,9799093400502395121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,7599731819629497230,9799093400502395121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,7599731819629497230,9799093400502395121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,7599731819629497230,9799093400502395121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 /prefetch:8
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,7599731819629497230,9799093400502395121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,7599731819629497230,9799093400502395121,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,7599731819629497230,9799093400502395121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,7599731819629497230,9799093400502395121,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\231120-2wnhksbd2z.exe"
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network

MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 5c6aef82e50d05ffc0cf52a6c6d69c91
  SHA1: c203efe5b45b0630fee7bd364fe7d63b769e2351
  SHA256: d9068cf3d04d62a9fb1cdd4c3cf7c263920159171d1b84cb49eff7cf4ed5bc32
  SHA512: 77ad48936e8c3ee107a121e0b2d1216723407f76872e85c36413237ca1c47b8c40038b8a6349b072bbcc6a29e27ddda77cf686fa97569f4d86531e6b2ac485ed
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 7c6136bc98a5aedca2ea3004e9fbe67d
  SHA1: 74318d997f4c9c351eef86d040bc9b085ce1ad4f
  SHA256: 50c3bd40caf7e9a82496a710f58804aa3536b44d57e2ee5e2af028cbebc6c2f2
  SHA512: 2d2fb839321c56e4cb80562e9a1daa4baf48924d635729dc5504a26462796919906f0097dd1fc7fd053394c0eea13c25219dec54ffe6e9abb6e8cb9afa66bada
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 82ba7c9ae11e6041aac1570151889fdc
  SHA1: 3051dd7258c9ef6f0ea0e5ede4b420c0b6e947d7
  SHA256: a644eb704779cf9d959a0f7576fa95b5dbf5e76a2c5df3b2e44cb13adae124f9
  SHA512: d21d62abd7b17c5a934c2e3974e3497c4f4c45bf81ee2ffe88f08348999599ea1da0656dcea2abce8a16ccd53b93e86589797c99bc80bd1764318eca7a41890a
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 8319ff5db6fdeb9114a9d474045c0cf1
  SHA1: 95d375d683655eec680b71d3cd281bc432875445
  SHA256: d9ced27f136cdfb30d9ccb664c21e75d8b4fd212ddc37814c7ef8e6fbf40268f
  SHA512: eee19d8a2ec1784466d778b19e6d9c1b29574cb08d1f9e8531a13a9c98442c620e83dbd021c62026150237eb9339cd881621e5302db5df13b0a709592285d407
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 4c61fcdc67e5f9c59142b0bb0b9aec8c
  SHA1: b7536f291a953faa71fbef4e331c5b1c2cd400df
  SHA256: ae3a012cdc72d4aeb37ef6fae53f72f7b3640680c37b490aa0b0b579f639db32
  SHA512: 543533bd71f72574e75fb1657f64b3de2682dcf265400f8343b4f50abf93c50577d7dce7f302993e1a6766d9726d2fd0f4ce0fcf59f958875ccc50b7c52f1ddc
- C:\Users\Admin\Music\_4_HELP_instructions.html
  Filesize: 9KB
  MD5: 455bb7bf11f80e3eec09b463f149bb7f
  SHA1: dfdb9edaf6f0da4b26ecf62da38ee657f94520e0
  SHA256: 384bb8fd581d927c7b4b34461ead89d81a948a014c39e614922f6f4f5d01518e
  SHA512: 656a67fdd7f95d8cd952e703d316158df8e1571bc8355a16aee3be8a0f3aee869b8e4f8b4f8660ba18ecc7b484ffaf43142ca58094cbf14aaa1eea23bd24c7c9
- \??\pipe\LOCAL\crashpad_4140_JBZTJZMMAQDRIVTU
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/3104-11-0x0000000002890000-0x00000000028B6000-memory.dmp (Filesize: 152KB)
- memory/3104-269-0x0000000002890000-0x00000000028B6000-memory.dmp (Filesize: 152KB)
- memory/3104-275-0x0000000002890000-0x00000000028B6000-memory.dmp (Filesize: 152KB)
- memory/3104-10-0x0000000002890000-0x00000000028B6000-memory.dmp (Filesize: 152KB)
- memory/3104-0-0x00000000777E2000-0x00000000777E3000-memory.dmp (Filesize: 4KB)
- memory/3104-9-0x0000000002890000-0x00000000028B6000-memory.dmp (Filesize: 152KB)
- memory/3104-5-0x0000000002890000-0x00000000028B6000-memory.dmp (Filesize: 152KB)
- memory/3104-3-0x0000000000220000-0x0000000000246000-memory.dmp (Filesize: 152KB)
- memory/3104-2-0x0000000002860000-0x0000000002861000-memory.dmp (Filesize: 4KB)
- memory/3104-1-0x0000000002890000-0x00000000028B6000-memory.dmp (Filesize: 152KB)