b24905212d252e59b612b5410ed7acdb6a6a5605d90b9d46ef69fe8da061e3c2

Analysis

max time kernel
91s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2024, 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xua.exe
Size

1.5MB
MD5

bae71a4f2d169e0e695fe005994023bf
SHA1

e71400bc71aa8bb4a31969f8adc13d44c91ab30a
SHA256

b24905212d252e59b612b5410ed7acdb6a6a5605d90b9d46ef69fe8da061e3c2
SHA512

6d9aca09792c094ecc20a45f97272e544c3d314b23721a8be31bc4ff3d9aaa113d23ff74fff837c4725f694556e958eb11df199b8be6c13ee924e3f54406807d
SSDEEP

24576:4ZsK+6D7ys/ae3Nd/GbvYqzXNBX9CGVlT7+nXqpxox+0+sAsxx0MSNKaiW:9K+6DeUae9d/QYqJjDN7+aA+0+dsxx0

Score

1^/10

Malware Config

Signatures

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4320	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2164	msedge.exe
2164	msedge.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4320	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 1920	1520	msedge.exe	107
PID 1520 wrote to memory of 1920	1520	msedge.exe	107
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 4916	1520	msedge.exe	108
PID 1520 wrote to memory of 2164	1520	msedge.exe	109
PID 1520 wrote to memory of 2164	1520	msedge.exe	109
PID 1520 wrote to memory of 3028	1520	msedge.exe	110
PID 1520 wrote to memory of 3028	1520	msedge.exe	110
PID 1520 wrote to memory of 3028	1520	msedge.exe	110
PID 1520 wrote to memory of 3028	1520	msedge.exe	110
PID 1520 wrote to memory of 3028	1520	msedge.exe	110
PID 1520 wrote to memory of 3028	1520	msedge.exe	110
PID 1520 wrote to memory of 3028	1520	msedge.exe	110
PID 1520 wrote to memory of 3028	1520	msedge.exe	110
PID 1520 wrote to memory of 3028	1520	msedge.exe	110
PID 1520 wrote to memory of 3028	1520	msedge.exe	110
PID 1520 wrote to memory of 3028	1520	msedge.exe	110
PID 1520 wrote to memory of 3028	1520	msedge.exe	110
PID 1520 wrote to memory of 3028	1520	msedge.exe	110
PID 1520 wrote to memory of 3028	1520	msedge.exe	110
PID 1520 wrote to memory of 3028	1520	msedge.exe	110
PID 1520 wrote to memory of 3028	1520	msedge.exe	110
PID 1520 wrote to memory of 3028	1520	msedge.exe	110
PID 1520 wrote to memory of 3028	1520	msedge.exe	110
PID 1520 wrote to memory of 3028	1520	msedge.exe	110
PID 1520 wrote to memory of 3028	1520	msedge.exe	110

C:\Users\Admin\AppData\Local\Temp\xua.exe
"C:\Users\Admin\AppData\Local\Temp\xua.exe"
1⤵
PID:1600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultebd1f68ch5b8eh4377h8fdbh2e057046c66f
1⤵
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd27f146f8,0x7ffd27f14708,0x7ffd27f14718
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,7476476034015954160,14947156860208928499,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,7476476034015954160,14947156860208928499,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2524 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,7476476034015954160,14947156860208928499,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
  2⤵
  PID:3028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\ConvertUnlock.cmd" "
1⤵
PID:3204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\ConvertUnlock.cmd" "
1⤵
PID:3768

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ConvertUnlock.cmd
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:4320

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e0811105475d528ab174dfdb69f935f3

SHA1
dd9689f0f70a07b4e6fb29607e42d2d5faf1f516

SHA256
c91388c87878a9e2c530c6096dbdd993b0a26fefe8ad797e0133547225032d6c

SHA512
8374a721ea3ff3a1ea70d8a074e5c193dbba27ba7e301f19cea89d648b2378c376e48310c33fe81078cd40b1863daec935e8ac22e8e3878dc3a5bb529d028852

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ae9aa4f3ea8d9a6a3201cdaa14751e2b

SHA1
2673cbcd6f61a9008f1ddad5951d7a426a198b9d

SHA256
f3fd52d3c4f888b00aba00eaebc1017822cbab000742ac9217e5a7b99c538f08

SHA512
3c77e08b6cd1e502c7f7a3c9a89be84082c74fa2537011b14ceca4c5ae2c074f21fe7a48a275296ef8066877f94e3b66ce56bc4afdc2711d8b0a8918976d410e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
1544f5e7810c2ff369fbb5ac8e2d39c4

SHA1
5f549c2b200b51674a55162b4dfe2786f6f551d0

SHA256
e6064029eb42c6d8439472b057c96eaeb921678d77c788eb3d59a5fe200a52a7

SHA512
ff2f915277738dfbf6f3b1155b496f62436bfe005febf9cd9fe5608330da5b55120e829832ceac22197957725b53b22eb0058db27cdd9d2d07eb2d2b7fed6485

Download Submit