Analysis
-
max time kernel
561s -
max time network
587s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
20-04-2024 07:35
General
-
Target
pssuspend.exe
-
Size
383KB
-
MD5
1b9f1a75593dfc670fa7c54659ab5796
-
SHA1
c9f0c40e012f8cfe20b1e5cd6a9a7b078e89a00b
-
SHA256
95a922e178075fb771066db4ab1bd70c7016f794709d514ab1c7f11500f016cd
-
SHA512
ab7b26ce5487af2a337cabfa16908ddf72bf1f6942675760e7decee874dd0f72fd47aa42bc442fe11f71fab03106c75db0234199974c7de84d1ed3f12a9b4788
-
SSDEEP
6144:V/M1xPjrG1x+YgoglDni32wAO5GeLCfCsip9631L5qMbYd:W3PG1x+1+pBLCfCjGNqGY
Malware Config
Signatures
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\pssuspend.exe"C:\Users\Admin\AppData\Local\Temp\pssuspend.exe"1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffced4546f8,0x7ffced454708,0x7ffced4547182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,8130206538947610472,14455823145348865325,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1996 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,8130206538947610472,14455823145348865325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,8130206538947610472,14455823145348865325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8130206538947610472,14455823145348865325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8130206538947610472,14455823145348865325,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8130206538947610472,14455823145348865325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8130206538947610472,14455823145348865325,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,8130206538947610472,14455823145348865325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3564 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,8130206538947610472,14455823145348865325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3564 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8130206538947610472,14455823145348865325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8130206538947610472,14455823145348865325,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8130206538947610472,14455823145348865325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,8130206538947610472,14455823145348865325,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3812 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfmFilesize
16KB
MD5aba706bb11cb1b6f63ff716943edbc16
SHA108bf5d187b30573b62a695689d1b3a921c9fc1b3
SHA256aa99348bb7ef5299275f7fb4b70250f800a6f6af4fd269129731887f3ef709c6
SHA5127f5af6803dcca1e5e106a8efd039d7545a5b1f424df7f67421f26b8be931dc2f6eb91402240fcdf30f1f71ec678dac07159d80383a82164ae7193eed6654f33f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD55e2f0fe48e7ee1aad1c24db5c01c354a
SHA15bfeb862e107dd290d87385dc9369bd7a1006b36
SHA256f13b3ebe8d71bd0086d5bb82364c35f59a95d32b39753af251e8639360e291a9
SHA512140d026437fd5e8a874cd00b03950c8f010e1a0732a0a1cc5bdde477e7f8315ccb95790bb4c15b8dbaab9468ad532eb885b6c429300a64e39412d976d079324e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD57e0880992c640aca08737893588a0010
SHA16ceec5cb125a52751de8aeda4bab7112f68ae0fe
SHA2568649a39877c190ec740a5422284ec5f9ff509b30b2d7896635476873dd8824e2
SHA51252bd0a38ca7f43b26731966035045b1cbd8b60b2d81bdf9aad791cf444da8af8b722ebf3cb364a6e660bebdf23084eb0e30bc23562575b704801669817549f8a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD527cacc8bfccced1136a6fff83b57d083
SHA18c46ae86cadabe5c46607880fa48451e587eb2b9
SHA2560cf2a97c457c81532441978a55891c428d9ad727c7421ae27dd9f7c202c6a4e5
SHA512bca66a04761c06f6d3b8ec9609223f9cc8bf9f8a4b16c151eadbbf990ad2d92177bdcf15005b7fcd6b21c47f4fe2eaa01acd2761e1e6fb26a887a249cf84f89e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5069cf5b3aa33179c40ea6235b2d9c470
SHA1391d629ddc4d5d759b48357704837edb7ae68e08
SHA256c00afab9c9a6a430ef70fb529f2166cbcec69e0b831c1d9fe5e8da4cc3d49e8e
SHA512db3a7ba2d51550b71ab89acd1e0827f8e10ef02fa6c125fceccf5b34a85493270a384785125513d48c4ea570f1483611320549f23f82e9c9671e5b21443573fe
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD566914b5007514b4baf58787efab86bbd
SHA1ba45cfb39b3104aea8b15b180e0d956f7852d002
SHA256ecf145c49eb07baf7f629644b7f987e23d6d7d059cc05b16bc83f7ab9dd1e4b9
SHA512226f5f22cd7c7f928649d1de12a7aaccbfce91024c12a3e78503d1b2473e088c53f0dec0b6680b63e8819ab78c62878df22af988eb07510408f9f67a5bb44df7
-
\??\pipe\LOCAL\crashpad_4556_DCDZRGUBNEGCMWLCMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/4448-170-0x0000022247A60000-0x0000022247A61000-memory.dmpFilesize
4KB
-
memory/4448-176-0x0000022247A60000-0x0000022247A61000-memory.dmpFilesize
4KB
-
memory/4448-167-0x0000022247A60000-0x0000022247A61000-memory.dmpFilesize
4KB
-
memory/4448-168-0x0000022247A60000-0x0000022247A61000-memory.dmpFilesize
4KB
-
memory/4448-169-0x0000022247A60000-0x0000022247A61000-memory.dmpFilesize
4KB
-
memory/4448-150-0x000002223F450000-0x000002223F460000-memory.dmpFilesize
64KB
-
memory/4448-171-0x0000022247A60000-0x0000022247A61000-memory.dmpFilesize
4KB
-
memory/4448-172-0x0000022247A60000-0x0000022247A61000-memory.dmpFilesize
4KB
-
memory/4448-173-0x0000022247A60000-0x0000022247A61000-memory.dmpFilesize
4KB
-
memory/4448-174-0x0000022247A60000-0x0000022247A61000-memory.dmpFilesize
4KB
-
memory/4448-175-0x0000022247A60000-0x0000022247A61000-memory.dmpFilesize
4KB
-
memory/4448-166-0x0000022247A40000-0x0000022247A41000-memory.dmpFilesize
4KB
-
memory/4448-177-0x0000022247690000-0x0000022247691000-memory.dmpFilesize
4KB
-
memory/4448-178-0x0000022247680000-0x0000022247681000-memory.dmpFilesize
4KB
-
memory/4448-180-0x0000022247690000-0x0000022247691000-memory.dmpFilesize
4KB
-
memory/4448-183-0x0000022247680000-0x0000022247681000-memory.dmpFilesize
4KB
-
memory/4448-186-0x00000222475C0000-0x00000222475C1000-memory.dmpFilesize
4KB
-
memory/4448-134-0x000002223F350000-0x000002223F360000-memory.dmpFilesize
64KB
-
memory/4448-198-0x00000222477C0000-0x00000222477C1000-memory.dmpFilesize
4KB
-
memory/4448-200-0x00000222477D0000-0x00000222477D1000-memory.dmpFilesize
4KB
-
memory/4448-201-0x00000222477D0000-0x00000222477D1000-memory.dmpFilesize
4KB
-
memory/4448-202-0x00000222478E0000-0x00000222478E1000-memory.dmpFilesize
4KB