wshrat | 9eb2dc6ae95f6631e25eb8679a25eb330f1a7c463d3ccf31c53a6daa1346f007

Resubmissions

01-05-2024 18:33

240501-w7fn8aff45 10

01-05-2024 18:30

240501-w5ts3adc6s 6

01-05-2024 18:18

240501-wxwbxsda71 6

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2024 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Pending_Invoice_Bank_Details.html
Size

10KB
MD5

0def2826514ff6887d5a2a6cc7db4b5b
SHA1

b6c964e67855f076e90fe5c339b02fa2fe423ddd
SHA256

9eb2dc6ae95f6631e25eb8679a25eb330f1a7c463d3ccf31c53a6daa1346f007
SHA512

cdfc1c5039bf03430d112109813915c89d6dd05592fc0b9a0e3d80e157ad7b404f55d0a1aaed2d1be1ffcdc1fb1c5513949ec713b9d22046cf9ca3de4f85d50a
SSDEEP

192:/TO8OGVCARwH8izhrnV9fxRQdjSecSc6i0bKVC:/TBCARwcizhrnV9fxRQxSecStbKVC

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

http://masterokrwh.duckdns.org:8426

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 33 IoCs

flow	pid	Process
50	4352	WScript.exe
51	4352	WScript.exe
52	4836	wscript.exe
53	4836	wscript.exe
56	4836	wscript.exe
58	4836	wscript.exe
61	1088	WScript.exe
62	1088	WScript.exe
63	2464	WScript.exe
64	2464	WScript.exe
65	2448	WScript.exe
66	2448	WScript.exe
67	4836	wscript.exe
68	4836	wscript.exe
69	4836	wscript.exe
70	4836	wscript.exe
72	4836	wscript.exe
75	4836	wscript.exe
76	4836	wscript.exe
78	4836	wscript.exe
79	4836	wscript.exe
80	4836	wscript.exe
86	4836	wscript.exe
87	4836	wscript.exe
88	4836	wscript.exe
89	4836	wscript.exe
90	4836	wscript.exe
92	4836	wscript.exe
93	4836	wscript.exe
94	4836	wscript.exe
95	4836	wscript.exe
96	4836	wscript.exe
97	4836	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PROMOTION_(PO_30784)_2024_05_01.JS	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PROMOTION_(PO_30784)_2024_05_01.JS\:SmartScreen:$DATA	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PROMOTION_(PO_30784)_2024_05_01.JS	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PROMOTION_(PO_30784)_2024_05_01.JS\:SmartScreen:$DATA	WScript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PROMOTION_(PO_30784)_2024_05_01 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\PROMOTION_(PO_30784)_2024_05_01.JS\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PROMOTION_(PO_30784)_2024_05_01 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\PROMOTION_(PO_30784)_2024_05_01.JS\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PROMOTION_(PO_30784)_2024_05_01 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\PROMOTION_(PO_30784)_2024_05_01.JS\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PROMOTION_(PO_30784)_2024_05_01 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\PROMOTION_(PO_30784)_2024_05_01.JS\""	wscript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
62	pastebin.com
64	pastebin.com
66	pastebin.com
29	raw.githubusercontent.com
30	raw.githubusercontent.com
49	pastebin.com
51	pastebin.com
53	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
55	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 798253.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Local\Temp\PROMOTION_(PO_30784)_2024_05_01.JS\:SmartScreen:$DATA	WScript.exe

Script User-Agent 32 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	62	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	63	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	64	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	66	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	68	WSHRAT\|C2D25562\|FZBXDXUA\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	69	WSHRAT\|C2D25562\|FZBXDXUA\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	80	WSHRAT\|C2D25562\|FZBXDXUA\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	88	WSHRAT\|C2D25562\|FZBXDXUA\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	75	WSHRAT\|C2D25562\|FZBXDXUA\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	78	WSHRAT\|C2D25562\|FZBXDXUA\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	92	WSHRAT\|C2D25562\|FZBXDXUA\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	52	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	58	WSHRAT\|C2D25562\|FZBXDXUA\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	79	WSHRAT\|C2D25562\|FZBXDXUA\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	89	WSHRAT\|C2D25562\|FZBXDXUA\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	70	WSHRAT\|C2D25562\|FZBXDXUA\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	72	WSHRAT\|C2D25562\|FZBXDXUA\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	90	WSHRAT\|C2D25562\|FZBXDXUA\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	93	WSHRAT\|C2D25562\|FZBXDXUA\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	95	WSHRAT\|C2D25562\|FZBXDXUA\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	96	WSHRAT\|C2D25562\|FZBXDXUA\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	65	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	67	WSHRAT\|C2D25562\|FZBXDXUA\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	76	WSHRAT\|C2D25562\|FZBXDXUA\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	94	WSHRAT\|C2D25562\|FZBXDXUA\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	97	WSHRAT\|C2D25562\|FZBXDXUA\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	50	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	51	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	87	WSHRAT\|C2D25562\|FZBXDXUA\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	53	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	61	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	86	WSHRAT\|C2D25562\|FZBXDXUA\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3116	msedge.exe
3116	msedge.exe
468	msedge.exe
468	msedge.exe
3048	identity_helper.exe
3048	identity_helper.exe
2600	msedge.exe
2600	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 1516	468	msedge.exe	82
PID 468 wrote to memory of 1516	468	msedge.exe	82
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 1028	468	msedge.exe	83
PID 468 wrote to memory of 3116	468	msedge.exe	84
PID 468 wrote to memory of 3116	468	msedge.exe	84
PID 468 wrote to memory of 3136	468	msedge.exe	85
PID 468 wrote to memory of 3136	468	msedge.exe	85
PID 468 wrote to memory of 3136	468	msedge.exe	85
PID 468 wrote to memory of 3136	468	msedge.exe	85
PID 468 wrote to memory of 3136	468	msedge.exe	85
PID 468 wrote to memory of 3136	468	msedge.exe	85
PID 468 wrote to memory of 3136	468	msedge.exe	85
PID 468 wrote to memory of 3136	468	msedge.exe	85
PID 468 wrote to memory of 3136	468	msedge.exe	85
PID 468 wrote to memory of 3136	468	msedge.exe	85
PID 468 wrote to memory of 3136	468	msedge.exe	85
PID 468 wrote to memory of 3136	468	msedge.exe	85
PID 468 wrote to memory of 3136	468	msedge.exe	85
PID 468 wrote to memory of 3136	468	msedge.exe	85
PID 468 wrote to memory of 3136	468	msedge.exe	85
PID 468 wrote to memory of 3136	468	msedge.exe	85
PID 468 wrote to memory of 3136	468	msedge.exe	85
PID 468 wrote to memory of 3136	468	msedge.exe	85
PID 468 wrote to memory of 3136	468	msedge.exe	85
PID 468 wrote to memory of 3136	468	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Pending_Invoice_Bank_Details.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd8a7946f8,0x7ffd8a794708,0x7ffd8a794718
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,7670961071991357601,8693596317299100105,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,7670961071991357601,8693596317299100105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,7670961071991357601,8693596317299100105,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7670961071991357601,8693596317299100105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7670961071991357601,8693596317299100105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,7670961071991357601,8693596317299100105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,7670961071991357601,8693596317299100105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7670961071991357601,8693596317299100105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7670961071991357601,8693596317299100105,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7670961071991357601,8693596317299100105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7670961071991357601,8693596317299100105,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,7670961071991357601,8693596317299100105,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5344 /prefetch:8
  2⤵
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7670961071991357601,8693596317299100105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,7670961071991357601,8693596317299100105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2600
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\PROMOTION_(PO_30784)_2024_05_01.JS"
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - NTFS ADS
  PID:4352
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\PROMOTION_(PO_30784)_2024_05_01.JS"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    PID:4836
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\PROMOTION_(PO_30784)_2024_05_01.JS"
  2⤵
  - Blocklisted process makes network request
  PID:1088
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\PROMOTION_(PO_30784)_2024_05_01.JS"
  2⤵
  - Blocklisted process makes network request
  PID:2464
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\PROMOTION_(PO_30784)_2024_05_01.JS"
  2⤵
  - Blocklisted process makes network request
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7670961071991357601,8693596317299100105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7670961071991357601,8693596317299100105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7670961071991357601,8693596317299100105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
  2⤵
  PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7670961071991357601,8693596317299100105,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7670961071991357601,8693596317299100105,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1924 /prefetch:1
  2⤵
  PID:3728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,7670961071991357601,8693596317299100105,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6808 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7670961071991357601,8693596317299100105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6672 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7670961071991357601,8693596317299100105,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6992 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7670961071991357601,8693596317299100105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:1264

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
486B

MD5
3ca52f58bfd423fd12e6d5220a37fb38

SHA1
48d0db2f65a14c9622c777d52b67afbf9fc9211a

SHA256
4fc6fd6a1129fe2be2b92ecbfadea02f1b1a627fc75db2030817bb65036f11ef

SHA512
e86daee2e820edeb273efcea717dea7720f538eb0763c8786d5f8e70642b3687cf2e2062d6b05ed88b7357f7cd54b33f81f5646a0dc0eea0b14e187866021728

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
86651d309d542bf250a0fcfacf8845b4

SHA1
bcdf6c810a6fd3f8944b65f7eb1f5fb7bc5f9ac6

SHA256
689ec5d34c6f26917e87dbefceebf64171ee350a14feca2ee4534e63a8be92cf

SHA512
a75aef1efb1eba91448c8771c4f25b6099e9eb66a4090651938b16b5414b2f80de0441d79adb21979834f9bf9a3fe5a24cf1c26d0bc880861c2366f31bdeb50f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7f2185e2d363f1c46205a3da8ab98dfb

SHA1
1b2228933d89db084bb76a9c65094ecdb307c940

SHA256
51e436400c8f3967a50e046a9a757904fa109e62b7cb6886e4ef404fbd5b5ffb

SHA512
bbbd16bce85cb810ef358f422b8ce699a013e1f76737c53e23b28c2456e588ee0e2d997d763aa7c2acfa34b21b2ae8f902131d8aa2963a841745e6ed81e0b5d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d15f20cf906daecb4db41db696c6713b

SHA1
d45dafe92ddccad4c0b7f9c669d23f3d88c8f2ef

SHA256
cb0aa1f2c037818efcba7de4bde1eb36611e2770e19aeb27acc0e2ff0d879a7f

SHA512
b70b4f402916d018773efda8632720cb85c9b1f037ce2680708ad74fed2f01db0ee7c7074448f31ebddb8cad7d22abf7eb16203a58f168fed596bad8d45057c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6c5aa76ff8f6dc117011d6bcc36364ca

SHA1
b533a6d56df4d19d2049a03cc94809e49eb2a1bd

SHA256
e97dac7284d93ff2fdd3834d3adb58a48a00d0c25cff2415773a6a64b1b42fb3

SHA512
76ca076d67016d33cbf3073a2672cbaf93df70c027b5964c30e67851b221ec885ab43383769e54c3c59cf0b343a8f867a4af959898be21e402464beb9374af44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
03d8ea01b8ed0072ae37c5fdbc562d9f

SHA1
3671a6f6d7aaa5252e32061e28bf93936250f951

SHA256
bd975d51b858e42157cb1f082a8a55f8743dc68ff8027f9056e22560e3da840f

SHA512
1268affcc930aa0b2154a1e63072ffff8ac43e6cd91721c61aa9c72f437c2f9820b5affd7435b3d33291515b2b78d4d026ccc0dd9a5eb3f7af86f57aebbddfca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
aaa6119e8d1dc8b2481554c6d145cdd9

SHA1
a244ac4e7844877f157ae634c0cbde844a190295

SHA256
89296ccd344a8a32b0149e193294f4b0165ad1bc3321beb2549a66d932d8fca4

SHA512
6953b45dbaab0f4604422a12fca53618ca23bf1874e452d406183b093fe3de6c57954d18d1540657339b7278bc61af2b801ca332d6f01e954eb61b71d928d206

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
370a56fcdadc90fc913bbe187f4fda3d

SHA1
a0359c79f455ea0b90615e7d07aedf8dbcb79988

SHA256
eea3ed9a498fa13948a0194eee2810c4eccd16bc5ecdc2387d00a08837b59d6d

SHA512
ea01e9006fd2d6748d189a17fbfe86d31bfb08154fcaa092f59f20dec6cd9ea1d277027eedb394c6d369568892f3f1abd750ab0d362dde903c35730e838b18dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PROMOTION_(PO_30784)_2024_05_01.JS:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 798253.crdownload

Filesize
617KB

MD5
de49780282c208213f5975bc6b3149d7

SHA1
146fa7bdffff277ccfd7e6f3cf7ba5eb3f24e447

SHA256
ad5c24066f1b316dc2d9f96afc026182d605efc92f09223052e27d94b39a0b5e

SHA512
575c3149279a3a4d9dba94e9fa3ad3f22a3425aeb4ffb24ede8905a1117e011762e586b55f9581c078385444ca7c4d107e60bf18b993735e5bbec72bdc39a110

Download Submit