470d90ec620da317d6365412ec34a411d4ed0b12b90cc02399c5a57ca209a78e

Analysis

max time kernel
156s
max time network
160s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
27-05-2024 19:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AccGenerator.exe
Size

13.2MB
MD5

6945d0630139e2d1f6195f8455d36553
SHA1

fe83987ef7ce5b17a06387d5bb3729803812b8c1
SHA256

6198793cde7e2f3dc53c62036e300ee46bbefe5956f30ea78c6088c40db1abd9
SHA512

058de495189967e5129fa395b7be99ba6c5a5bc09d71f1d0f833703317ac17e31786a58d96681e8a6d0272bdb0f07533c493ad91a0ff9af92b8d04915eae32fa
SSDEEP

393216:BY3aADfDtlpfaMPY9sw3n48A4oLKMiFeER3E3rQ:BY3NbxHf9PcsYApKMkeER

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

Processes:

selenium-manager.exemsedgedriver.exeselenium-manager.exemsedgedriver.exeselenium-manager.exemsedgedriver.exe

pid process

4472 selenium-manager.exe
3576 msedgedriver.exe
2292 selenium-manager.exe
2472 msedgedriver.exe
4056 selenium-manager.exe
1388 msedgedriver.exe

pid	process
4472	selenium-manager.exe
3576	msedgedriver.exe
2292	selenium-manager.exe
2472	msedgedriver.exe
4056	selenium-manager.exe
1388	msedgedriver.exe

Loads dropped DLL 30 IoCs

Processes:

AccGenerator.exeAccGenerator.exe

pid	process
4464	AccGenerator.exe
4464	AccGenerator.exe
4464	AccGenerator.exe
4464	AccGenerator.exe
4464	AccGenerator.exe
4464	AccGenerator.exe
4464	AccGenerator.exe
4464	AccGenerator.exe
4464	AccGenerator.exe
4464	AccGenerator.exe
4464	AccGenerator.exe
4464	AccGenerator.exe
4464	AccGenerator.exe
4464	AccGenerator.exe
4464	AccGenerator.exe
4560	AccGenerator.exe
4560	AccGenerator.exe
4560	AccGenerator.exe
4560	AccGenerator.exe
4560	AccGenerator.exe
4560	AccGenerator.exe
4560	AccGenerator.exe
4560	AccGenerator.exe
4560	AccGenerator.exe
4560	AccGenerator.exe
4560	AccGenerator.exe
4560	AccGenerator.exe
4560	AccGenerator.exe
4560	AccGenerator.exe
4560	AccGenerator.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

28 raw.githubusercontent.com
29 raw.githubusercontent.com
1 raw.githubusercontent.com
2 raw.githubusercontent.com
3 raw.githubusercontent.com

flow	ioc
28	raw.githubusercontent.com
29	raw.githubusercontent.com
1	raw.githubusercontent.com
2	raw.githubusercontent.com
3	raw.githubusercontent.com

Checks system information in the registry 2 TTPs 6 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedgedriver.exemsedgedriver.exemsedgedriver.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	msedgedriver.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	msedgedriver.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	msedgedriver.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	msedgedriver.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	msedgedriver.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	msedgedriver.exe

Modifies registry class 1 IoCs

Processes:

OpenWith.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings OpenWith.exe
Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

5056 reg.exe
376 reg.exe
4780 reg.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2616 NOTEPAD.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

5000 OpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	OpenWith.exe

pid	process
5056	reg.exe
376	reg.exe
4780	reg.exe

pid	process
2616	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4696	WMIC.exe
Token: SeSecurityPrivilege	4696	WMIC.exe
Token: SeTakeOwnershipPrivilege	4696	WMIC.exe
Token: SeLoadDriverPrivilege	4696	WMIC.exe
Token: SeSystemProfilePrivilege	4696	WMIC.exe
Token: SeSystemtimePrivilege	4696	WMIC.exe
Token: SeProfSingleProcessPrivilege	4696	WMIC.exe
Token: SeIncBasePriorityPrivilege	4696	WMIC.exe
Token: SeCreatePagefilePrivilege	4696	WMIC.exe
Token: SeBackupPrivilege	4696	WMIC.exe
Token: SeRestorePrivilege	4696	WMIC.exe
Token: SeShutdownPrivilege	4696	WMIC.exe
Token: SeDebugPrivilege	4696	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4696	WMIC.exe
Token: SeRemoteShutdownPrivilege	4696	WMIC.exe
Token: SeUndockPrivilege	4696	WMIC.exe
Token: SeManageVolumePrivilege	4696	WMIC.exe
Token: 33	4696	WMIC.exe
Token: 34	4696	WMIC.exe
Token: 35	4696	WMIC.exe
Token: 36	4696	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4696	WMIC.exe
Token: SeSecurityPrivilege	4696	WMIC.exe
Token: SeTakeOwnershipPrivilege	4696	WMIC.exe
Token: SeLoadDriverPrivilege	4696	WMIC.exe
Token: SeSystemProfilePrivilege	4696	WMIC.exe
Token: SeSystemtimePrivilege	4696	WMIC.exe
Token: SeProfSingleProcessPrivilege	4696	WMIC.exe
Token: SeIncBasePriorityPrivilege	4696	WMIC.exe
Token: SeCreatePagefilePrivilege	4696	WMIC.exe
Token: SeBackupPrivilege	4696	WMIC.exe
Token: SeRestorePrivilege	4696	WMIC.exe
Token: SeShutdownPrivilege	4696	WMIC.exe
Token: SeDebugPrivilege	4696	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4696	WMIC.exe
Token: SeRemoteShutdownPrivilege	4696	WMIC.exe
Token: SeUndockPrivilege	4696	WMIC.exe
Token: SeManageVolumePrivilege	4696	WMIC.exe
Token: 33	4696	WMIC.exe
Token: 34	4696	WMIC.exe
Token: 35	4696	WMIC.exe
Token: 36	4696	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5000	WMIC.exe
Token: SeSecurityPrivilege	5000	WMIC.exe
Token: SeTakeOwnershipPrivilege	5000	WMIC.exe
Token: SeLoadDriverPrivilege	5000	WMIC.exe
Token: SeSystemProfilePrivilege	5000	WMIC.exe
Token: SeSystemtimePrivilege	5000	WMIC.exe
Token: SeProfSingleProcessPrivilege	5000	WMIC.exe
Token: SeIncBasePriorityPrivilege	5000	WMIC.exe
Token: SeCreatePagefilePrivilege	5000	WMIC.exe
Token: SeBackupPrivilege	5000	WMIC.exe
Token: SeRestorePrivilege	5000	WMIC.exe
Token: SeShutdownPrivilege	5000	WMIC.exe
Token: SeDebugPrivilege	5000	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5000	WMIC.exe
Token: SeRemoteShutdownPrivilege	5000	WMIC.exe
Token: SeUndockPrivilege	5000	WMIC.exe
Token: SeManageVolumePrivilege	5000	WMIC.exe
Token: 33	5000	WMIC.exe
Token: 34	5000	WMIC.exe
Token: 35	5000	WMIC.exe
Token: 36	5000	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5000	WMIC.exe

Suspicious use of SetWindowsHookEx 19 IoCs

Processes:

OpenWith.exe

pid	process
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AccGenerator.exeAccGenerator.exeselenium-manager.execmd.execmd.execmd.execmd.execmd.exeselenium-manager.execmd.exe

description	pid	process	target process
PID 1452 wrote to memory of 4464	1452	AccGenerator.exe	AccGenerator.exe
PID 1452 wrote to memory of 4464	1452	AccGenerator.exe	AccGenerator.exe
PID 4464 wrote to memory of 1676	4464	AccGenerator.exe	cmd.exe
PID 4464 wrote to memory of 1676	4464	AccGenerator.exe	cmd.exe
PID 4464 wrote to memory of 4964	4464	AccGenerator.exe	cmd.exe
PID 4464 wrote to memory of 4964	4464	AccGenerator.exe	cmd.exe
PID 4464 wrote to memory of 784	4464	AccGenerator.exe	cmd.exe
PID 4464 wrote to memory of 784	4464	AccGenerator.exe	cmd.exe
PID 4464 wrote to memory of 1724	4464	AccGenerator.exe	cmd.exe
PID 4464 wrote to memory of 1724	4464	AccGenerator.exe	cmd.exe
PID 4464 wrote to memory of 4472	4464	AccGenerator.exe	selenium-manager.exe
PID 4464 wrote to memory of 4472	4464	AccGenerator.exe	selenium-manager.exe
PID 4464 wrote to memory of 4472	4464	AccGenerator.exe	selenium-manager.exe
PID 4472 wrote to memory of 792	4472	selenium-manager.exe	cmd.exe
PID 4472 wrote to memory of 792	4472	selenium-manager.exe	cmd.exe
PID 4472 wrote to memory of 792	4472	selenium-manager.exe	cmd.exe
PID 792 wrote to memory of 4696	792	cmd.exe	WMIC.exe
PID 792 wrote to memory of 4696	792	cmd.exe	WMIC.exe
PID 792 wrote to memory of 4696	792	cmd.exe	WMIC.exe
PID 4472 wrote to memory of 1668	4472	selenium-manager.exe	cmd.exe
PID 4472 wrote to memory of 1668	4472	selenium-manager.exe	cmd.exe
PID 4472 wrote to memory of 1668	4472	selenium-manager.exe	cmd.exe
PID 1668 wrote to memory of 5000	1668	cmd.exe	WMIC.exe
PID 1668 wrote to memory of 5000	1668	cmd.exe	WMIC.exe
PID 1668 wrote to memory of 5000	1668	cmd.exe	WMIC.exe
PID 4472 wrote to memory of 2616	4472	selenium-manager.exe	cmd.exe
PID 4472 wrote to memory of 2616	4472	selenium-manager.exe	cmd.exe
PID 4472 wrote to memory of 2616	4472	selenium-manager.exe	cmd.exe
PID 2616 wrote to memory of 4188	2616	cmd.exe	WMIC.exe
PID 2616 wrote to memory of 4188	2616	cmd.exe	WMIC.exe
PID 2616 wrote to memory of 4188	2616	cmd.exe	WMIC.exe
PID 4472 wrote to memory of 3684	4472	selenium-manager.exe	cmd.exe
PID 4472 wrote to memory of 3684	4472	selenium-manager.exe	cmd.exe
PID 4472 wrote to memory of 3684	4472	selenium-manager.exe	cmd.exe
PID 3684 wrote to memory of 4580	3684	cmd.exe	WMIC.exe
PID 3684 wrote to memory of 4580	3684	cmd.exe	WMIC.exe
PID 3684 wrote to memory of 4580	3684	cmd.exe	WMIC.exe
PID 4472 wrote to memory of 912	4472	selenium-manager.exe	cmd.exe
PID 4472 wrote to memory of 912	4472	selenium-manager.exe	cmd.exe
PID 4472 wrote to memory of 912	4472	selenium-manager.exe	cmd.exe
PID 912 wrote to memory of 5056	912	cmd.exe	reg.exe
PID 912 wrote to memory of 5056	912	cmd.exe	reg.exe
PID 912 wrote to memory of 5056	912	cmd.exe	reg.exe
PID 4472 wrote to memory of 2812	4472	selenium-manager.exe	cmd.exe
PID 4472 wrote to memory of 2812	4472	selenium-manager.exe	cmd.exe
PID 4472 wrote to memory of 2812	4472	selenium-manager.exe	cmd.exe
PID 4464 wrote to memory of 4376	4464	AccGenerator.exe	cmd.exe
PID 4464 wrote to memory of 4376	4464	AccGenerator.exe	cmd.exe
PID 4464 wrote to memory of 3576	4464	AccGenerator.exe	msedgedriver.exe
PID 4464 wrote to memory of 3576	4464	AccGenerator.exe	msedgedriver.exe
PID 4464 wrote to memory of 4164	4464	AccGenerator.exe	cmd.exe
PID 4464 wrote to memory of 4164	4464	AccGenerator.exe	cmd.exe
PID 4464 wrote to memory of 744	4464	AccGenerator.exe	cmd.exe
PID 4464 wrote to memory of 744	4464	AccGenerator.exe	cmd.exe
PID 4464 wrote to memory of 2292	4464	AccGenerator.exe	selenium-manager.exe
PID 4464 wrote to memory of 2292	4464	AccGenerator.exe	selenium-manager.exe
PID 4464 wrote to memory of 2292	4464	AccGenerator.exe	selenium-manager.exe
PID 2292 wrote to memory of 4728	2292	selenium-manager.exe	cmd.exe
PID 2292 wrote to memory of 4728	2292	selenium-manager.exe	cmd.exe
PID 2292 wrote to memory of 4728	2292	selenium-manager.exe	cmd.exe
PID 4728 wrote to memory of 2036	4728	cmd.exe	WMIC.exe
PID 4728 wrote to memory of 2036	4728	cmd.exe	WMIC.exe
PID 4728 wrote to memory of 2036	4728	cmd.exe	WMIC.exe
PID 2292 wrote to memory of 4016	2292	selenium-manager.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\AccGenerator.exe
"C:\Users\Admin\AppData\Local\Temp\AccGenerator.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Users\Admin\AppData\Local\Temp\AccGenerator.exe
  "C:\Users\Admin\AppData\Local\Temp\AccGenerator.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1724
- - C:\Users\Admin\AppData\Local\Temp\_MEI14522\selenium\webdriver\common\windows\selenium-manager.exe
    C:\Users\Admin\AppData\Local\Temp\_MEI14522\selenium\webdriver\common\windows\selenium-manager.exe --browser MicrosoftEdge --output json
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4472
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /v/c "wmic os get osarchitecture"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:792
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic os get osarchitecture
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4696
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /v/c "set PFILES=%PROGRAMFILES(X86)%&& wmic datafile where name='!PFILES:\=\\!\\Microsoft\\Edge\\Application\\msedge.exe' get Version /value"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1668
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic datafile where name='C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe' get Version /value
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5000
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /v/c "set PFILES=%PROGRAMFILES: (x86)=%&& wmic datafile where name='!PFILES:\=\\!\\Microsoft\\Edge\\Application\\msedge.exe' get Version /value"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic datafile where name='C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe' get Version /value
        5⤵
        
        PID:4188
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /v/c "set PFILES=%LOCALAPPDATA%&& wmic datafile where name='!PFILES:\=\\!\\Microsoft\\Edge\\Application\\msedge.exe' get Version /value"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3684
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic datafile where name='C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Edge\\Application\\msedge.exe' get Version /value
        5⤵
        
        PID:4580
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /v/c "REG QUERY HKCU\Software\Microsoft\Edge\BLBeacon /v version"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:912
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKCU\Software\Microsoft\Edge\BLBeacon /v version
        5⤵
        Modifies registry key
        
        PID:5056
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /v/c "msedgedriver --version"
      4⤵
      PID:2812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:4376
- - C:\Users\Admin\.cache\selenium\msedgedriver\win64\125.0.2535.67\msedgedriver.exe
    C:\Users\Admin\.cache\selenium\msedgedriver\win64\125.0.2535.67\msedgedriver.exe --port=49826
    3⤵
    - Executes dropped EXE
    - Checks system information in the registry
    PID:3576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:744
- - C:\Users\Admin\AppData\Local\Temp\_MEI14522\selenium\webdriver\common\windows\selenium-manager.exe
    C:\Users\Admin\AppData\Local\Temp\_MEI14522\selenium\webdriver\common\windows\selenium-manager.exe --browser MicrosoftEdge --output json
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /v/c "wmic os get osarchitecture"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4728
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic os get osarchitecture
        5⤵
        
        PID:2036
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /v/c "set PFILES=%PROGRAMFILES(X86)%&& wmic datafile where name='!PFILES:\=\\!\\Microsoft\\Edge\\Application\\msedge.exe' get Version /value"
      4⤵
      PID:4016
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic datafile where name='C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe' get Version /value
        5⤵
        
        PID:4656
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /v/c "set PFILES=%PROGRAMFILES: (x86)=%&& wmic datafile where name='!PFILES:\=\\!\\Microsoft\\Edge\\Application\\msedge.exe' get Version /value"
      4⤵
      PID:4292
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic datafile where name='C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe' get Version /value
        5⤵
        
        PID:4080
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /v/c "set PFILES=%LOCALAPPDATA%&& wmic datafile where name='!PFILES:\=\\!\\Microsoft\\Edge\\Application\\msedge.exe' get Version /value"
      4⤵
      PID:1860
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic datafile where name='C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Edge\\Application\\msedge.exe' get Version /value
        5⤵
        
        PID:4540
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /v/c "REG QUERY HKCU\Software\Microsoft\Edge\BLBeacon /v version"
      4⤵
      PID:4816
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKCU\Software\Microsoft\Edge\BLBeacon /v version
        5⤵
        Modifies registry key
        
        PID:376
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /v/c "msedgedriver --version"
      4⤵
      PID:2876
- - C:\Users\Admin\.cache\selenium\msedgedriver\win64\125.0.2535.67\msedgedriver.exe
    C:\Users\Admin\.cache\selenium\msedgedriver\win64\125.0.2535.67\msedgedriver.exe --port=49873
    3⤵
    - Executes dropped EXE
    - Checks system information in the registry
    PID:2472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3656

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1732

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5000
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\3469706837\payload.dat
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2616

C:\Users\Admin\AppData\Local\Temp\AccGenerator.exe
"C:\Users\Admin\AppData\Local\Temp\AccGenerator.exe"
1⤵
PID:912
- C:\Users\Admin\AppData\Local\Temp\AccGenerator.exe
  "C:\Users\Admin\AppData\Local\Temp\AccGenerator.exe"
  2⤵
  - Loads dropped DLL
  PID:4560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4588
- - C:\Users\Admin\AppData\Local\Temp\_MEI9122\selenium\webdriver\common\windows\selenium-manager.exe
    C:\Users\Admin\AppData\Local\Temp\_MEI9122\selenium\webdriver\common\windows\selenium-manager.exe --browser MicrosoftEdge --output json
    3⤵
    - Executes dropped EXE
    PID:4056
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /v/c "wmic os get osarchitecture"
      4⤵
      PID:4992
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic os get osarchitecture
        5⤵
        
        PID:4004
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /v/c "set PFILES=%PROGRAMFILES(X86)%&& wmic datafile where name='!PFILES:\=\\!\\Microsoft\\Edge\\Application\\msedge.exe' get Version /value"
      4⤵
      PID:4064
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic datafile where name='C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe' get Version /value
        5⤵
        
        PID:4380
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /v/c "set PFILES=%PROGRAMFILES: (x86)=%&& wmic datafile where name='!PFILES:\=\\!\\Microsoft\\Edge\\Application\\msedge.exe' get Version /value"
      4⤵
      PID:4028
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic datafile where name='C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe' get Version /value
        5⤵
        
        PID:376
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /v/c "set PFILES=%LOCALAPPDATA%&& wmic datafile where name='!PFILES:\=\\!\\Microsoft\\Edge\\Application\\msedge.exe' get Version /value"
      4⤵
      PID:2672
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic datafile where name='C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Edge\\Application\\msedge.exe' get Version /value
        5⤵
        
        PID:4260
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /v/c "REG QUERY HKCU\Software\Microsoft\Edge\BLBeacon /v version"
      4⤵
      PID:2476
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKCU\Software\Microsoft\Edge\BLBeacon /v version
        5⤵
        Modifies registry key
        
        PID:4780
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /v/c "msedgedriver --version"
      4⤵
      PID:3656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:4228
- - C:\Users\Admin\.cache\selenium\msedgedriver\win64\125.0.2535.67\msedgedriver.exe
    C:\Users\Admin\.cache\selenium\msedgedriver\win64\125.0.2535.67\msedgedriver.exe --port=49973
    3⤵
    - Executes dropped EXE
    - Checks system information in the registry
    PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.cache\selenium\msedgedriver\win64\125.0.2535.67\msedgedriver.exe

Filesize
16.8MB

MD5
7b9a93cfe45355e660e1ae38db3fcaaa

SHA1
f4e9d6a4571afdb4a5b17c048a3dc8731fd68431

SHA256
5896e2e2e7cfc326c94115e84aea27f08aa68fcdb805366788ad0353d67be013

SHA512
55bae39037d414b73e10aa3c2fcbdf1f9bd082842da3df4db114ef2add7edf8e604524930ca4e228e79b1a6458c3e87c9cd4a5328446f806fe78feb9e204e416

Download Submit
C:\Users\Admin\.cache\selenium\selenium-manager.json

Filesize
193B

MD5
96dce7d386bd3b1c44c4dd8487c6a4ca

SHA1
7d8a630aa9fa765dfab9332222a4524fc6c8dce7

SHA256
3a4b02f0efcccd1188c29699912156c3a4cb1377c3359869a7e3506df98aeca7

SHA512
cf689006bed23d3451b0cd1474909f4d24df80da6b09ca19ca4a225eedff5f3f28c36175db2b6028f64761fbdf922f2133fe7faf2b851c3ef6f6fc483fc35e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14522\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14522\_bz2.pyd

Filesize
82KB

MD5
a62207fc33140de460444e191ae19b74

SHA1
9327d3d4f9d56f1846781bcb0a05719dea462d74

SHA256
ebcac51449f323ae3ae961a33843029c34b6a82138ccd9214cf99f98dd2148c2

SHA512
90f9db9ee225958cb3e872b79f2c70cb1fd2248ebaa8f3282afff9250285852156bf668f5cfec49a4591b416ce7ebaaac62d2d887152f5356512f2347e3762b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14522\_socket.pyd

Filesize
77KB

MD5
26dd19a1f5285712068b9e41808e8fa0

SHA1
90c9a112dd34d45256b4f2ed38c1cbbc9f24dba5

SHA256
eaabf6b78840daeaf96b5bdbf06adf0e4e2994dfeee5c5e27fefd824dbda5220

SHA512
173e1eda05d297d7da2193e8566201f05428437adcac80aecefe80f82d46295b15ce10990b5c080325dc59a432a587eef84a15ec688a62b82493ad501a1e4520

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14522\_ssl.pyd

Filesize
157KB

MD5
ab0e4fbffb6977d0196c7d50bc76cf2d

SHA1
680e581c27d67cd1545c810dbb175c2a2a4ef714

SHA256
680ad2de8a6cff927822c1d7dd22112a3e8a824e82a7958ee409a7b9ce45ec70

SHA512
2bff84a8ec7a26dde8d1bb09792ead8636009c8ef3fa68300a75420197cd7b6c8eaaf8db6a5f97442723e5228afa62961f002948e0eeee8c957c6517547dffba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14522\base_library.zip

Filesize
1.7MB

MD5
ebb4f1a115f0692698b5640869f30853

SHA1
9ba77340a6a32af08899e7f3c97841724dd78c3f

SHA256
4ab0deb6a298d14a0f50d55dc6ce5673b6c5320817ec255acf282191642a4576

SHA512
3f6ba7d86c9f292344f4ad196f4ae863bf936578dd7cfac7dc4aaf05c2c78e68d5f813c4ed36048b6678451f1717deeb77493d8557ee6778c6a70beb5294d21a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14522\certifi\cacert.pem

Filesize
272KB

MD5
8d0619bfe30deadf6f21196f0f8d53d3

SHA1
e7abd65a8ccafeff6caf6a2ff98d27d24d87c9ad

SHA256
b301535dca491d9814ea28faa320ac7a19d0f5d94237996fa0a3b5a936432514

SHA512
5a88e4a06b98832aaa9bbb89e382f6c7e9b65c5ecba48de8f4ff1fa58bb06a74b9c2f6b2ec185c2a306cb0b5d68d0b28d74b323432a0b2953d8dfc29fed920d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14522\charset_normalizer\md__mypyc.cp311-win_amd64.pyd

Filesize
113KB

MD5
2d1f2ffd0fecf96a053043daad99a5df

SHA1
b03d5f889e55e802d3802d0f0caa4d29c538406b

SHA256
207bbae9ddf8bdd64e65a8d600fe1dd0465f2afcd6dc6e28d4d55887cd6cbd13

SHA512
4f7d68f241a7f581e143a010c78113154072c63adff5f200ef67eb34d766d14ce872d53183eb2b96b1895aa9c8d4ca82ee5e61e1c5e655ff5be56970be9ebe3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14522\libcrypto-1_1.dll

Filesize
3.3MB

MD5
9d7a0c99256c50afd5b0560ba2548930

SHA1
76bd9f13597a46f5283aa35c30b53c21976d0824

SHA256
9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939

SHA512
cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14522\python311.dll

Filesize
5.5MB

MD5
e2bd5ae53427f193b42d64b8e9bf1943

SHA1
7c317aad8e2b24c08d3b8b3fba16dd537411727f

SHA256
c4844b05e3a936b130adedb854d3c04d49ee54edb43e9d36f8c4ae94ccb78400

SHA512
ae23a6707e539c619fd5c5b4fc6e4734edc91f89ebe024d25ff2a70168da6105ac0bd47cf6bf3715af6411963caf0acbb4632464e1619ca6361abf53adfe7036

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14522\selenium\webdriver\common\windows\selenium-manager.exe

Filesize
3.0MB

MD5
b97e5ecdfd825a3a31183927e23e0199

SHA1
ab3d793868cc689699ce35d27e53cd0b8db76fcf

SHA256
c99709759258ae4a7174e23d395801f1e709f743d12ffe3e00bc638ae59fadfb

SHA512
61a8e401013d3fb04be465bab2eeb943585e11ae7249b5cfd16fcd1fdc12a433151c1e701a202c6b9a5ccbb4254d6b60b91da787e9666028c7190a2d6ced64f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14522\unicodedata.pyd

Filesize
1.1MB

MD5
58f7988b50cba7b793884f580c7083e1

SHA1
d52c06b19861f074e41d8b521938dee8b56c1f2e

SHA256
e36d14cf49ca2af44fae8f278e883341167bc380099dac803276a11e57c9cfa1

SHA512
397fa46b90582f8a8cd7df23b722204c38544717bf546837c45e138b39112f33a1850be790e248fca5b5ecd9ed7c91cd1af1864f72717d9805c486db0505fb9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a62187976d3649939406fbf85cd620df.db

Filesize
24KB

MD5
1d5427d536f7d2b70fafc416cd271656

SHA1
74295a024e24c6d6f6421bd7acef25725110dda6

SHA256
11292596c083469da909b8989584a1086bcd36217b73d77ad5e6c265dcb2a9b0

SHA512
ba7ed46c1e75a2c2ccff1dac07eeef4e27bb42387e2eebe177281415aa4cdd5b07c911f4eab18a46eece18f071e755c84968af2b0bc0ed035b85d5872f31e7a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a62187976d3649939406fbf85cd620df.db.ses

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI14522\_hashlib.pyd

Filesize
63KB

MD5
787b82d4466f393366657b8f1bc5f1a9

SHA1
658639cddda55ac3bfc452db4ec9cf88851e606b

SHA256
241322647ba9f94bdc3ae387413ffb57ae14c8cf88bd564a31fe193c6ca43e37

SHA512
afcf66962958f38eec8b591aa30d380eb0e1b41028836058ff91b4d1472658de9fba3262f5c27ba688bd73da018e938f398e45911cd37584f623073067f575b6

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI14522\_lzma.pyd

Filesize
155KB

MD5
0c7ea68ca88c07ae6b0a725497067891

SHA1
c2b61a3e230b30416bc283d1f3ea25678670eb74

SHA256
f74aaf0aa08cf90eb1eb23a474ccb7cb706b1ede7f911daf7ae68480765bdf11

SHA512
fd52f20496a12e6b20279646663d880b1354cffea10793506fe4560ed7da53e4efba900ae65c9996fbb3179c83844a9674051385e6e3c26fb2622917351846b9

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI14522\_queue.pyd

Filesize
31KB

MD5
06248702a6cd9d2dd20c0b1c6b02174d

SHA1
3f14d8af944fe0d35d17701033ff1501049e856f

SHA256
ac177cd84c12e03e3a68bca30290bc0b8f173eee518ef1fa6a9dce3a3e755a93

SHA512
5b22bbff56a8b48655332ebd77387d307f5c0a526626f3654267a34bc4863d8afaf08ff3946606f3cf00b660530389c37bdfac91843808dbebc7373040fec4c1

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI14522\_uuid.pyd

Filesize
24KB

MD5
aea6a82bfa35b61d86e8b6a5806f31d6

SHA1
7c21b7147b391b7195583ab695717e38fe971e3e

SHA256
27b9545f5a510e71195951485d3c6a8b112917546fe5e8e46579b8ff6ce2acb0

SHA512
133d11535dea4b40afeca37f1a0905854fc4d2031efe802f00dd72e97b1705ca7ffe461acf90a36e2077534fe4df94d9469e99c64dbd3f301e5bca5c327fdc65

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI14522\charset_normalizer\md.cp311-win_amd64.pyd

Filesize
10KB

MD5
fa50d9f8bce6bd13652f5090e7b82c4d

SHA1
ee137da302a43c2f46d4323e98ffd46d92cf4bef

SHA256
fff69928dea1432e0c7cb1225ab96f94fd38d5d852de9a6bb8bf30b7d2bedceb

SHA512
341cec015e74348eab30d86ebb35c028519703006814a2ecd19b9fe5e6fcb05eda6dde0aaf4fe624d254b0d0180ec32adf3b93ee96295f8f0f4c9d4ed27a7c0c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI14522\libssl-1_1.dll

Filesize
688KB

MD5
bec0f86f9da765e2a02c9237259a7898

SHA1
3caa604c3fff88e71f489977e4293a488fb5671c

SHA256
d74ce01319ae6f54483a19375524aa39d9f5fd91f06cf7df238ca25e043130fd

SHA512
ffbc4e5ffdb49704e7aa6d74533e5af76bbe5db297713d8e59bd296143fe5f145fbb616b343eed3c48eceaccccc2431630470d8975a4a17c37eafcc12edd19f4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI14522\select.pyd

Filesize
29KB

MD5
756c95d4d9b7820b00a3099faf3f4f51

SHA1
893954a45c75fb45fe8048a804990ca33f7c072d

SHA256
13e4d9a734a453a3613e11b6a518430099ad7e3d874ea407d1f9625b7f60268a

SHA512
0f54f0262cf8d71f00bf5666eb15541c6ecc5246cd298efd3b7dd39cdd29553a8242d204c42cfb28c537c3d61580153200373c34a94769f102b3baa288f6c398

Download Submit