Resubmissions
Submitted           Analysis ID         Score
29-05-2024 02:24    240529-cv1dbaeg8y   10
29-05-2024 02:23    240529-ct89tsff35   10
29-05-2024 02:22    240529-ctvrfaeg5s   10
29-05-2024 02:18    240529-crpseaef6s   10
29-05-2024 02:15    240529-cpnsbsfd57   10
29-05-2024 02:14    240529-cpgn1see6y   10

Analysis
Max time kernel: 142s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 29-05-2024 02:18
Behavioral task: behavioral1
Sample: fd8ff9de932932bf7264ba598c7ae899b9cea81f998e3eb5e9d9f18dc2b428b2.elf
Resource: win10v2004-20240508-en

General
Target: fd8ff9de932932bf7264ba598c7ae899b9cea81f998e3eb5e9d9f18dc2b428b2.elf
Size: 98KB
MD5: 102e77b70024942c692b36b962e9803b
SHA1: 8b2f2c397432ac5799a56e16e14d19f8dd428aad
SHA256: fd8ff9de932932bf7264ba598c7ae899b9cea81f998e3eb5e9d9f18dc2b428b2
SHA512: a232c523c59d020fec10303aa98b3ee04bac5bb49084fb8f0f6d5e226a62f5366742d00f58f8b905a20b9705cdd00bdf299e14004af400316ce8fc5be4a645f4
SSDEEP: 3072:RucT7B75gVPUbcj6/k6Sdz3DqzUNa0jLmCP:Ruc3d5ujCSp3Oaa0jv
Malware Config

Signatures

Downloads MZ/PE file

Drops desktop.ini file(s)  (1 IoCs)
Processes: svchost.exe
  description                   ioc                                          process
  File opened for modification  C:\Users\Admin\Videos\Captures\desktop.ini   svchost.exe

Enumerates physical storage devices  (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s)  (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: vssvc.exe
  description       ioc                                                                                                                                                      process
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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  vssvc.exe
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe
  Key opened        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters  vssvc.exe
  Key queried       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters  vssvc.exe
  Key created       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr  vssvc.exe

Checks processor information in registry  (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: svchost.exe
  description        ioc                                                                              process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                  svchost.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  svchost.exe

Modifies registry class  (3 IoCs)
Processes: cmd.exe, OpenWith.exe, svchost.exe
  description  ioc                                                                                process
  Key created  \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings  cmd.exe
  Key created  \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings  OpenWith.exe
  Key created  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3558294865-3673844354-2255444939-1000\{DDFDA4D3-A098-4ACB-9411-AE28E3DD97A6}  svchost.exe

Suspicious behavior: EnumeratesProcesses  (2 IoCs)
Processes: msedge.exe
  pid   process
  1120  msedge.exe
  1120  msedge.exe

Suspicious use of AdjustPrivilegeToken  (3 IoCs)
Processes: vssvc.exe
  description                pid   process
  Token: SeBackupPrivilege   4092  vssvc.exe
  Token: SeRestorePrivilege  4092  vssvc.exe
  Token: SeAuditPrivilege    4092  vssvc.exe

Suspicious use of SetWindowsHookEx  (1 IoCs)
Processes: OpenWith.exe
  pid   process
  4120  OpenWith.exe

Suspicious use of WriteProcessMemory  (64 IoCs)
Processes: msedge.exe
  description      pid   process     target process
  PID 1312 wrote to memory of 4088  1312  msedge.exe  msedge.exe   (repeated write events)
  PID 1312 wrote to memory of 4016  1312  msedge.exe  msedge.exe   (repeated write events)
  PID 1312 wrote to memory of 1120  1312  msedge.exe  msedge.exe   (repeated write events)
  PID 1312 wrote to memory of 336   1312  msedge.exe  msedge.exe   (repeated write events)
  (The report lists each of the 64 write events individually; all originate from msedge.exe PID 1312 and target its own child msedge.exe processes 4088, 4016, 1120 and 336.)

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\fd8ff9de932932bf7264ba598c7ae899b9cea81f998e3eb5e9d9f18dc2b428b2.elf
  Signatures: Modifies registry class
  PID: 1480

C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  Signatures: Modifies registry class; Suspicious use of SetWindowsHookEx
  PID: 4120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault85933da8h314fh4ff0h8ee7h77fb878f1b2a
  Signatures: Suspicious use of WriteProcessMemory
  PID: 1312
  Child processes:

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffafade46f8,0x7ffafade4708,0x7ffafade4718
      PID: 4088

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,7961206079300348469,15603699707487480072,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
      PID: 4016

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,7961206079300348469,15603699707487480072,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
      Signatures: Suspicious behavior: EnumeratesProcesses
      PID: 1120

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,7961206079300348469,15603699707487480072,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
      PID: 336

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4932

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3128

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
  Signatures: Drops desktop.ini file(s); Checks processor information in registry; Modifies registry class
  PID: 4932

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1244

C:\Windows\system32\wuauclt.exe
  Command line: "C:\Windows\system32\wuauclt.exe" /UpdateDeploymentProvider UpdateDeploymentProvider.dll /ClassId ecfa8c59-f71c-45e6-a965-1c3b93046516 /RunHandlerComServer
  PID: 4868

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken
  PID: 4092
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 87f7abeb82600e1e640b843ad50fe0a1
  SHA1: 045bbada3f23fc59941bf7d0210fb160cb78ae87
  SHA256: b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262
  SHA512: ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: e5aa722406d8d900181bafa7cbb744c9
  SHA1: 20090c20ef29ec302df05b44d3d36f58440fde52
  SHA256: f36e276da7161bc778e84d35508559e856c842e9d379585813d3a7844fb5ffa9
  SHA512: 187fda26aa9f91ecffa76da26f232c4c777dec2333f62b6547f684d7bb3c5c0273019aaad6e84658ef5674988e0cf67a56e3eece69bd6327c182f191ee75bc9a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 8KB
  MD5: 03d94fa8a705999804a84a530373696f
  SHA1: 01aa4682759ad3bd07f51d1ac8355c002c67365d
  SHA256: 8a652c2f3f9ade0ea1e0d46095aeee445ae1853787e73258e0844339cad00281
  SHA512: 27fb656f53f03ae9d430fca98614373d1b34028f7d2e7ca9f95ad78f31f0f5d93415ae3df7e75577d9e1202613e95668018f29092ac3ce9f111cd458cf13806c

C:\Users\Admin\Videos\Captures\desktop.ini
  Filesize: 190B
  MD5: b0d27eaec71f1cd73b015f5ceeb15f9d
  SHA1: 62264f8b5c2f5034a1e4143df6e8c787165fbc2f
  SHA256: 86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2
  SHA512: 7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

\??\pipe\LOCAL\crashpad_1312_DQVGVWMJAOQIEDVM
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e