fd8ff9de932932bf7264ba598c7ae899b9cea81f998e3eb5e9d9f18dc2b428b2

Resubmissions

29/05/2024, 02:24

240529-cv1dbaeg8y 10

29/05/2024, 02:23

29/05/2024, 02:22

29/05/2024, 02:18

29/05/2024, 02:15

29/05/2024, 02:14

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd8ff9de932932bf7264ba598c7ae899b9cea81f998e3eb5e9d9f18dc2b428b2.elf
Size

98KB
MD5

102e77b70024942c692b36b962e9803b
SHA1

8b2f2c397432ac5799a56e16e14d19f8dd428aad
SHA256

fd8ff9de932932bf7264ba598c7ae899b9cea81f998e3eb5e9d9f18dc2b428b2
SHA512

a232c523c59d020fec10303aa98b3ee04bac5bb49084fb8f0f6d5e226a62f5366742d00f58f8b905a20b9705cdd00bdf299e14004af400316ce8fc5be4a645f4
SSDEEP

3072:RucT7B75gVPUbcj6/k6Sdz3DqzUNa0jLmCP:Ruc3d5ujCSp3Oaa0jv

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000005b1010511f65dd1c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800005b1010510000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809005b101051000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d5b101051000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005b10105100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3558294865-3673844354-2255444939-1000\{DDFDA4D3-A098-4ACB-9411-AE28E3DD97A6}	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1120	msedge.exe
1120	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	4092	vssvc.exe
Token: SeRestorePrivilege	4092	vssvc.exe
Token: SeAuditPrivilege	4092	vssvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4120	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 4088	1312	msedge.exe	111
PID 1312 wrote to memory of 4088	1312	msedge.exe	111
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 4016	1312	msedge.exe	112
PID 1312 wrote to memory of 1120	1312	msedge.exe	113
PID 1312 wrote to memory of 1120	1312	msedge.exe	113
PID 1312 wrote to memory of 336	1312	msedge.exe	114
PID 1312 wrote to memory of 336	1312	msedge.exe	114
PID 1312 wrote to memory of 336	1312	msedge.exe	114
PID 1312 wrote to memory of 336	1312	msedge.exe	114
PID 1312 wrote to memory of 336	1312	msedge.exe	114
PID 1312 wrote to memory of 336	1312	msedge.exe	114
PID 1312 wrote to memory of 336	1312	msedge.exe	114
PID 1312 wrote to memory of 336	1312	msedge.exe	114
PID 1312 wrote to memory of 336	1312	msedge.exe	114
PID 1312 wrote to memory of 336	1312	msedge.exe	114
PID 1312 wrote to memory of 336	1312	msedge.exe	114
PID 1312 wrote to memory of 336	1312	msedge.exe	114
PID 1312 wrote to memory of 336	1312	msedge.exe	114
PID 1312 wrote to memory of 336	1312	msedge.exe	114
PID 1312 wrote to memory of 336	1312	msedge.exe	114
PID 1312 wrote to memory of 336	1312	msedge.exe	114
PID 1312 wrote to memory of 336	1312	msedge.exe	114
PID 1312 wrote to memory of 336	1312	msedge.exe	114
PID 1312 wrote to memory of 336	1312	msedge.exe	114
PID 1312 wrote to memory of 336	1312	msedge.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\fd8ff9de932932bf7264ba598c7ae899b9cea81f998e3eb5e9d9f18dc2b428b2.elf
1⤵
- Modifies registry class
PID:1480

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault85933da8h314fh4ff0h8ee7h77fb878f1b2a
1⤵
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffafade46f8,0x7ffafade4708,0x7ffafade4718
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,7961206079300348469,15603699707487480072,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:4016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,7961206079300348469,15603699707487480072,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,7961206079300348469,15603699707487480072,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
  2⤵
  PID:336

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4932

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:4932

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1244

C:\Windows\system32\wuauclt.exe
"C:\Windows\system32\wuauclt.exe" /UpdateDeploymentProvider UpdateDeploymentProvider.dll /ClassId ecfa8c59-f71c-45e6-a965-1c3b93046516 /RunHandlerComServer
1⤵
PID:4868

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
87f7abeb82600e1e640b843ad50fe0a1

SHA1
045bbada3f23fc59941bf7d0210fb160cb78ae87

SHA256
b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262

SHA512
ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e5aa722406d8d900181bafa7cbb744c9

SHA1
20090c20ef29ec302df05b44d3d36f58440fde52

SHA256
f36e276da7161bc778e84d35508559e856c842e9d379585813d3a7844fb5ffa9

SHA512
187fda26aa9f91ecffa76da26f232c4c777dec2333f62b6547f684d7bb3c5c0273019aaad6e84658ef5674988e0cf67a56e3eece69bd6327c182f191ee75bc9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
03d94fa8a705999804a84a530373696f

SHA1
01aa4682759ad3bd07f51d1ac8355c002c67365d

SHA256
8a652c2f3f9ade0ea1e0d46095aeee445ae1853787e73258e0844339cad00281

SHA512
27fb656f53f03ae9d430fca98614373d1b34028f7d2e7ca9f95ad78f31f0f5d93415ae3df7e75577d9e1202613e95668018f29092ac3ce9f111cd458cf13806c

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit