Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
145s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
10/06/2024, 10:46
Static task
static1
Behavioral task
behavioral1
Sample
VirusShare_2159f467a156a355c527f8816dc99375.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
VirusShare_2159f467a156a355c527f8816dc99375.exe
Resource
win10v2004-20240426-en
General
-
Target
VirusShare_2159f467a156a355c527f8816dc99375.exe
-
Size
350KB
-
MD5
2159f467a156a355c527f8816dc99375
-
SHA1
41dd19f62208901d4dd454d084382dc408fc0bf1
-
SHA256
2de0e8bfc87c75268fc4dd06971cfa4eaa6ef0703a92b07e8a3d1d78473e2758
-
SHA512
14eb7a5bae2f09b7a11682689677d4ad61b83a81c0bb64d880d97cd858147ad5362038b3ccf67a7e3958aa06105e71f81b6cab01b01f5edf527efeabaf468874
-
SSDEEP
6144:zqjAgHiAy4sYQwxmE8r3M9NQbkN4PYITd/FP1i2/ph80vVy98G2fms7L:zXopy41mEaM9+b3PFNFlhTy98G2eqL
Malware Config
Extracted
C:\Program Files\Common Files\DESIGNER\-!RecOveR!-wxdkm++.Txt
http://k47d3.proporr.com/225A1510AD1888A7
http://wor4d.slewirk.at/225A1510AD1888A7
http://kbv5s.kylepasse.at/225A1510AD1888A7
http://yyhn7fpvq44cqcu3.onion/225A1510AD1888A7
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation VirusShare_2159f467a156a355c527f8816dc99375.exe Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation cxdrenwgpnxp.exe -
Drops startup file 6 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\-!RecOveR!-wxdkm++.Png cxdrenwgpnxp.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\-!RecOveR!-wxdkm++.Txt cxdrenwgpnxp.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\-!RecOveR!-wxdkm++.Htm cxdrenwgpnxp.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\-!RecOveR!-wxdkm++.Png cxdrenwgpnxp.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\-!RecOveR!-wxdkm++.Txt cxdrenwgpnxp.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\-!RecOveR!-wxdkm++.Htm cxdrenwgpnxp.exe -
Executes dropped EXE 1 IoCs
pid Process 1152 cxdrenwgpnxp.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hostslertrikcro = "C:\\Windows\\SYSTEM32\\CMD.EXE /C START \"\" \"C:\\Users\\Admin\\Documents\\cxdrenwgpnxp.exe\"" cxdrenwgpnxp.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Dark.scale-200.png cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.Resource\-!RecOveR!-wxdkm++.Txt cxdrenwgpnxp.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\ODBC\-!RecOveR!-wxdkm++.Htm cxdrenwgpnxp.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\-!RecOveR!-wxdkm++.Htm cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\es-ES\-!RecOveR!-wxdkm++.Txt cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSplashLogo.scale-300.png cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\-!RecOveR!-wxdkm++.Htm cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-125.png cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Exchange.scale-200.png cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\-!RecOveR!-wxdkm++.Png cxdrenwgpnxp.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\my\-!RecOveR!-wxdkm++.Png cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\40.jpg cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\WinMetadata\-!RecOveR!-wxdkm++.Htm cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\Office365LogoWLockup.scale-180.png cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\-!RecOveR!-wxdkm++.Txt cxdrenwgpnxp.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\-!RecOveR!-wxdkm++.Txt cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_TileSmallSquare.scale-100.png cxdrenwgpnxp.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\-!RecOveR!-wxdkm++.Png cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\CortanaApp.ViewElements\Assets\-!RecOveR!-wxdkm++.Htm cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\-!RecOveR!-wxdkm++.Txt cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraLargeTile.contrast-white_scale-100.png cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-32_contrast-white.png cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\ContactPhoto.scale-140.png cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxAccountsSplashLogo.scale-100.png cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppPackageSplashScreen.scale-125.png cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\155.png cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\uk-UA\View3d\-!RecOveR!-wxdkm++.Htm cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\-!RecOveR!-wxdkm++.Txt cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\-!RecOveR!-wxdkm++.Txt cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailWideTile.scale-125.png cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-32_altform-unplated_contrast-black.png cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppUpdate.svg cxdrenwgpnxp.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\-!RecOveR!-wxdkm++.Htm cxdrenwgpnxp.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\Document Parts\-!RecOveR!-wxdkm++.Txt cxdrenwgpnxp.exe File opened for modification C:\Program Files\Windows Media Player\de-DE\-!RecOveR!-wxdkm++.Htm cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.scale-100.png cxdrenwgpnxp.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\-!RecOveR!-wxdkm++.Htm cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalStoreLogo.scale-100_contrast-white.png cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_altform-unplated_contrast-black.png cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_2019.1111.2029.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\-!RecOveR!-wxdkm++.Png cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\-!RecOveR!-wxdkm++.Png cxdrenwgpnxp.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\main.css cxdrenwgpnxp.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\sd\-!RecOveR!-wxdkm++.Txt cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\Icon_Xbox_PhotosSplashWideTile.scale-200.png cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-20_altform-lightunplated.png cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeAppList.scale-100_contrast-white.png cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\-!RecOveR!-wxdkm++.Png cxdrenwgpnxp.exe File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\-!RecOveR!-wxdkm++.Htm cxdrenwgpnxp.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\-!RecOveR!-wxdkm++.Txt cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\-!RecOveR!-wxdkm++.Txt cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\kn-IN\View3d\-!RecOveR!-wxdkm++.Png cxdrenwgpnxp.exe File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\bg.pak cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-16_altform-fullcolor.png cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Light.scale-300.png cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Light\-!RecOveR!-wxdkm++.Htm cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_PigEar.png cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\pstn\-!RecOveR!-wxdkm++.Htm cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupMedTile.scale-200.png cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Outlook.scale-250.png cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\-!RecOveR!-wxdkm++.Png cxdrenwgpnxp.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\assembly\-!RecOveR!-wxdkm++.Png cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.scale-400.png cxdrenwgpnxp.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailSmallTile.scale-200.png cxdrenwgpnxp.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelFluent.White.png cxdrenwgpnxp.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 3828 vssadmin.exe 284 vssadmin.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings cxdrenwgpnxp.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe 1152 cxdrenwgpnxp.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid Process 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 1152 cxdrenwgpnxp.exe Token: SeBackupPrivilege 4876 vssvc.exe Token: SeRestorePrivilege 4876 vssvc.exe Token: SeAuditPrivilege 4876 vssvc.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe 3432 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1036 wrote to memory of 1152 1036 VirusShare_2159f467a156a355c527f8816dc99375.exe 80 PID 1036 wrote to memory of 1152 1036 VirusShare_2159f467a156a355c527f8816dc99375.exe 80 PID 1036 wrote to memory of 1152 1036 VirusShare_2159f467a156a355c527f8816dc99375.exe 80 PID 1036 wrote to memory of 3432 1036 VirusShare_2159f467a156a355c527f8816dc99375.exe 83 PID 1036 wrote to memory of 3432 1036 VirusShare_2159f467a156a355c527f8816dc99375.exe 83 PID 1036 wrote to memory of 3432 1036 VirusShare_2159f467a156a355c527f8816dc99375.exe 83 PID 1152 wrote to memory of 3828 1152 cxdrenwgpnxp.exe 87 PID 1152 wrote to memory of 3828 1152 cxdrenwgpnxp.exe 87 PID 1152 wrote to memory of 1984 1152 cxdrenwgpnxp.exe 96 PID 1152 wrote to memory of 1984 1152 cxdrenwgpnxp.exe 96 PID 1152 wrote to memory of 1984 1152 cxdrenwgpnxp.exe 96 PID 1152 wrote to memory of 3432 1152 cxdrenwgpnxp.exe 97 PID 1152 wrote to memory of 3432 1152 cxdrenwgpnxp.exe 97 PID 3432 wrote to memory of 5860 3432 msedge.exe 98 PID 3432 wrote to memory of 5860 3432 msedge.exe 98 PID 1152 wrote to memory of 284 1152 cxdrenwgpnxp.exe 99 PID 1152 wrote to memory of 284 1152 cxdrenwgpnxp.exe 99 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 1708 3432 msedge.exe 101 PID 3432 wrote to memory of 2412 3432 msedge.exe 102 PID 3432 wrote to memory of 2412 3432 msedge.exe 102 PID 3432 wrote to memory of 1916 3432 msedge.exe 103 PID 3432 wrote to memory of 1916 3432 msedge.exe 103 PID 3432 wrote to memory of 1916 3432 msedge.exe 103 PID 3432 wrote to memory of 1916 3432 msedge.exe 103 PID 3432 wrote to memory of 1916 3432 msedge.exe 103 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cxdrenwgpnxp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" cxdrenwgpnxp.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\VirusShare_2159f467a156a355c527f8816dc99375.exe"C:\Users\Admin\AppData\Local\Temp\VirusShare_2159f467a156a355c527f8816dc99375.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Users\Admin\Documents\cxdrenwgpnxp.exeC:\Users\Admin\Documents\cxdrenwgpnxp.exe2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1152 -
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
PID:3828
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\-!RecOveR!-wxdkm++.Txt3⤵PID:1984
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\-!RecOveR!-wxdkm++.Htm3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3432 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff32fc46f8,0x7fff32fc4708,0x7fff32fc47184⤵PID:5860
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,12151596414465685009,1729401409948047325,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:24⤵PID:1708
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,12151596414465685009,1729401409948047325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:34⤵PID:2412
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,12151596414465685009,1729401409948047325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:84⤵PID:1916
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12151596414465685009,1729401409948047325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:14⤵PID:5824
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12151596414465685009,1729401409948047325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:14⤵PID:5404
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,12151596414465685009,1729401409948047325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:84⤵PID:2372
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,12151596414465685009,1729401409948047325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:84⤵PID:1544
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12151596414465685009,1729401409948047325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:14⤵PID:3356
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12151596414465685009,1729401409948047325,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:14⤵PID:5096
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12151596414465685009,1729401409948047325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:14⤵PID:5508
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12151596414465685009,1729401409948047325,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:14⤵PID:3272
-
-
-
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
PID:284
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\DOCUME~1\CXDREN~1.EXE >> NUL3⤵PID:2480
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE >> NUL2⤵PID:3432
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4876
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5040
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4304
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5ff88c6a0513814d7a9d7bb909438b246
SHA1a7603d3b4b43a575a7fef2a8f9cd96f76dcd561e
SHA2565cb8a994fa48d86e46a6e13e1c7aadbbd2bae56fe7fe35523445704fb340aee4
SHA51253b385b4a00b137cac321e2efee9650b77892500e4f93785fc40e808b8116992836d6e0cf65fe4e1913ae6c430a8e5b1d86359cb902c7836924981758c89490d
-
Filesize
74KB
MD5a43c9793c4778595c047ce18c80c2de6
SHA174bf7a67cb130cbc7b3491739d197677e168e079
SHA256b703ea034092705a15a75c4edc485e158a48c51b8a75211964d810559f8a3958
SHA512c3e342b60c8b2986627bebf8a25e9039bab894d86f680698873d730bfc8aba8efd80b3cf7c339a00cc28a9c5d73306e354c8b422e29242ae4a62f7ce3b2a0f71
-
Filesize
2KB
MD504a78abcb4fdd54866fd45f84935017c
SHA1dbc7af0b84a790ede24dd50389eca89a446b1b2a
SHA256fabd82176bde890111e3ac8f0ba2df034d39b8f4e6942a2f1411ebb4bd988dc7
SHA5122e25cf6ed0b18b5243c14dee1d58ea261b9ddcadf86726ed605977c86f3937d1aaaf834b25a6175f7600fc1df47e3034f23de67a3683c60daf4fdd09f6133402
-
Filesize
152B
MD5f53207a5ca2ef5c7e976cbb3cb26d870
SHA149a8cc44f53da77bb3dfb36fc7676ed54675db43
SHA25619ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23
SHA512be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499
-
Filesize
152B
MD5ae54e9db2e89f2c54da8cc0bfcbd26bd
SHA1a88af6c673609ecbc51a1a60dfbc8577830d2b5d
SHA2565009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af
SHA512e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998
-
Filesize
5KB
MD57415ceb2db0c47350c7766b93732d6f1
SHA172cf10767fb039818f217c1a1ee001503d24dce7
SHA256be55b3f9777ed447d5afe0fb11209d50ed73f6a8fc63f5d9fd76a0d6addb885d
SHA51270db07bd573bf6a8b4852432e7034b31fee08f0bde29cd5149f42ca180db92789462473f98bb3f11a24a2d1c4f4e8c8a6f0604aeb351509025b2fc2a7ae8fa5e
-
Filesize
6KB
MD564c013804413687992cc392c4995e2fe
SHA1cc85b958ffe733656dede61de3c737a8a19b5db3
SHA2560d81675d672d468c5cd9b8ecf756a67a5fc5ee77ea9aec8c93dbc2a22f8d8dc8
SHA512c530742abdb35b2bc739de4fb89ce8e19bdd1a83a3abd7946ac171cdfedfc8895943092b463f95a7ed607f200dd02b2f81b27f993ac8b6dcc18e38e9d13f72f0
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5fbcada45d57256a37e7811afa8598694
SHA1ee15b17182c377023f8c4276c8b2df6f1f7ee7f9
SHA2562472620c5392d0c538bd0f06a3199a9affee2c40f10c4a41f83d2904bc01c47a
SHA5123cec60353d6b51843d0e65aed8e0747a0ec2588e852d84389297b95d62604630537799123d41bd32660051651e8e1a546fa5f8f7b58189f5f1dbe16cf59b09dd
-
Filesize
350KB
MD52159f467a156a355c527f8816dc99375
SHA141dd19f62208901d4dd454d084382dc408fc0bf1
SHA2562de0e8bfc87c75268fc4dd06971cfa4eaa6ef0703a92b07e8a3d1d78473e2758
SHA51214eb7a5bae2f09b7a11682689677d4ad61b83a81c0bb64d880d97cd858147ad5362038b3ccf67a7e3958aa06105e71f81b6cab01b01f5edf527efeabaf468874