hxxps://github[.]com/luxusergrabber/Mercurial_grabber

Analysis

max time kernel
258s
max time network
247s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
10/06/2024, 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/luxusergrabber/Mercurial_grabber

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-3001105534-2705918504-2956618779-1000_StartupInfo3.xml	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.dat	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.jfm	svchost.exe
File created	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{d6a20725-923a-4d7f-a888-c54d3a22f3df}\snapshot.etl	svchost.exe
File opened for modification	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{d6a20725-923a-4d7f-a888-c54d3a22f3df}\snapshot.etl	svchost.exe
File opened for modification	C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin	svchost.exe
File opened for modification	C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3001105534-2705918504-2956618779-1000_UserData.bin	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.chk	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.log	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	svchost.exe
File created	C:\Windows\system32\NDF\{7CAC81D5-7DDF-4D15-AE00-446C6EB915D7}-temp-06102024-2002.etl	svchost.exe
File opened for modification	C:\Windows\system32\NDF\{7CAC81D5-7DDF-4D15-AE00-446C6EB915D7}-temp-06102024-2002.etl	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3852	ipconfig.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\RAS AutoDial\Default	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\RAS AutoDial	svchost.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4620	msedge.exe
4620	msedge.exe
2324	msedge.exe
2324	msedge.exe
4160	identity_helper.exe
4160	identity_helper.exe
4900	msedge.exe
4900	msedge.exe
5792	sdiagnhost.exe
5792	sdiagnhost.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5792	sdiagnhost.exe
Token: SeShutdownPrivilege	2468	svchost.exe
Token: SeCreatePagefilePrivilege	2468	svchost.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
3192	msdt.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 1360	2324	msedge.exe	80
PID 2324 wrote to memory of 1360	2324	msedge.exe	80
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 1228	2324	msedge.exe	81
PID 2324 wrote to memory of 4620	2324	msedge.exe	82
PID 2324 wrote to memory of 4620	2324	msedge.exe	82
PID 2324 wrote to memory of 3284	2324	msedge.exe	83
PID 2324 wrote to memory of 3284	2324	msedge.exe	83
PID 2324 wrote to memory of 3284	2324	msedge.exe	83
PID 2324 wrote to memory of 3284	2324	msedge.exe	83
PID 2324 wrote to memory of 3284	2324	msedge.exe	83
PID 2324 wrote to memory of 3284	2324	msedge.exe	83
PID 2324 wrote to memory of 3284	2324	msedge.exe	83
PID 2324 wrote to memory of 3284	2324	msedge.exe	83
PID 2324 wrote to memory of 3284	2324	msedge.exe	83
PID 2324 wrote to memory of 3284	2324	msedge.exe	83
PID 2324 wrote to memory of 3284	2324	msedge.exe	83
PID 2324 wrote to memory of 3284	2324	msedge.exe	83
PID 2324 wrote to memory of 3284	2324	msedge.exe	83
PID 2324 wrote to memory of 3284	2324	msedge.exe	83
PID 2324 wrote to memory of 3284	2324	msedge.exe	83
PID 2324 wrote to memory of 3284	2324	msedge.exe	83
PID 2324 wrote to memory of 3284	2324	msedge.exe	83
PID 2324 wrote to memory of 3284	2324	msedge.exe	83
PID 2324 wrote to memory of 3284	2324	msedge.exe	83
PID 2324 wrote to memory of 3284	2324	msedge.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/luxusergrabber/Mercurial_grabber
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc23583cb8,0x7ffc23583cc8,0x7ffc23583cd8
  2⤵
  PID:1360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,9919831227649815172,5481512323917307993,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:1228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,9919831227649815172,5481512323917307993,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,9919831227649815172,5481512323917307993,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2452 /prefetch:8
  2⤵
  PID:3284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9919831227649815172,5481512323917307993,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:3236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9919831227649815172,5481512323917307993,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9919831227649815172,5481512323917307993,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,9919831227649815172,5481512323917307993,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9919831227649815172,5481512323917307993,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,9919831227649815172,5481512323917307993,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4420 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9919831227649815172,5481512323917307993,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9919831227649815172,5481512323917307993,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9919831227649815172,5481512323917307993,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:3184
- C:\Windows\system32\msdt.exe
  -modal "197138" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDFFB19.tmp" -ep "NetworkDiagnosticsWeb"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:3192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9919831227649815172,5481512323917307993,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1372 /prefetch:1
  2⤵
  PID:6032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9919831227649815172,5481512323917307993,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9919831227649815172,5481512323917307993,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9919831227649815172,5481512323917307993,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4408 /prefetch:1
  2⤵
  PID:5676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,9919831227649815172,5481512323917307993,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1732 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9919831227649815172,5481512323917307993,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:4564

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2304

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4636

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5792
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  PID:5956
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  PID:1044
- C:\Windows\system32\ipconfig.exe
  "C:\Windows\system32\ipconfig.exe" /all
  2⤵
  - Gathers network information
  PID:3852
- C:\Windows\system32\ROUTE.EXE
  "C:\Windows\system32\ROUTE.EXE" print
  2⤵
  PID:2756
- C:\Windows\system32\makecab.exe
  "C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf
  2⤵
  PID:2504

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
1⤵
PID:3836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2608
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\winethc.dll",ForceProxyDetectionOnNextRun
  2⤵
  PID:5356

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
390187670cb1e0eb022f4f7735263e82

SHA1
ea1401ccf6bf54e688a0dc9e6946eae7353b26f1

SHA256
3e6c56356d6509a3fd4b2403555be55e251f4a962379b29735c1203e57230947

SHA512
602f64d74096d4fb7a23b23374603246d42b17cc854835e3b2f4d464997b73f289a3b40eb690e3ee707829d4ff886865e982f72155d96be6bc00166f44878062

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8294f1821fd3419c0a42b389d19ecfc6

SHA1
cd4982751377c2904a1d3c58e801fa013ea27533

SHA256
92a96c9309023c8b9e1396ff41f7d9d3ff8a3687972e76b9ebd70b04e3bf223a

SHA512
372d369f7ad1b0e07200d3aa6b2cfce5beafa7a97f63932d4c9b3b01a0e8b7eb39881867f87ded55a9973abea973b2d2c9b6fc4892f81cec644702b9edb1566d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2cddd6ef5adf655b80184d268cf23b9a

SHA1
65210d388863f93956a0c751d4a4b8a44c735271

SHA256
06ea83b627c4c7ca6feafa99c017f610ac4f4d54169b2d8dfaf7bcc7ce804c54

SHA512
5db24112cc0e06b6f1c0265b863503a0395c3f1693f14a63ace3b17e3764f09d324d60a0264cda84445e61f36df32f6ad1baa975fb40dcd862548233827af364

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
85c994553d04363d4609ce80c8ebbf5d

SHA1
128d3ebafc38e8a74c4da78c2e674e6fdb50bd4f

SHA256
71155e3268fe33950159b02aabff8f523610157147ceee21c1fbe0c53ca48a44

SHA512
9a47f966b710a41c4a599c303230a0f2f49b436b228d335973e3fb6cdb9b7ee9438882d92536edf6b26aabb9031776b9c0eb8399ea78e61f6215c0a0227531ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6b3692fb25d5858b3019c0239a8b4bae

SHA1
a76850336f3e15af615b6e7de3fcad446a2ec4cd

SHA256
247f6e6fb6e8a5839626b5d37389a6b056ebc2b3c74dd594938f7a2a4e919893

SHA512
7ea2d4673f97ed2f90f6745fbe038d2bb1c879191a96d410c2489907090d6b89e14860836a25ecef52d9cd890fd126a36383d5c199aee3db0d1e11336c43cf2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
b2e9f7024ccc9ee93feb08f3532a66d9

SHA1
872435123121476ada180ade2a68b55208d2a36b

SHA256
2d41b4ebb5c0ff281773c3c40d7bb8bf8e4df73cd1cf410a40c6655aca7bdf3d

SHA512
39f364d250b1135652d5aae5df0fd68c28e1f99462d1a86873fe0354821d4f31b92aa7b375039235dc2f9b73d36517381fe23e304a0b16cd17bf62deb16afaa5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
a7ee34b8de045bb5d72ea8d0c2bc5e1f

SHA1
5033645b076cab0708e10170939bf1c59782b7b0

SHA256
d0405dbe2de2ffc54721bc7ace38fcba6f4c966b97fa91bd2aa9598e36d094eb

SHA512
cc3e5f8ea9b2bea32ac7b9e7a1865083528c29251f077c55f360e5fa2c32c62a08161732b89e07d61963ee9d30ffcb1bf04040b161eb900c474631126ed4ba3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
ff56a7d65ea42041d5d299fc9a62dad2

SHA1
1cad6559984b1180f524b821c9f2823a3fea80b4

SHA256
1ddd86eee1718eaeea3f921425c9a6a113d658edb8c578415d186448c8ab1ed8

SHA512
29d1baf77b5f3f50eb12cd5e23d734ff09825ea1ba9bd4315b732967fff2a6d999f29fba951f7e65353102b6b04ce83b8928ac02f849ac0f5dd10e7483616579

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDFFB19.tmp

Filesize
3KB

MD5
6ff85fa3620c93d1f09d0ebd7988a388

SHA1
1b177af264d3e8509ff0ca9d743037aacdabe465

SHA256
45d558e920ad621af239561b7e1a203616dd2b07b05d4472ebbc6521b3b54a6c

SHA512
f3f6e3d4c7cc8361226556e6c2b19c219d19951eb2fe44b019ee78c924f072e843ad2cb65612d5c5b6a08fb8e77b9eeeeadc002022209aa4d6b9f8b159c3b813

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dhxjli2q.tyv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC4B2.tmp\NetworkConfiguration.cab

Filesize
1KB

MD5
c78fdb8c48c012f1e9070b720f4abda8

SHA1
cc3bcb411bbd37c54b4eb4d7780f9bd76d7dae5a

SHA256
c5a916b3b7ea0bc4688ecb5a4a5555e2f7988cea224a6f2eb516ac2e3a5f437c

SHA512
c5ed669e4950c3ff3ea9d027f62f0aef1c40a176611f0a32dec0ae4a8c346bd91cf3e6d85dddd26e64a53454620c3031fe4b461beeb8cc1d790c330c84eae82a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC4B2.tmp\NetworkConfiguration.ddf

Filesize
231B

MD5
00848049d4218c485d9e9d7a54aa3b5f

SHA1
d1d5f388221417985c365e8acaec127b971c40d0

SHA256
ffeafbb8e7163fd7ec9abc029076796c73cd7b4eddaeeda9ba394c547419769e

SHA512
3a4874a5289682e2b32108740feea586cb9ccdad9ca08bf30f67c9742370c081ad943ea714f08dbf722f9f98f3b0bb307619a8ba47f96b24301c68b0fd1086d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC4B2.tmp\ipconfig.all.txt

Filesize
2KB

MD5
c4d185d0befddfafe9665669e1592cf4

SHA1
fa191feb5b0f7910d877faa76203b0a42c69f586

SHA256
fcbd63f1f774cdb5bc0c0081517d37a55ab374575c2edc3e8b49e14793dd4887

SHA512
4058459f8341d01ddc0b532473d472b5daaa1f88154a7023788b2a7b8dad545950ad68e49eac495860f7cbd12af0ebdf16dae8f9682bba7240afb6eb70bf4caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC4B2.tmp\route.print.txt

Filesize
4KB

MD5
5848b21c91b531e59caff89beb5d734a

SHA1
930a7947f8aecab42c6e9412c06bc050137e6633

SHA256
c625d0b268120c39706c1794602cf6f0d843ec4d27d3db3b2f0874f35b7bd520

SHA512
dbc1309381455d818f9fc226415b2820904dbcca88c702b2d5c10651961152a4701a02e95c2d2057f87995e18f8760bf10846139f4c2e19a700c7905c49a3371

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC4B2.tmp\setup.inf

Filesize
978B

MD5
4729d44d6ceab0443e74223ee5e58a19

SHA1
017910fe70da922bd41bade4da44b935373cd804

SHA256
5932a37e4f2e8ff633dbe5226088366b363dfb63a931ab6dd6247b95f06441b7

SHA512
46c403abec51915af00f289ed552aec7f733f80750e5f3e2f424bce650c224ba27125694dce10b7bacb5ac6a78cd856a54d2284dc1c927da0a858520afbcfb16

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC4B2.tmp\setup.rpt

Filesize
283B

MD5
1e8383285599f408a11687df88b7629a

SHA1
003591664e5db808b61e07db96a68b784a0f6b25

SHA256
0bdaec4e4d38b28265f25fcd0582a3f1a9bd2ea1c9959167f35ad97387d085c3

SHA512
fe11338e59101b01943f56faaf8a1d16dd43e504206a21a74b6da0208e959c18409ec53b56bfa071444a2d3d70f83100f55c92c681be2e766924003d3d723b49

Download Submit
C:\Users\Admin\Desktop\UseApprove.mhtml

Filesize
416KB

MD5
4f7925a1c6f04acf6506b2d79fb87486

SHA1
f240921fbda9d640894d4c56b58869a000f653cb

SHA256
c565094836cf89f1f98987bfe383ea2beed25b3f8d8e5e08d29d08521ee73f76

SHA512
6d8f95ee760aad2bb22edccb60266104b615d7553443c51dbf6296cf61ffab4ff69edb0344afab0d085cb390d12ed6b5c6e4024a785a0b04edbddae9ff8a3e57

Download Submit
C:\Windows\TEMP\SDIAG_ba3271b5-ac10-4613-933a-923e2adee4a1\NetworkDiagnosticsResolve.ps1

Filesize
11KB

MD5
d213491a2d74b38a9535d616b9161217

SHA1
bde94742d1e769638e2de84dfb099f797adcc217

SHA256
4662c3c94e0340a243c2a39ca8a88fd9f65c74fb197644a11d4ffcae6b191211

SHA512
5fd8b91b27935711495934e5d7ca14f9dd72bc40a38072595879ef334a47f99e0608087ddc62668c6f783938d9f22a3688c5cdef3a9ad6c3575f3cfa5a3b0104

Download Submit
C:\Windows\TEMP\SDIAG_ba3271b5-ac10-4613-933a-923e2adee4a1\NetworkDiagnosticsTroubleshoot.ps1

Filesize
25KB

MD5
d0cfc204ca3968b891f7ce0dccfb2eda

SHA1
56dad1716554d8dc573d0ea391f808e7857b2206

SHA256
e3940266b4368c04333db89804246cb89bf2073626f22b8de72bea27c522282a

SHA512
4d2225b599ad8af8ba8516f12cfddca5ec0ce69c5c80b133a6a323e9aaf5e0312efbcfa54d2e4462a5095f9a7c42b9d5b39f3204e0be72c3b1992cf33b22087c

Download Submit
C:\Windows\TEMP\SDIAG_ba3271b5-ac10-4613-933a-923e2adee4a1\NetworkDiagnosticsVerify.ps1

Filesize
10KB

MD5
9b222d8ec4b20860f10ebf303035b984

SHA1
b30eea35c2516afcab2c49ef6531af94efaf7e1a

SHA256
a32e13da40ac4b9e1dac7dd28bc1d25e2f2136b61ff93be943018b20796f15bc

SHA512
8331337ccb6e3137b01aeec03e6921fd3b9e56c44fa1b17545ae5c7bfcdd39fcd8a90192884b3a82f56659009e24b63ce7f500e8766fd01e8d4e60a52de0fe67

Download Submit
C:\Windows\TEMP\SDIAG_ba3271b5-ac10-4613-933a-923e2adee4a1\StartDPSService.ps1

Filesize
567B

MD5
a660422059d953c6d681b53a6977100e

SHA1
0c95dd05514d062354c0eecc9ae8d437123305bb

SHA256
d19677234127c38a52aec23686775a8eb3f4e3a406f4a11804d97602d6c31813

SHA512
26f8cf9ac95ff649ecc2ed349bc6c7c3a04b188594d5c3289af8f2768ab59672bc95ffefcc83ed3ffa44edd0afeb16a4c2490e633a89fce7965843674d94b523

Download Submit
C:\Windows\TEMP\SDIAG_ba3271b5-ac10-4613-933a-923e2adee4a1\UtilityFunctions.ps1

Filesize
53KB

MD5
c912faa190464ce7dec867464c35a8dc

SHA1
d1c6482dad37720db6bdc594c4757914d1b1dd70

SHA256
3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201

SHA512
5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a

Download Submit
C:\Windows\TEMP\SDIAG_ba3271b5-ac10-4613-933a-923e2adee4a1\UtilitySetConstants.ps1

Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_ba3271b5-ac10-4613-933a-923e2adee4a1\en-US\LocalizationData.psd1

Filesize
5KB

MD5
91f545459be2ff513b8d98c7831b8e54

SHA1
499e4aa76fc21540796c75ba5a6a47980ff1bc21

SHA256
1ccd68e58ead16d22a6385bb6bce0e2377ed573387bdafac3f72b62264d238ff

SHA512
469571a337120885ee57e0c73a3954d0280fa813e11709ee792285c046f6ddaf9be5583e475e627ea5f34e8e6fb723a4681289312f0e51dc8e9894492407b911

Download Submit
C:\Windows\Temp\SDIAG_ba3271b5-ac10-4613-933a-923e2adee4a1\DiagPackage.dll

Filesize
488KB

MD5
ec287e627bf07521b8b443e5d7836c92

SHA1
02595dde2bd98326d8608ee3ddabc481ddc39c3d

SHA256
35fa9f66ed386ee70cb28ec6e03a3b4848e3ae11c8375ba3b17b26d35bd5f694

SHA512
8465ae3ca6a4355888eecedda59d83806faf2682431f571185c31fb8a745f2ef4b26479f07aaf2693cd83f2d0526a1897a11c90a1f484a72f1e5965b72de9903

Download Submit
C:\Windows\Temp\SDIAG_ba3271b5-ac10-4613-933a-923e2adee4a1\en-US\DiagPackage.dll.mui

Filesize
17KB

MD5
44b3399345bc836153df1024fa0a81e1

SHA1
ce979bfdc914c284a9a15c4d0f9f18db4d984cdd

SHA256
502abf2efedb7f76147a95dc0755723a070cdc3b2381f1860313fd5f01c4fb4d

SHA512
a49ba1a579eedca2356f8a4df94b1c273e483ceace93c617cddee77f66e90682836c77cea58047320b2c2f1d0e23ee7efa3d8af71e8ee864faef7e68f233bec4

Download Submit
C:\Windows\Temp\SDIAG_ba3271b5-ac10-4613-933a-923e2adee4a1\result\7CAC81D5-7DDF-4D15-AE00-446C6EB915D7.Diagnose.Admin.0.etl

Filesize
192KB

MD5
dd11ca8a1bf3c1cb6951c5ae5ad56ee1

SHA1
8a005c7a03eb792f9250992725b97a297714106c

SHA256
6746879f4cc00bf131a06fd242d72861d406794eefb6679516f601e0c0f711a8

SHA512
ef56fd210afc8f6226ff7e63f38982e5a174c95f0439ac1fbdf8dcb2dcd8734b18576f638c02b87344dcc48ade7aa152afa6faa574a84189b31df3a8081c40b9

Download Submit
memory/2468-486-0x000001680C5B0000-0x000001680C5B1000-memory.dmp

Filesize
4KB

Download
memory/2468-482-0x0000016808100000-0x0000016808110000-memory.dmp

Filesize
64KB

Download
memory/2468-478-0x00000168069B0000-0x00000168069C0000-memory.dmp

Filesize
64KB

Download
memory/2468-601-0x000001680C6D0000-0x000001680C6D1000-memory.dmp

Filesize
4KB

Download
memory/2468-602-0x000001680C6C0000-0x000001680C6C1000-memory.dmp

Filesize
4KB

Download
memory/2468-604-0x000001680C5C0000-0x000001680C5C1000-memory.dmp

Filesize
4KB

Download
memory/2468-605-0x000001680C5B0000-0x000001680C5B1000-memory.dmp

Filesize
4KB

Download
memory/2468-607-0x000001680C5B0000-0x000001680C5B1000-memory.dmp

Filesize
4KB

Download
memory/2468-610-0x000001680C500000-0x000001680C501000-memory.dmp

Filesize
4KB

Download
memory/5792-463-0x0000017330000000-0x0000017330022000-memory.dmp

Filesize
136KB

Download