Analysis

  • max time kernel
    75s
  • max time network
    77s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240611-en
  • resource tags

    arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    18-06-2024 12:32

Errors

Reason
Machine shutdown

General

  • Target

    pyrogenesis.exe

  • Size

    4.4MB

  • MD5

    7ef8ce833b1d6e88288652cafcc2af3a

  • SHA1

    b88a4c6551c624cd9d99a3f5ecf76840f759479b

  • SHA256

    1c09a8d2cc3321aa3bdadfea803b7fc5af617d657b1785dc58881a1aa8ba245b

  • SHA512

    3c5f72d368b29dd06640a7b322f9f3a0c49d983095fc7ae8b14ec3890116af3cc7734156474789725bf141090149c145fe9c1f42073004f68a9f64482843b69a

  • SSDEEP

    98304:jV2WaxWnr4UyqKFSii4gcALAyfyc5E5Dk:jVZr9yXFST4gcAUpI

Score
5/10

Malware Config

Signatures

  • Detected potential entity reuse from brand microsoft.
  • Drops file in Windows directory 4 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\pyrogenesis.exe
    "C:\Users\Admin\AppData\Local\Temp\pyrogenesis.exe"
    1⤵
      PID:1748
    • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
      "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4088
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
      1⤵
        PID:4108
      • C:\Windows\System32\oobe\UserOOBEBroker.exe
        C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
        1⤵
        • Drops file in Windows directory
        PID:4076
      • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
        C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
        1⤵
          PID:5092
        • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
          C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
          1⤵
            PID:1700
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2149241
            1⤵
            • Enumerates system info in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:1044
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff9c2473cb8,0x7ff9c2473cc8,0x7ff9c2473cd8
              2⤵
                PID:4920
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,2178637688787208688,2730708747193711546,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2052 /prefetch:2
                2⤵
                  PID:3368
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,2178637688787208688,2730708747193711546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:3
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4040
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,2178637688787208688,2730708747193711546,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2544 /prefetch:8
                  2⤵
                    PID:4056
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2178637688787208688,2730708747193711546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
                    2⤵
                      PID:2344
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2178637688787208688,2730708747193711546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
                      2⤵
                        PID:2228
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2178637688787208688,2730708747193711546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
                        2⤵
                          PID:896
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2178637688787208688,2730708747193711546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
                          2⤵
                            PID:2240
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2178637688787208688,2730708747193711546,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
                            2⤵
                              PID:1632
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:2208
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:2460
                              • C:\Windows\system32\LogonUI.exe
                                "LogonUI.exe" /flags:0x4 /state0:0xa3a28055 /state1:0x41c64e6d
                                1⤵
                                • Modifies data under HKEY_USERS
                                • Suspicious use of SetWindowsHookEx
                                PID:2432

                              Network

                              MITRE ATT&CK Matrix ATT&CK v13

                              Discovery

                              Query Registry

                              1
                              T1012

                              System Information Discovery

                              1
                              T1082

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                Filesize

                                152B

                                MD5

                                bbfb66ff6f5e565ac00d12dbb0f4113d

                                SHA1

                                8ee31313329123750487278afb3192d106752f17

                                SHA256

                                165401ef4e6bbd51cb89d3f9e6dc13a50132669d5b0229c7db12f2ec3f605754

                                SHA512

                                8ea206daabc7895923f3df9798bfd96f459bf859c78f3e5640fad550678b5090539f2a1b590883cd9797efee999acccac16d499772f61f5390e91bcc44d60560

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                Filesize

                                152B

                                MD5

                                9a91b6dd57fc9c4880d34e9e7c6b760f

                                SHA1

                                77a09da6ef4343a8b232386e000cd2d6b9fc30a3

                                SHA256

                                0170297f0103d4e415653f86dedc31b0827580042f86862206fd3f6f135b543a

                                SHA512

                                9fc3b9be931b3edebc4a6809d62d805046bdceb4c27a7db21cfbbcb0e5e253ab529c54d64e465e60904a6ab3b83156e26b97f852c9526f46f037944f806a7f0f

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                Filesize

                                120B

                                MD5

                                53ec86756c5d78d1c738f980adfd7d79

                                SHA1

                                2f1c32161a0cefedd12ed04abe09095a429286cc

                                SHA256

                                850308fd2c192a3be1047da1e74c180b2217faf5fba0d1ba9e763b7c28062ff2

                                SHA512

                                902a0747c8c463da968e27c94d7977573796e517c9ffc9ad5acea30d753ff707643ac52980eae287549e84f9edf4f8c69a6eba0a90d1bab93cd16736659bcc94

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                Filesize

                                189B

                                MD5

                                5e1f9068447613da1cf1cef1ac1ecd24

                                SHA1

                                96a471227975a7987934c420f6c0cf3a8457302f

                                SHA256

                                e018c545680b0da8a04b069210dffb60f4a21c19dfbaa8ad1dda4e64acedc35d

                                SHA512

                                764d9814b388d8cbaa1892843e951b3717bdfcfbd88be4e881f0694eb96fc6a9a4c77fab9204f42e70142b58dc9cbc55c2d208e704ae0473a7f65175fc611ee6

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                Filesize

                                6KB

                                MD5

                                a2b2a9586bde53f81fa87ec2166a868b

                                SHA1

                                fb574c3759017aeff1ff32f9fa5df248fb08140e

                                SHA256

                                318d7d7f88b825bd805e9cce4ab1c3ac8bf37099d40555b845b408dd7530f30a

                                SHA512

                                dcb405289e6e197535999aa06097b1662bb0e4eebfae64afcfa27ca47a25f2fa2d5134964cc7058435e95fedb2ebbf4e94c511a12b9504235fae40fc371255bb

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                Filesize

                                5KB

                                MD5

                                1381d2a7c2a983ef6b133598d14dc398

                                SHA1

                                5569dc131fc327ce0d856dfd70e74387e1d3da09

                                SHA256

                                2e906980af9a72028f58fabaf85603b08d0e155fc19a1d6f0b163a44af731139

                                SHA512

                                99428313e6ac624687d2b38cb4fc98464258bdab80f57557b80b84d9bdd5994b9d7e10229568c8e5542028e8b4c7e61843db13690e3431f49e1c9e5e7a3767c7

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                Filesize

                                11KB

                                MD5

                                420629e378733e83d65431d63a459d92

                                SHA1

                                8194d42df51070abc93318fab06e120930b8b247

                                SHA256

                                d248b2ec36c7b8486b5d3f63b9c762e5c452a2c2a2e0382933d01b2a1e6bdf6a

                                SHA512

                                bf006c4ad70f7db24f65d6d4be0bb8cdd239b99a6c39713538d7ff4ce35b7e66dc77b23e450dffd15abfd37ff222cdae7de2a979f21c0e3831093a2c2d09da36

                              • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-6-18.1232.5092.1.odl
                                Filesize

                                706B

                                MD5

                                8071370a374ffd1205cd6c3001ea7d1a

                                SHA1

                                9b1d7e01ae65ca42145e74ef1a030e7c744979fe

                                SHA256

                                cbbaf6b1d69744cb7d5258f5663ad55dfc00d05276b97210ed019501276c869e

                                SHA512

                                ba6730675fc665cb4c4ee547662fad8e5ea95f91ea5a4dad1d95f0f5ca65ffb91e90fecbfaad465b872a2db15fc088ce5048254c32b6be69719a3e0d700117d9

                              • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
                                Filesize

                                10KB

                                MD5

                                ebdb4566a509bf737e7f3726b8e5d003

                                SHA1

                                bfabb2b07b9cad82a182d5564c4bf61a6a40d61b

                                SHA256

                                29704bfd9a2326469e78055f8e9b54d6e0affbc5982608478beeb1c91a4cb6f8

                                SHA512

                                30f4cacb2db6a19f221f90e1547d4ecea075de7f73dffb0573cc3a2971a2bf92f4c2ea02bc0b622fcc6fb5ba47a8f21d656dc552f676476e0abf779e8a52b77d

                              • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
                                Filesize

                                10KB

                                MD5

                                bd43203446666c289e75a2c4f4b4255d

                                SHA1

                                11861227c74d2bb840415217b6d28c7fe33ce779

                                SHA256

                                1473ec018f75564f213f38964dcf8499a370a71c3d2aa7dfcf39c0a7d3133c56

                                SHA512

                                1b97ef5c155ffdb8593eed7d9f5455ba87ae90693c26791656c2bd34855dc54642e4a8b5feaee0b4e1c627a4399d77ec463bfe30e1d99798305a9e02a5b0c075

                              • \??\pipe\LOCAL\crashpad_1044_NPPXLUEEIVHBOBGD
                                MD5

                                d41d8cd98f00b204e9800998ecf8427e

                                SHA1

                                da39a3ee5e6b4b0d3255bfef95601890afd80709

                                SHA256

                                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                SHA512

                                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e