370a27a30ee57247faddeb1f99a83933247e07c8760a07ed82e451e1cb5e5cdd

General

Target

windirstat1_1_2_setup.exe
Size

630KB
MD5

3abf1c149873e25d4e266225fbf37cbf
SHA1

6fa92dd2ca691c11dfbfc0a239e34369897a7fab
SHA256

370a27a30ee57247faddeb1f99a83933247e07c8760a07ed82e451e1cb5e5cdd
SHA512

b6d9672a580a02299bc370deb1fd99b5ca10ab86456385870cdae522c185ae51f8d390a7c50fcb5c7898523f52c834bb73515ffc6d0b0bcde210640e815ece9e
SSDEEP

12288:yCjeMsiGVBKvjxTNlZaLlcMj+wXZvQpd9nP2+ZMU2tYspZcMwr/GNd35:yCjeTZa7BTsxewXZUTP2HU2yawjY5

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

windirstat1_1_2_setup.exe

pid process

3008 windirstat1_1_2_setup.exe
3008 windirstat1_1_2_setup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3008	windirstat1_1_2_setup.exe
3008	windirstat1_1_2_setup.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Clipup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	Clipup.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msedge.exe

pid process

1988 msedge.exe
1988 msedge.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SystemSettingsAdminFlows.exe

pid process

5028 SystemSettingsAdminFlows.exe

pid	process
1988	msedge.exe
1988	msedge.exe

pid	process
5028	SystemSettingsAdminFlows.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3512 wrote to memory of 1448	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1448	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3656	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1988	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1988	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 2996	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 2996	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 2996	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 2996	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 2996	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 2996	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 2996	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 2996	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 2996	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 2996	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 2996	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 2996	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 2996	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 2996	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 2996	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 2996	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 2996	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 2996	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 2996	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 2996	3512	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\windirstat1_1_2_setup.exe
"C:\Users\Admin\AppData\Local\Temp\windirstat1_1_2_setup.exe"
1⤵
- Loads dropped DLL
PID:3008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault153ba440hc4b5h4befha6e9ha0bcf4d31ea7
1⤵
- Suspicious use of WriteProcessMemory
PID:3512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0x104,0x12c,0x7ffa2d2c46f8,0x7ffa2d2c4708,0x7ffa2d2c4718
2⤵
PID:1448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,10499042054478858669,12781128934042749778,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
2⤵
PID:3656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,10499042054478858669,12781128934042749778,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,10499042054478858669,12781128934042749778,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
2⤵
PID:2996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:876

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" EnterProductKey
1⤵
- Suspicious use of SetWindowsHookEx
PID:5028

C:\Windows\system32\Clipup.exe
C:\Windows\system32\Clipup.exe -d -k PC6QJ-F3NVJ-3BGTG-PYJB8-D9MQB %PROGRAMDATA%\Microsoft\Windows\ClipSvc\Install
2⤵
PID:4232

C:\Windows\system32\Clipup.exe
C:\Windows\system32\Clipup.exe -d -k PC6QJ-F3NVJ-3BGTG-PYJB8-D9MQB %PROGRAMDATA%\Microsoft\Windows\ClipSvc\Install -ppl C:\Users\Admin\AppData\Local\Temp\temFB82.tmp
3⤵
- Checks SCSI registry key(s)
PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
5b6ff6669a863812dff3a9e76cb311e4

SHA1
355f7587ad1759634a95ae191b48b8dbaa2f1631

SHA256
c7fb7eea8bea4488bd4605df51aa560c0e1b11660e9228863eb4ad1be0a07906

SHA512
d153b1412fadda28c0582984e135b819ba330e01d3299bb4887062ffd6d3303da4f2c4b64a3de277773f4756da361e7bc5885c226ae2a5cfdd16ee60512e2e5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
069b2424bc5f55abd025e560e6982d0e

SHA1
111c36aa8cd904d396116c9f54cfa561c95ec2bd

SHA256
49d942b70031b28d3b6099f7e202205a24e1a0b254853b5750534b14abc9861d

SHA512
34ef9846551a0849222c421176b4d89f12679cb1dc30282f71fbeb976f59cdd849671f0a4cfb194863f3a3ab05e6a06abb8b030e71b59718b83767b92311e1be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
c911a1cdb795ee449a7ae66d01c04da3

SHA1
8025284091b54fd596b902430a733fdb2551a28b

SHA256
3649e35169a90991c96832b56dd9d73ea7e37c8661638278336b1c9895bccf53

SHA512
c747292e9b977e7242f98f91acafc1473f32222e85eb7bc0c8a89ac43f11517cb6281ab2a88734f3a70c6db170a7cdf8bcee0c2de12ccfe99279b31511865839

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslAF3D.tmp\System.dll
Filesize
10KB

MD5
4125926391466fdbe8a4730f2374b033

SHA1
fdd23034ada72d2537939ac6755d7f7c0e9b3f0e

SHA256
6692bd93bcd04146831652780c1170da79aa3784c3c070d95fb1580e339de6c5

SHA512
32a1cf96842454b3c3641316ee39051ae024bdce9e88ac236eadad531f2c0a08d46b77d525f7d994c9a5af4cc9a391d30ee92b9ec782b7fb9a42c76f0f52a008

Download Submit
C:\Users\Admin\AppData\Local\Temp\temFB82.tmp
Filesize
206B

MD5
b13af738aa8be55154b2752979d76827

SHA1
64a5f927720af02a367c105c65c1f5da639b7a93

SHA256
663ef05eb1c17b68e752a2d1e2dcd0eaa024e4c2ec88a7bc99a59e0aeabdf79b

SHA512
cb774f2729ce6b5cda325417fbad93e952b447fa2e9285375c26eb0fbdb7f4f8b644b1007038caafd6d8ba4efb3cc8c5da307c14e12be3454103d52848a029a4

Download Submit
\??\pipe\LOCAL\crashpad_3512_FHXBHSPMVSZYOSNU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1704-73-0x000001A358020000-0x000001A358030000-memory.dmp

Filesize
64KB

Download
memory/1704-85-0x000001A358020000-0x000001A358030000-memory.dmp

Filesize
64KB

Download
memory/1704-84-0x000001A357E00000-0x000001A357E10000-memory.dmp

Filesize
64KB

Download
memory/1704-74-0x000001A358020000-0x000001A358030000-memory.dmp

Filesize
64KB

Download
memory/1704-75-0x000001A358020000-0x000001A358030000-memory.dmp

Filesize
64KB

Download
memory/1704-77-0x000001A358020000-0x000001A358030000-memory.dmp

Filesize
64KB

Download
memory/1704-78-0x000001A358020000-0x000001A358030000-memory.dmp

Filesize
64KB

Download
memory/1704-70-0x000001A357E00000-0x000001A357E10000-memory.dmp

Filesize
64KB

Download
memory/1704-71-0x000001A357E00000-0x000001A357E10000-memory.dmp

Filesize
64KB

Download
memory/1704-72-0x000001A358020000-0x000001A358030000-memory.dmp

Filesize
64KB

Download
memory/1704-76-0x000001A358020000-0x000001A358030000-memory.dmp

Filesize
64KB

Download
memory/4232-68-0x0000018649ED0000-0x0000018649EE0000-memory.dmp

Filesize
64KB

Download
memory/4232-69-0x0000018649ED0000-0x0000018649EE0000-memory.dmp

Filesize
64KB

Download
memory/4232-87-0x0000018649ED0000-0x0000018649EE0000-memory.dmp

Filesize
64KB

Download
memory/5028-67-0x000002339B740000-0x000002339B750000-memory.dmp

Filesize
64KB

Download
memory/5028-66-0x000002339B740000-0x000002339B750000-memory.dmp

Filesize
64KB

Download
memory/5028-63-0x000002339B740000-0x000002339B750000-memory.dmp

Filesize
64KB

Download
memory/5028-64-0x000002339B740000-0x000002339B750000-memory.dmp

Filesize
64KB

Download
memory/5028-65-0x000002339B740000-0x000002339B750000-memory.dmp

Filesize
64KB

Download
memory/5028-62-0x000002339B740000-0x000002339B750000-memory.dmp

Filesize
64KB

Download
memory/5028-89-0x000002339CB70000-0x000002339CB80000-memory.dmp

Filesize
64KB

Download
memory/5028-88-0x000002339CB70000-0x000002339CB80000-memory.dmp

Filesize
64KB

Download
memory/5028-90-0x000002339CB70000-0x000002339CB80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing