Overview

overview

7

Static

static

1

Detection (pa5).exe

windows11-21h2-x64

7

Analysis

  • max time kernel
    90s
  • max time network
    93s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240709-en
  • resource tags

    arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    10-07-2024 08:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Detection (pa5).exe

  • Size

    4.9MB

  • MD5

    8a928d5b4eaa0d1f25fdde064fce2dd8

  • SHA1

    0dcb10d745c6d43aadaa1ab97b7cce0c1e85f1cb

  • SHA256

    64137fb074ba4603e4c3bae70e3d549f457338e10b69fd01d7d2603c20940ecd

  • SHA512

    0d4936033a79655319697e5511908b1f500ef451c3bd18e862d0526efac219764b99ad1ab1dd73528a460afb18c81fa6150a531c5c3c7b1e64c3fbcc5364caa7

  • SSDEEP

    49152:3EAnpzbAkVTBmqpH3qeRqV9BIxz2lZIFUy0hMZfr0X7RplBcqxO8mafeEGM:xqeWat23by0hMCrRXPHp

Score
7/10
discoverypersistenceprivilege_escalation

Malware Config

Signatures

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Detection (pa5).exe
    "C:\Users\Admin\AppData\Local\Temp\Detection (pa5).exe"
    1⤵
    • Checks BIOS information in registry
    • Enumerates connected drives
    • Drops file in System32 directory
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1060
    • C:\Windows\SYSTEM32\netsh.exe
      netsh.exe wlan show interfaces
      2⤵
      • Event Triggered Execution: Netsh Helper DLL
      PID:4956
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://docs.oracle.com/javase/8/docs
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffe4423cb8,0x7fffe4423cc8,0x7fffe4423cd8
      2⤵
        PID:2016
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,92748401739658507,15019639160503517110,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
        2⤵
          PID:1936
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,92748401739658507,15019639160503517110,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4152
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,92748401739658507,15019639160503517110,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2396 /prefetch:8
          2⤵
            PID:4116
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,92748401739658507,15019639160503517110,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
            2⤵
              PID:1728
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,92748401739658507,15019639160503517110,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
              2⤵
                PID:4128
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,92748401739658507,15019639160503517110,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 /prefetch:8
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:3968
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,92748401739658507,15019639160503517110,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
                2⤵
                  PID:1908
                • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,92748401739658507,15019639160503517110,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4048
              • C:\Windows\System32\CompPkgSrv.exe
                C:\Windows\System32\CompPkgSrv.exe -Embedding
                1⤵
                  PID:224
                • C:\Windows\System32\CompPkgSrv.exe
                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                  1⤵
                    PID:2788

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\D3DSCache\d466c90afe4f152a\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
                    Filesize

                    64KB

                    MD5

                    41ea7f8d3481dd99bcd110b20e0b523e

                    SHA1

                    c2e64367768650fb137ca8bca04097635c75b3f5

                    SHA256

                    bb4d777d2d2041f78b8cf87a32bd13fe4a5ac6e4178534946d46d003c603fad4

                    SHA512

                    af446b3fbdede71d8fe1ced90772d07e0c1448620d623f9a3331e589825e03ebdae483c599ce63c63789336941e6b75eaf6f48f6b363ad648b7a4b736f0d6927

                    Download Submit

                  • C:\Users\Admin\AppData\Local\D3DSCache\d466c90afe4f152a\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
                    Filesize

                    4B

                    MD5

                    f49655f856acb8884cc0ace29216f511

                    SHA1

                    cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

                    SHA256

                    7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

                    SHA512

                    599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

                    Download Submit

                  • C:\Users\Admin\AppData\Local\D3DSCache\d466c90afe4f152a\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
                    Filesize

                    1008B

                    MD5

                    0a9b7c327589ef83525ff93d94a59788

                    SHA1

                    7f79e155603d153939aafdb96304279ce7a6a5f9

                    SHA256

                    238ece98413c6cb60e29f304a5c8159b7a0aad0244ccc9180868994683a6727c

                    SHA512

                    02ef83ecd4fd084c4b6fcd4512a9354c6ac6701b7ad15e3e18472afcaf4a2623e75e36b8c449741cb988e9b2b76e8df3daee658bc06de2a13a1784318ebd5465

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                    Filesize

                    152B

                    MD5

                    4656c526f71d2c1122865ef7c6af3ff5

                    SHA1

                    61684265064c225f323d304931ff7764f5700ac2

                    SHA256

                    7172417b8464d5c2f52edfc867f4d83e475b58fd316b1916cdde30ed5bdde80e

                    SHA512

                    c3e4fc0baa216ef561a448e42378af01a50e0ebd9b5fe554c9af0ea3362b9ca2f4a1b99cfab66c18df085250dd7a5ca1b01ab256e28156d657c579f5518aa56a

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                    Filesize

                    152B

                    MD5

                    bc5eae38782879246edf98418132e890

                    SHA1

                    46aa7cc473f743c270ed2dc21841ddc6fc468c30

                    SHA256

                    b9dd7185c7678a25210a40f5a8cac3d048f7774042d93380bbbd1abb94d810d7

                    SHA512

                    73680b22df232f30faa64f485a4c2f340ba236b5918915866f84053f06532b0a722c4ee8038af3689ac04db41277c7852f7a11a0a15833ef66bcc046ee28afb7

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                    Filesize

                    408B

                    MD5

                    9ba0cc9968fafa18e559b5a593b2c1f0

                    SHA1

                    0cf6c1854b525e9813b52081b694d74deaa61ada

                    SHA256

                    bd53dab64cfe468b769fd8b6b701de10f2716613acb8161b20c388cbd1ed579a

                    SHA512

                    6c68d773f1ac5e47d037dfa80ae45d765e78f850d5905b4920c02bfbfd24eb4144234b281c29543bbd6563ba96f64b392ea83f93ad32ddb135fa10bdd15a8a11

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                    Filesize

                    653B

                    MD5

                    2658718cdf961b552d9736ed86be19f2

                    SHA1

                    6d321203b1af2cfbf3fe44c57c97c2be02fc36c3

                    SHA256

                    76b5000977cb5bca0cc777b7f73594b3f06f2c1c5f933d272dab4a154dd16223

                    SHA512

                    ea751d5409f9ce4e08aa2785fce114a26dac746e73fe940ca90e9076ba93bc235981321429e399c63e8af2bef38f24ca0fecd8aa467b74a17687c566c990bf97

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                    Filesize

                    5KB

                    MD5

                    5c2ac6dbfe85e2856ab65f84b1d6f0ee

                    SHA1

                    96eb32d3b331c53ad8987dba0c7ceb9bd2b67242

                    SHA256

                    fefe4a5a1c7f144845d5c927728ccf88e5a9538c4e83fb37fbc585b7acc5ec59

                    SHA512

                    c1629012e2150d2802ade8e298ae7189384753fd09eda29910a8a3a539f4364e6aab66a7d58243a3a980990ed7972e157e851b3f9913217b33147a43868cbef5

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                    Filesize

                    6KB

                    MD5

                    b7d0dd550fe0c79fd32245d5a8ea5159

                    SHA1

                    15c7cd77dec6bdc5f5809498457051890b063759

                    SHA256

                    2f6089f12ef563633de751742e4c2183f04ed3c021ee04cee9343405be664de5

                    SHA512

                    8db29d8a97d9cd364ff1c0cac463bcc279941f24d4c42986a9fffb3b9318c0d880ebdfb62608d75b175754dd9b5fefe84902b3c0e20161981f360f89bf6fb130

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                    Filesize

                    16B

                    MD5

                    46295cac801e5d4857d09837238a6394

                    SHA1

                    44e0fa1b517dbf802b18faf0785eeea6ac51594b

                    SHA256

                    0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                    SHA512

                    8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                    Filesize

                    16B

                    MD5

                    206702161f94c5cd39fadd03f4014d98

                    SHA1

                    bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                    SHA256

                    1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                    SHA512

                    0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                    Filesize

                    11KB

                    MD5

                    07210c0d88bb4d875eaf770a4edebb9d

                    SHA1

                    88b5ea32c01d0ab25d3d85494eedb002a077601d

                    SHA256

                    6ab63b0db9ada94cccbedeace96de0f83a1e50ee4b08748285fa6ae74c67f310

                    SHA512

                    7c887206a024bbece8e666bb77cf6c3a23b207b6a6798b9529a76e57e9d9e7a45bbace1db56538b17c77de601da9339aaf8df159a187c4c799419f61c5fe5ee9

                    Download Submit

                  • memory/1060-10-0x0000011803BE0000-0x0000011803BE1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1060-6-0x0000011803BE0000-0x0000011803BE1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1060-0-0x0000011803BE0000-0x0000011803BE1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1060-12-0x0000011803BE0000-0x0000011803BE1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1060-11-0x0000011803BE0000-0x0000011803BE1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1060-8-0x0000011803BE0000-0x0000011803BE1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1060-9-0x0000011803BE0000-0x0000011803BE1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1060-1-0x0000011803BE0000-0x0000011803BE1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1060-7-0x0000011803BE0000-0x0000011803BE1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1060-2-0x0000011803BE0000-0x0000011803BE1000-memory.dmp

                    Filesize

                    4KB

                    Download