d6baadd07cf7d848a374407b328119c3fd497c168941bee2c76c7f3c8e39ad2b

Analysis

max time kernel
146s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
19/07/2024, 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rechecker-mod.exe.vbs
Size

1KB
MD5

b4e2b36f56fdf2b4bcdea044881e8bb2
SHA1

f5664d5f9e7e6e26345b3a9ac48d5cf1876174f7
SHA256

d6baadd07cf7d848a374407b328119c3fd497c168941bee2c76c7f3c8e39ad2b
SHA512

a451411498f55ad4b3bc2f00dbc929fc04bd1ab0a0ccb2da8dfd04e32b431ac9ec38b6d7cbeea67a90582da6bd4d274fc875b3d3500ea6026aab56c4590c0964

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	420	WScript.exe
3	420	WScript.exe
4	420	WScript.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3724	msedge.exe
3724	msedge.exe
840	msedge.exe
840	msedge.exe
1980	msedge.exe
1980	msedge.exe
4716	identity_helper.exe
4716	identity_helper.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 2876	840	msedge.exe	86
PID 840 wrote to memory of 2876	840	msedge.exe	86
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 1624	840	msedge.exe	87
PID 840 wrote to memory of 3724	840	msedge.exe	88
PID 840 wrote to memory of 3724	840	msedge.exe	88
PID 840 wrote to memory of 712	840	msedge.exe	89
PID 840 wrote to memory of 712	840	msedge.exe	89
PID 840 wrote to memory of 712	840	msedge.exe	89
PID 840 wrote to memory of 712	840	msedge.exe	89
PID 840 wrote to memory of 712	840	msedge.exe	89
PID 840 wrote to memory of 712	840	msedge.exe	89
PID 840 wrote to memory of 712	840	msedge.exe	89
PID 840 wrote to memory of 712	840	msedge.exe	89
PID 840 wrote to memory of 712	840	msedge.exe	89
PID 840 wrote to memory of 712	840	msedge.exe	89
PID 840 wrote to memory of 712	840	msedge.exe	89
PID 840 wrote to memory of 712	840	msedge.exe	89
PID 840 wrote to memory of 712	840	msedge.exe	89
PID 840 wrote to memory of 712	840	msedge.exe	89
PID 840 wrote to memory of 712	840	msedge.exe	89
PID 840 wrote to memory of 712	840	msedge.exe	89
PID 840 wrote to memory of 712	840	msedge.exe	89
PID 840 wrote to memory of 712	840	msedge.exe	89
PID 840 wrote to memory of 712	840	msedge.exe	89
PID 840 wrote to memory of 712	840	msedge.exe	89

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\rechecker-mod.exe.vbs"
1⤵
- Blocklisted process makes network request
PID:420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffeff703cb8,0x7ffeff703cc8,0x7ffeff703cd8
  2⤵
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,9076415229994404009,6077861652344910392,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,9076415229994404009,6077861652344910392,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,9076415229994404009,6077861652344910392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
  2⤵
  PID:712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9076415229994404009,6077861652344910392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9076415229994404009,6077861652344910392,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9076415229994404009,6077861652344910392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
  2⤵
  PID:680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9076415229994404009,6077861652344910392,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,9076415229994404009,6077861652344910392,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3800 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9076415229994404009,6077861652344910392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:1
  2⤵
  PID:2624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9076415229994404009,6077861652344910392,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9076415229994404009,6077861652344910392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,9076415229994404009,6077861652344910392,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,9076415229994404009,6077861652344910392,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1236 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
575466f58c7d9d3224035d23f102d140

SHA1
2fce4082fa83534b3ddc91e42fb242baee4afa1c

SHA256
9da0e657652daa1ef86af7c3db62b0af9cce372a5f765c98c68479922ccf1923

SHA512
06503e718fe967076dd8a061b57debdc663b9616b005f8567099a84fc7184880633079335d622c243918efc3356b40e683708fb0583084abeed7db6168a212ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f1d33f465a73554cd1c183cbcd0a28a2

SHA1
f5c16fc4edff600cb307f762d950500aa29a1e8b

SHA256
22d8c228cdcfd3e05431d7377748014035a3488ad3a0d4aecc334e724245a1f9

SHA512
7cc94f77f3943143ee86eabbfddcb110ce52c6ff0975842e3a3d06072f51f2c48914ee61f24484a539888ad19a7e6a1becfb029485cd5984bc736434a63cee95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
00a455d9d155394bfb4b52258c97c5e5

SHA1
2761d0c955353e1982a588a3df78f2744cfaa9df

SHA256
45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed

SHA512
9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6a0e1e0480e3f2ab371252fc8def7fe8

SHA1
a978d39590657a4f7df9fdfea84a3571790ecdf7

SHA256
a12801bec13cb88be3f52fa2344afa3f4d5b2b13ef58dedfe79ec9f055ebaaba

SHA512
8db9522cce6957fe806a7a92de4e6e1426be1df38302f8d4d474a9e6f6eab6e60f1473888d9feb78ca1d05b695f9461c3064b70a4d4a35d2b225b19a9b0d8212

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ab098fffcfc7bc1d354f789929951252

SHA1
5c51371ecc60ce5356e3c0741d8399a4f950b006

SHA256
267112ed9b0cb37fe279293991e96ae71f415038d27aa0a3bae3a7642cea59c3

SHA512
e9458518e7f31079f7cb5b5ad0975a885f24dca8aa344a858e2c0172704f5eecb6c5e73e3e70f52f8919f5abe03c51a8d0a863aaacdff8f7af217f72858128cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8646c6c17691a70da5b3c192a0fe7586

SHA1
4f6fa1256a9403344baf01d924764d82c2fbe6bb

SHA256
cc97fc3033edddfc6678ee995882a530f2236b23f41ce2ec61062d53cebbb871

SHA512
938b34c77e6230840acfc21b9aba41438b1633ea803d55fe0338f7a2201ba54a55df76dbe778ebbf586936a9af82bcd1c92fc876c6ce6fb13d6b09ebfd4c5126

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
65883bc681176cb20cc72198f7ddb72c

SHA1
ce004da694e8a5ce6cb7447940d1e151d48ee9dd

SHA256
326e0717d4437835674c0cb4434bdc06cd555ea4b751a93a3d7e8f7f8b8d7f57

SHA512
20da6e17a63ef3960ce8146fa56eb7e511ff73774e3374ebbc2ece5745add2c005a0a53500258b039f8dfaee19fd314db7f4504f777f35bc34c19763cb424fd2

Download Submit