hxxps://recoilwizard[.]com/RecoilWizard[.]zip

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16/08/2024, 22:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://recoilwizard.com/RecoilWizard.zip

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5960	sNICnfyKKLvqlMP.exe
4532	sNICnfyKKLvqlMP.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

pid	Process
5960	sNICnfyKKLvqlMP.exe
5960	sNICnfyKKLvqlMP.exe
5960	sNICnfyKKLvqlMP.exe
5960	sNICnfyKKLvqlMP.exe
5960	sNICnfyKKLvqlMP.exe
4532	sNICnfyKKLvqlMP.exe
4532	sNICnfyKKLvqlMP.exe
4532	sNICnfyKKLvqlMP.exe
4532	sNICnfyKKLvqlMP.exe
4532	sNICnfyKKLvqlMP.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
5444	taskkill.exe
4896	taskkill.exe
2068	taskkill.exe
4900	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	msedge.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
5396	NOTEPAD.EXE
4508	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
452	msedge.exe
452	msedge.exe
3660	msedge.exe
3660	msedge.exe
1116	identity_helper.exe
1116	identity_helper.exe
4724	msedge.exe
4724	msedge.exe
5960	sNICnfyKKLvqlMP.exe
5960	sNICnfyKKLvqlMP.exe
4532	sNICnfyKKLvqlMP.exe
4532	sNICnfyKKLvqlMP.exe
5800	msedge.exe
5800	msedge.exe
5800	msedge.exe
5800	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	5788	7zG.exe
Token: 35	5788	7zG.exe
Token: SeSecurityPrivilege	5788	7zG.exe
Token: SeSecurityPrivilege	5788	7zG.exe
Token: SeIncreaseQuotaPrivilege	5396	WMIC.exe
Token: SeSecurityPrivilege	5396	WMIC.exe
Token: SeTakeOwnershipPrivilege	5396	WMIC.exe
Token: SeLoadDriverPrivilege	5396	WMIC.exe
Token: SeSystemProfilePrivilege	5396	WMIC.exe
Token: SeSystemtimePrivilege	5396	WMIC.exe
Token: SeProfSingleProcessPrivilege	5396	WMIC.exe
Token: SeIncBasePriorityPrivilege	5396	WMIC.exe
Token: SeCreatePagefilePrivilege	5396	WMIC.exe
Token: SeBackupPrivilege	5396	WMIC.exe
Token: SeRestorePrivilege	5396	WMIC.exe
Token: SeShutdownPrivilege	5396	WMIC.exe
Token: SeDebugPrivilege	5396	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5396	WMIC.exe
Token: SeRemoteShutdownPrivilege	5396	WMIC.exe
Token: SeUndockPrivilege	5396	WMIC.exe
Token: SeManageVolumePrivilege	5396	WMIC.exe
Token: 33	5396	WMIC.exe
Token: 34	5396	WMIC.exe
Token: 35	5396	WMIC.exe
Token: 36	5396	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5396	WMIC.exe
Token: SeSecurityPrivilege	5396	WMIC.exe
Token: SeTakeOwnershipPrivilege	5396	WMIC.exe
Token: SeLoadDriverPrivilege	5396	WMIC.exe
Token: SeSystemProfilePrivilege	5396	WMIC.exe
Token: SeSystemtimePrivilege	5396	WMIC.exe
Token: SeProfSingleProcessPrivilege	5396	WMIC.exe
Token: SeIncBasePriorityPrivilege	5396	WMIC.exe
Token: SeCreatePagefilePrivilege	5396	WMIC.exe
Token: SeBackupPrivilege	5396	WMIC.exe
Token: SeRestorePrivilege	5396	WMIC.exe
Token: SeShutdownPrivilege	5396	WMIC.exe
Token: SeDebugPrivilege	5396	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5396	WMIC.exe
Token: SeRemoteShutdownPrivilege	5396	WMIC.exe
Token: SeUndockPrivilege	5396	WMIC.exe
Token: SeManageVolumePrivilege	5396	WMIC.exe
Token: 33	5396	WMIC.exe
Token: 34	5396	WMIC.exe
Token: 35	5396	WMIC.exe
Token: 36	5396	WMIC.exe
Token: SeDebugPrivilege	5444	taskkill.exe
Token: SeDebugPrivilege	4896	taskkill.exe
Token: SeIncreaseQuotaPrivilege	5920	WMIC.exe
Token: SeSecurityPrivilege	5920	WMIC.exe
Token: SeTakeOwnershipPrivilege	5920	WMIC.exe
Token: SeLoadDriverPrivilege	5920	WMIC.exe
Token: SeSystemProfilePrivilege	5920	WMIC.exe
Token: SeSystemtimePrivilege	5920	WMIC.exe
Token: SeProfSingleProcessPrivilege	5920	WMIC.exe
Token: SeIncBasePriorityPrivilege	5920	WMIC.exe
Token: SeCreatePagefilePrivilege	5920	WMIC.exe
Token: SeBackupPrivilege	5920	WMIC.exe
Token: SeRestorePrivilege	5920	WMIC.exe
Token: SeShutdownPrivilege	5920	WMIC.exe
Token: SeDebugPrivilege	5920	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5920	WMIC.exe
Token: SeRemoteShutdownPrivilege	5920	WMIC.exe
Token: SeUndockPrivilege	5920	WMIC.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
5788	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5960	sNICnfyKKLvqlMP.exe
4532	sNICnfyKKLvqlMP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3660 wrote to memory of 4652	3660	msedge.exe	83
PID 3660 wrote to memory of 4652	3660	msedge.exe	83
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 2336	3660	msedge.exe	84
PID 3660 wrote to memory of 452	3660	msedge.exe	85
PID 3660 wrote to memory of 452	3660	msedge.exe	85
PID 3660 wrote to memory of 1928	3660	msedge.exe	86
PID 3660 wrote to memory of 1928	3660	msedge.exe	86
PID 3660 wrote to memory of 1928	3660	msedge.exe	86
PID 3660 wrote to memory of 1928	3660	msedge.exe	86
PID 3660 wrote to memory of 1928	3660	msedge.exe	86
PID 3660 wrote to memory of 1928	3660	msedge.exe	86
PID 3660 wrote to memory of 1928	3660	msedge.exe	86
PID 3660 wrote to memory of 1928	3660	msedge.exe	86
PID 3660 wrote to memory of 1928	3660	msedge.exe	86
PID 3660 wrote to memory of 1928	3660	msedge.exe	86
PID 3660 wrote to memory of 1928	3660	msedge.exe	86
PID 3660 wrote to memory of 1928	3660	msedge.exe	86
PID 3660 wrote to memory of 1928	3660	msedge.exe	86
PID 3660 wrote to memory of 1928	3660	msedge.exe	86
PID 3660 wrote to memory of 1928	3660	msedge.exe	86
PID 3660 wrote to memory of 1928	3660	msedge.exe	86
PID 3660 wrote to memory of 1928	3660	msedge.exe	86
PID 3660 wrote to memory of 1928	3660	msedge.exe	86
PID 3660 wrote to memory of 1928	3660	msedge.exe	86
PID 3660 wrote to memory of 1928	3660	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://recoilwizard.com/RecoilWizard.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff96f5846f8,0x7ff96f584708,0x7ff96f584718
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,9519703371569526919,7431055028447018646,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2240,9519703371569526919,7431055028447018646,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2240,9519703371569526919,7431055028447018646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2596 /prefetch:8
  2⤵
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,9519703371569526919,7431055028447018646,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,9519703371569526919,7431055028447018646,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:1220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,9519703371569526919,7431055028447018646,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:1844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,9519703371569526919,7431055028447018646,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,9519703371569526919,7431055028447018646,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,9519703371569526919,7431055028447018646,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2240,9519703371569526919,7431055028447018646,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5044 /prefetch:8
  2⤵
  PID:676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,9519703371569526919,7431055028447018646,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,9519703371569526919,7431055028447018646,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,9519703371569526919,7431055028447018646,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2240,9519703371569526919,7431055028447018646,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4132 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,9519703371569526919,7431055028447018646,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5732 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3840

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5704

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap27124:86:7zEvent20616
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5788

C:\Users\Admin\Downloads\RecoilWizard\sNICnfyKKLvqlMP.exe
"C:\Users\Admin\Downloads\RecoilWizard\sNICnfyKKLvqlMP.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 2
  2⤵
  PID:1396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
  2⤵
  PID:100
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM cmd.exe >NUL 2>&1
  2⤵
  PID:4380
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cmd.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM powershell.exe >NUL 2>&1
  2⤵
  PID:2328
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM powershell.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4896

C:\Users\Admin\Downloads\RecoilWizard\sNICnfyKKLvqlMP.exe
"C:\Users\Admin\Downloads\RecoilWizard\sNICnfyKKLvqlMP.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 2
  2⤵
  PID:3524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
  2⤵
  PID:5880
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM cmd.exe >NUL 2>&1
  2⤵
  PID:6044
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cmd.exe
    3⤵
    - Kills process with taskkill
    PID:2068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM powershell.exe >NUL 2>&1
  2⤵
  PID:3804
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM powershell.exe
    3⤵
    - Kills process with taskkill
    PID:4900

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\RecoilWizard\ReadMe.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:5396

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\RecoilWizard\hwid_log.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
184B

MD5
71b28a380885dc0da7b7ca878811a980

SHA1
c8eee48a060f45e94468cb57e82a1b074f69454e

SHA256
2f01e8a365acd7d6d3b14b6263f864a2ff4cc83e92eb969bc8b7cb6c92284013

SHA512
31b2c82f66ef9b400a319d803b2be8b1993ab9de427a961e3ccb2e505fe7d4aa56ae56739f8ff2608fad0403230270d669b991c3c3e8d42f7a09dbe3d0c08cc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
232929bbf569c1f23defc3482fc8ba01

SHA1
e2ad604cb9d0886145f6eb4995df20d6cd6775e8

SHA256
0d61cf875bb8f69a91741d6e1eb02bc4e5966467a12aec1482645020a2a71292

SHA512
a6923c6f1ba21171a9bfaf2cea60c458095cc8a14651fff776e2031fe5b6a6ba338a509166a6bd3565891b9a7597c264f2088287f843490124b4ff0213616d9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
060c592c0c1b25aa1bcfcb82d169edcf

SHA1
e03e6913294f75cdd70cab520ff596b55bd6da69

SHA256
a080585ca9dfaf168dbaedeedcf2715d24d4b23d34843768376efdbe91b87f84

SHA512
0c894583cf06dfe800d8122923a1b67765339ab659c1e87343cf7f1bd0dc2d1f43ec49a8d6d9d3f1912c5f82fa243dd1f2270a0a4955df9c45bda25c7d9bd8af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3448815117f98c1ccf24bf438c903bec

SHA1
d5b2eb0e6edd140547c631383d47947756d02bdb

SHA256
634d6a2ce44215e0c6e1a1c6627cbb6cc387c59c7463456430447112f50dccbd

SHA512
2aa6c2660d74389b461d5f5e553dd16362d8312a0fec7ba36867286ff370ca680595570d257304abeef66d1029b3979874c6378a2f933eca1bf00c4f28b618f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c3af2c4a3a1a9899af4511fb8cd6239e

SHA1
636ab825e0a4f2451401501fc4d58263f7f78974

SHA256
d634fa25ebcc5e8ee76cb3027a3f11bf63946fa68c485325bab6d018940c009d

SHA512
2bf9e56cbb684ceea05698d31343a792d47a299a3d485eaf1683480c9928db7d4b911a2c0ec567b9af1005c68372c7ef151dc5847a0ed73158d2d012ff43f759

Download Submit
C:\Users\Admin\Downloads\RecoilWizard.zip

Filesize
20.1MB

MD5
23ef354d39c84aa524ce1db1c10f835b

SHA1
aa18d971f31bcbeaccd7cfcdce8a4813ac2d2da9

SHA256
fcc5e58f843b3535708aa8a3ae38c2df9dc5d19587dd95199608f7b9dd173ea7

SHA512
f1f6df9c9a616a0efc5eb7bc8204deebb43a817d9302e62babae9fc2b7db52662ee585a55b58ee12f91d0983232a602181743962fc99f61059133ba9153015d8

Download Submit
C:\Users\Admin\Downloads\RecoilWizard\ReadMe.txt

Filesize
1KB

MD5
ea1e63ff70ff13a40775a284ba8183b0

SHA1
fcde5d691e41b116f4e0be47a75befb603cb0c7d

SHA256
57678730324a206e0e0cb2d3e779271b7ee1f3b5a77180195fb733d9a7d52102

SHA512
fb82986fe22639bba76881addea59e991f5c6283f9806e6d30e686654e161490e6c26e625344a23ef04da4bf6fa2100a9bbbb74e8c08687b002766f383001506

Download Submit
C:\Users\Admin\Downloads\RecoilWizard\hwid_log.txt

Filesize
528B

MD5
d1f21220475592da541236e942c29524

SHA1
f2483810b6d4b3232d310508a3d564a23537ce7a

SHA256
57b3b586ba15c4196d4cb13a712375a36f4a95c855be592bdb49749f86e12ae4

SHA512
c772cd7763902a2bae4f5b836c721057ae2b1a3c2ac42a5c3e72170ce9043ec2c9175ccebf98f357f2ba5313df7b3bc39b2257d7343fbe6bae9902e845cd01b0

Download Submit
C:\Users\Admin\Downloads\RecoilWizard\sNICnfyKKLvqlMP.exe

Filesize
22.2MB

MD5
2bb9b74151fc48db4a8eb6e02d29ab32

SHA1
4dbc36c698ff2d7ac1a2ba11c731ecfb2e0144f0

SHA256
c26960aaf308f7453d1c2ed5224aba141aae1fe38d17d8b5a1f976bd8ead7cdb

SHA512
4a0730d1479a5f4c1b185a591202f43c75a3e13b59146aa6e25da14b333ce2cafb8d09434d2ffd6f293957dd1e6482b4a01925d33e4c604d0b03639aee8b32c3

Download Submit
memory/4532-252-0x0000000140000000-0x0000000142DB1000-memory.dmp

Filesize
45.7MB

Download
memory/5960-128-0x00007FF97E660000-0x00007FF97E662000-memory.dmp

Filesize
8KB

Download
memory/5960-135-0x00007FF97E6D0000-0x00007FF97E6D2000-memory.dmp

Filesize
8KB

Download
memory/5960-120-0x00007FF97E5E0000-0x00007FF97E5E2000-memory.dmp

Filesize
8KB

Download
memory/5960-121-0x00007FF97E5F0000-0x00007FF97E5F2000-memory.dmp

Filesize
8KB

Download
memory/5960-122-0x00007FF97E600000-0x00007FF97E602000-memory.dmp

Filesize
8KB

Download
memory/5960-123-0x00007FF97E610000-0x00007FF97E612000-memory.dmp

Filesize
8KB

Download
memory/5960-124-0x00007FF97E620000-0x00007FF97E622000-memory.dmp

Filesize
8KB

Download
memory/5960-125-0x00007FF97E630000-0x00007FF97E632000-memory.dmp

Filesize
8KB

Download
memory/5960-126-0x00007FF97E640000-0x00007FF97E642000-memory.dmp

Filesize
8KB

Download
memory/5960-127-0x00007FF97E650000-0x00007FF97E652000-memory.dmp

Filesize
8KB

Download
memory/5960-118-0x00007FF97E5C0000-0x00007FF97E5C2000-memory.dmp

Filesize
8KB

Download
memory/5960-129-0x00007FF97E670000-0x00007FF97E672000-memory.dmp

Filesize
8KB

Download
memory/5960-130-0x00007FF97E680000-0x00007FF97E682000-memory.dmp

Filesize
8KB

Download
memory/5960-131-0x00007FF97E690000-0x00007FF97E692000-memory.dmp

Filesize
8KB

Download
memory/5960-132-0x00007FF97E6A0000-0x00007FF97E6A2000-memory.dmp

Filesize
8KB

Download
memory/5960-133-0x00007FF97E6B0000-0x00007FF97E6B2000-memory.dmp

Filesize
8KB

Download
memory/5960-134-0x00007FF97E6C0000-0x00007FF97E6C2000-memory.dmp

Filesize
8KB

Download
memory/5960-119-0x00007FF97E5D0000-0x00007FF97E5D2000-memory.dmp

Filesize
8KB

Download
memory/5960-136-0x0000000002070000-0x00000000024EE000-memory.dmp

Filesize
4.5MB

Download
memory/5960-143-0x0000000002070000-0x00000000024EE000-memory.dmp

Filesize
4.5MB

Download
memory/5960-144-0x00000000024F0000-0x0000000002B22000-memory.dmp

Filesize
6.2MB

Download
memory/5960-170-0x0000000002C00000-0x0000000002CA4000-memory.dmp

Filesize
656KB

Download
memory/5960-169-0x0000000002B30000-0x0000000002BFC000-memory.dmp

Filesize
816KB

Download
memory/5960-168-0x00000000004D0000-0x00000000004EA000-memory.dmp

Filesize
104KB

Download
memory/5960-171-0x00000000024F0000-0x0000000002B22000-memory.dmp

Filesize
6.2MB

Download
memory/5960-172-0x0000000140000000-0x0000000142DB1000-memory.dmp

Filesize
45.7MB

Download
memory/5960-162-0x0000000002C00000-0x0000000002CA4000-memory.dmp

Filesize
656KB

Download
memory/5960-156-0x0000000002B30000-0x0000000002BFC000-memory.dmp

Filesize
816KB

Download
memory/5960-150-0x00000000004D0000-0x00000000004EA000-memory.dmp

Filesize
104KB

Download
memory/5960-142-0x0000000002070000-0x00000000024EE000-memory.dmp

Filesize
4.5MB

Download
memory/5960-180-0x0000000140000000-0x0000000142DB1000-memory.dmp

Filesize
45.7MB

Download
memory/5960-117-0x00007FF97E5B0000-0x00007FF97E5B2000-memory.dmp

Filesize
8KB

Download
memory/5960-116-0x00007FF97E5A0000-0x00007FF97E5A2000-memory.dmp

Filesize
8KB

Download
memory/5960-115-0x00007FF97E590000-0x00007FF97E592000-memory.dmp

Filesize
8KB

Download
memory/5960-105-0x0000000140000000-0x0000000142DB1000-memory.dmp

Filesize
45.7MB

Download