hxxp://ramsomware

Analysis

max time kernel
274s
max time network
246s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
24-08-2024 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://ramsomware

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
8	msedge.exe
8	msedge.exe
1276	msedge.exe
1276	msedge.exe
1408	msedge.exe
1408	msedge.exe
3444	identity_helper.exe
3444	identity_helper.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 5016	1276	msedge.exe	81
PID 1276 wrote to memory of 5016	1276	msedge.exe	81
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 1156	1276	msedge.exe	82
PID 1276 wrote to memory of 8	1276	msedge.exe	83
PID 1276 wrote to memory of 8	1276	msedge.exe	83
PID 1276 wrote to memory of 952	1276	msedge.exe	84
PID 1276 wrote to memory of 952	1276	msedge.exe	84
PID 1276 wrote to memory of 952	1276	msedge.exe	84
PID 1276 wrote to memory of 952	1276	msedge.exe	84
PID 1276 wrote to memory of 952	1276	msedge.exe	84
PID 1276 wrote to memory of 952	1276	msedge.exe	84
PID 1276 wrote to memory of 952	1276	msedge.exe	84
PID 1276 wrote to memory of 952	1276	msedge.exe	84
PID 1276 wrote to memory of 952	1276	msedge.exe	84
PID 1276 wrote to memory of 952	1276	msedge.exe	84
PID 1276 wrote to memory of 952	1276	msedge.exe	84
PID 1276 wrote to memory of 952	1276	msedge.exe	84
PID 1276 wrote to memory of 952	1276	msedge.exe	84
PID 1276 wrote to memory of 952	1276	msedge.exe	84
PID 1276 wrote to memory of 952	1276	msedge.exe	84
PID 1276 wrote to memory of 952	1276	msedge.exe	84
PID 1276 wrote to memory of 952	1276	msedge.exe	84
PID 1276 wrote to memory of 952	1276	msedge.exe	84
PID 1276 wrote to memory of 952	1276	msedge.exe	84
PID 1276 wrote to memory of 952	1276	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ramsomware
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe1fd13cb8,0x7ffe1fd13cc8,0x7ffe1fd13cd8
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,6577157942972802727,12071264771031336739,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:1156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,6577157942972802727,12071264771031336739,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,6577157942972802727,12071264771031336739,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
  2⤵
  PID:952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6577157942972802727,12071264771031336739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6577157942972802727,12071264771031336739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6577157942972802727,12071264771031336739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6577157942972802727,12071264771031336739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6577157942972802727,12071264771031336739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6577157942972802727,12071264771031336739,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,6577157942972802727,12071264771031336739,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3392 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6577157942972802727,12071264771031336739,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:704
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,6577157942972802727,12071264771031336739,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3448 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6577157942972802727,12071264771031336739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:1060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6577157942972802727,12071264771031336739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6577157942972802727,12071264771031336739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,6577157942972802727,12071264771031336739,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3552 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c3889d3f0d2246f800c495aec7c3f7c

SHA1
dd38e6bf74617bfcf9d6cceff2f746a094114220

SHA256
0a4781bca132edf11500537cbf95ff840c2b6fd33cd94809ca9929f00044bea4

SHA512
2d6cb23e2977c0890f69751a96daeb71e0f12089625f32b34b032615435408f21047b90c19de09f83ef99957681440fdc0c985e079bb196371881b5fdca68a37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c4a10f6df4922438ca68ada540730100

SHA1
4c7bfbe3e2358a28bf5b024c4be485fa6773629e

SHA256
f286c908fea67163f02532503b5555a939f894c6f2e683d80679b7e5726a7c02

SHA512
b4d407341989e0bbbe0cdd64f7757bea17f0141a89104301dd7ffe45e7511d3ea27c53306381a29c24df68bdb9677eb8c07d4d88874d86aba41bb6f0ce7a942c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8377946a51b1e22da608305bb3b79bab

SHA1
c64f96083ca2ce06418e276e58c2e7a7bbedf422

SHA256
e2f44e5a62379888cc7bfbdfe127f074e7779883f9bbae445a9d153800264e38

SHA512
6ccb3ec05ac000826388f72b41d5758479bee3d0ec4b36f9cea6fd119a74305d6d9cfb322ae07b8e806e631ad786822e594980d47c33eb5b021f942d0aa29cca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c3aeaa4246359c3c0538d5252056c061

SHA1
ca63d5803685c7231b7520fe8fd0f486f01dd6b3

SHA256
2fde05ab42badb08415a39ca33caa279fc76f0ed5557dcb977059ab3f9300ac0

SHA512
59f49d16d6b994fd251ee5b5bb6a3a6befb0effe361a36359c77f9fe35e0c4ef5ce49832c9a52684b5ab9f7e12b67f8b89f53e531190ed7e175fcc2b1a08fb5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
85ac0de96207f1a0d6c703323c47d6d8

SHA1
dc8024fd634e4823e2135b942fd77e4b74b2e91c

SHA256
aa516188c2ba00e29b655b56e1065471ef1f2523da3c569fd1713057bb05138f

SHA512
b324a80ffc85f3cd82247b583c1fccddf7cb3e32e77d2d115a2a4d57baca153e2f99c17eabc93c27c55904c2ec1b04369b7fbcb4bae544efc900a09e60e34d4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
13d58456f3450183ba52b7919f42e78f

SHA1
8c97a6bf892a93fc8b73f76732b3affcf8f0493c

SHA256
0d250ae47b5c294295c780ef3dcf8ce9e789120ca5c719fc468454d709387644

SHA512
15c696f2d2e52aa44ee470505d6a160e14a4d295f5a1e6b05533fcb5a667149c9b56e3e5107437f0cf2c2f21a58b6f0bfde6ca770e43405de27c690f63bbda87

Download Submit