69018330addd15f93caaffffad1c9277319a3d1099343bb00457f0c6d6ee903d

Analysis

max time kernel
134s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2024 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Unlock_Tool.zip
Size

43.3MB
MD5

456ddeb136247119855b9c0156e1c81d
SHA1

446cd3b1bac934345ab8c9122a107b4155a11cb1
SHA256

69018330addd15f93caaffffad1c9277319a3d1099343bb00457f0c6d6ee903d
SHA512

dbd2fb034b642e46db5ddb2ca11dc11235f43f98c20f32bb08eb6d65990811d8c88f76f88e87c3784f47e5b612fd2e4cd03d17c54ea1c0b3f616dd1aed85a5ac
SSDEEP

786432:02W85xHdbAXsgHqQCV0BiotGwIDxJOZW4jro72paQcyqJvCf8BrhDZAZN:0X85xHhAXpIo8wuxMZvvH0JKMrhNWN

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2484	msedge.exe
2484	msedge.exe
3236	msedge.exe
3236	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3236 wrote to memory of 3432	3236	msedge.exe	112
PID 3236 wrote to memory of 3432	3236	msedge.exe	112
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 4568	3236	msedge.exe	113
PID 3236 wrote to memory of 2484	3236	msedge.exe	114
PID 3236 wrote to memory of 2484	3236	msedge.exe	114
PID 3236 wrote to memory of 3332	3236	msedge.exe	115
PID 3236 wrote to memory of 3332	3236	msedge.exe	115
PID 3236 wrote to memory of 3332	3236	msedge.exe	115
PID 3236 wrote to memory of 3332	3236	msedge.exe	115
PID 3236 wrote to memory of 3332	3236	msedge.exe	115
PID 3236 wrote to memory of 3332	3236	msedge.exe	115
PID 3236 wrote to memory of 3332	3236	msedge.exe	115
PID 3236 wrote to memory of 3332	3236	msedge.exe	115
PID 3236 wrote to memory of 3332	3236	msedge.exe	115
PID 3236 wrote to memory of 3332	3236	msedge.exe	115
PID 3236 wrote to memory of 3332	3236	msedge.exe	115
PID 3236 wrote to memory of 3332	3236	msedge.exe	115
PID 3236 wrote to memory of 3332	3236	msedge.exe	115
PID 3236 wrote to memory of 3332	3236	msedge.exe	115
PID 3236 wrote to memory of 3332	3236	msedge.exe	115
PID 3236 wrote to memory of 3332	3236	msedge.exe	115
PID 3236 wrote to memory of 3332	3236	msedge.exe	115
PID 3236 wrote to memory of 3332	3236	msedge.exe	115
PID 3236 wrote to memory of 3332	3236	msedge.exe	115
PID 3236 wrote to memory of 3332	3236	msedge.exe	115

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Unlock_Tool.zip
1⤵
PID:4792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://temp/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe697b46f8,0x7ffe697b4708,0x7ffe697b4718
  2⤵
  PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,11505316724499974992,13365117542367233854,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2032 /prefetch:2
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,11505316724499974992,13365117542367233854,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,11505316724499974992,13365117542367233854,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
  2⤵
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,11505316724499974992,13365117542367233854,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,11505316724499974992,13365117542367233854,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,11505316724499974992,13365117542367233854,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
  2⤵
  PID:4772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3984

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\91a3f538-6ed4-4859-a68f-6a00776d703b.tmp

Filesize
6KB

MD5
566850ac2a4634ff58338d6616609c49

SHA1
8afbfa639f50e7ed3d61df000cc363bda51467f3

SHA256
09ab8f2f2274369a7bfb15b19680150aa51773cb0218ccfc39b2c93a2eacfa4a

SHA512
b23fd071b49239a1fec885c8b00e3d899da4f4d53edc21393e0d22ffb8112635603413d6067ec59b670e260eb209ca0d4a3ec5694c03851ce7aa62a88b9393f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2c0ddc76585aab1eb2390a2da93598fe

SHA1
b7895723c4afebba3f412b5079c086e8f87695dd

SHA256
5b63fc453a1962d5ded45654492fe38b9e4a0c423e505b0eaa4f3b7229a732da

SHA512
722ca48ee290e2bc420f20b3e68286e10cc720b1e33eed3b23b69f536017635888c22f42e9f0fd0dbe635ac4e202df7cbab672a2dd5537ed303ee876538b1969

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9c140b8519dea3bc962e469af51064de

SHA1
b822c3ad2d165f02fc9299860baa2ca95ea0394c

SHA256
5f98e971ad5aedfa4949c0532e6bfb7850d9f15fb31b3741b0a5d30c994f6497

SHA512
dc189a97fb3c2ea1904057a67306ecec2b1ca1fd265815c4d548ff296f32da6c68eda4e4ffda15a1d45f6c6cc5385e7a25c48246aea08264458ab62b61ae81a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit