mimikatz | hxxps://github[.]com/enginestein/Virus-Collection/raw/main/Windows/Binaries/Ransomware/NotPetya[.]exe

Analysis

max time kernel
63s
max time network
66s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
16-09-2024 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/enginestein/Virus-Collection/raw/main/Windows/Binaries/Ransomware/NotPetya.exe

Score

10^/10

mimikatz bootkit defense_evasion discovery persistence spyware stealer

Malware Config

Signatures

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x000200000002aa8f-125.dat	mimikatz

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
4944	NotPetya.exe
1124	735A.tmp

Loads dropped DLL 1 IoCs

pid	Process
232	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
12	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in Program Files directory 54 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\javafx-src.zip	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\FPEXT.MSG	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Dark.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Dark.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ENUtxt.pdf	rundll32.exe
File opened for modification	C:\Program Files\ConfirmGet.doc	rundll32.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrome.7z	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\classfile_constants.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.PPT	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jvmti.h	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Bus Schedule.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jni.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\jni_md.h	rundll32.exe
File opened for modification	C:\Program Files\RenameProtect.pptx	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Complex Machine.pdf	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.PPT	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Acrobat Pro DC.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jawt.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Cloud Services.pdf	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPP.VBS	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\SHELLNEW\EXCEL12.XLSX	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Sign White Paper.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Dark.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\amd64\jvm.cfg	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Light.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jdwpTransport.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.cfg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\java.settings.cfg	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS	rundll32.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\perfc.dat	NotPetya.exe
File opened for modification	C:\Windows\perfc.dat	rundll32.exe
File created	C:\Windows\perfc	rundll32.exe
File created	C:\Windows\dllhost.dat	rundll32.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\NotPetya.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NotPetya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 115915.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NotPetya.exe:Zone.Identifier	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4992	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2624	msedge.exe
2624	msedge.exe
5020	msedge.exe
5020	msedge.exe
1592	msedge.exe
1592	msedge.exe
4624	identity_helper.exe
4624	identity_helper.exe
4388	msedge.exe
4388	msedge.exe
232	rundll32.exe
232	rundll32.exe
1124	735A.tmp
1124	735A.tmp
1124	735A.tmp
1124	735A.tmp
1124	735A.tmp
1124	735A.tmp
1124	735A.tmp

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	232	rundll32.exe
Token: SeDebugPrivilege	232	rundll32.exe
Token: SeTcbPrivilege	232	rundll32.exe
Token: SeDebugPrivilege	1124	735A.tmp

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4944	NotPetya.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 3436	5020	msedge.exe	80
PID 5020 wrote to memory of 3436	5020	msedge.exe	80
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 3704	5020	msedge.exe	82
PID 5020 wrote to memory of 2624	5020	msedge.exe	83
PID 5020 wrote to memory of 2624	5020	msedge.exe	83
PID 5020 wrote to memory of 2716	5020	msedge.exe	84
PID 5020 wrote to memory of 2716	5020	msedge.exe	84
PID 5020 wrote to memory of 2716	5020	msedge.exe	84
PID 5020 wrote to memory of 2716	5020	msedge.exe	84
PID 5020 wrote to memory of 2716	5020	msedge.exe	84
PID 5020 wrote to memory of 2716	5020	msedge.exe	84
PID 5020 wrote to memory of 2716	5020	msedge.exe	84
PID 5020 wrote to memory of 2716	5020	msedge.exe	84
PID 5020 wrote to memory of 2716	5020	msedge.exe	84
PID 5020 wrote to memory of 2716	5020	msedge.exe	84
PID 5020 wrote to memory of 2716	5020	msedge.exe	84
PID 5020 wrote to memory of 2716	5020	msedge.exe	84
PID 5020 wrote to memory of 2716	5020	msedge.exe	84
PID 5020 wrote to memory of 2716	5020	msedge.exe	84
PID 5020 wrote to memory of 2716	5020	msedge.exe	84
PID 5020 wrote to memory of 2716	5020	msedge.exe	84
PID 5020 wrote to memory of 2716	5020	msedge.exe	84
PID 5020 wrote to memory of 2716	5020	msedge.exe	84
PID 5020 wrote to memory of 2716	5020	msedge.exe	84
PID 5020 wrote to memory of 2716	5020	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/enginestein/Virus-Collection/raw/main/Windows/Binaries/Ransomware/NotPetya.exe
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffce4463cb8,0x7ffce4463cc8,0x7ffce4463cd8
  2⤵
  PID:3436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,12930183542233797812,3378283332305916450,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,12930183542233797812,3378283332305916450,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,12930183542233797812,3378283332305916450,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
  2⤵
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12930183542233797812,3378283332305916450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2628 /prefetch:1
  2⤵
  PID:472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12930183542233797812,3378283332305916450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,12930183542233797812,3378283332305916450,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12930183542233797812,3378283332305916450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1904,12930183542233797812,3378283332305916450,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12930183542233797812,3378283332305916450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12930183542233797812,3378283332305916450,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12930183542233797812,3378283332305916450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
  2⤵
  PID:1804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12930183542233797812,3378283332305916450,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,12930183542233797812,3378283332305916450,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,12930183542233797812,3378283332305916450,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4252

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3012

C:\Users\Admin\Downloads\NotPetya.exe
"C:\Users\Admin\Downloads\NotPetya.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4944
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:232
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 11:18
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1116
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 11:18
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4992
- - C:\Users\Admin\AppData\Local\Temp\735A.tmp
    "C:\Users\Admin\AppData\Local\Temp\735A.tmp" \\.\pipe\{2AE8981B-9EE7-44EA-833B-FCFE7B857D19}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e2612636cf368bc811fdc8db09e037d

SHA1
d69e34379f97e35083f4c4ea1249e6f1a5f51d56

SHA256
2eecaacf3f2582e202689a16b0ac1715c628d32f54261671cf67ba6abbf6c9f9

SHA512
b3cc3bf967d014f522e6811448c4792eed730e72547f83eb4974e832e958deb7e7f4c3ce8e0ed6f9c110525d0b12f7fe7ab80a914c2fe492e1f2d321ef47f96d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e8115549491cca16e7bfdfec9db7f89a

SHA1
d1eb5c8263cbe146cd88953bb9886c3aeb262742

SHA256
dfa9a8b54936607a5250bec0ed3e2a24f96f4929ca550115a91d0d5d68e4d08e

SHA512
851207c15de3531bd230baf02a8a96550b81649ccbdd44ad74875d97a700271ef96e8be6e1c95b2a0119561aee24729cb55c29eb0b3455473688ef9132ed7f54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a79f92c99d3c4cea7afb6a267fa0148a

SHA1
44ebfd9673d179fd80969dabaeb1e9296a6c4df9

SHA256
c2a1467d0477dc267530069145b89ca05d41cf283a7c9c801d1854e1d61ce0a8

SHA512
0e860651aeaf4674fd189eabadc587fd677555de77fcb794fc6e7703d0eb9182aa33f2ffeea98af32b4d51fd87eb2f18e41bf374b309f2ef3305f66d789ba0b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0c48e978fa44a066dcde2ce40f2f2d27

SHA1
df4c50895aaaca9870f24da0d096d595031bf034

SHA256
cb5b0fc33aeecc8225d295b5945b37ce189eaa9657e3da0dd4094027418875c1

SHA512
a6b48c2dd6b235ceba6f7f9e455b4b06d3bd8477cb01c5611c2c3fb169c4ea31687f3dd5e30beeff0134f5523761004ae18a82bef6dedcfd9607aca2cc63fd05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
61acd662fa71655c296a43caf12e3a0e

SHA1
fe879ef426c3a78683390bd475fef4f532e85f2e

SHA256
7d58bd721c2da2da381c16682848384eb21aa0b4663acca2c277dbb30140d63f

SHA512
da1279182252545eb9c41ef124a661f19367e75ced0b1673d8b20cf4d61258540c09b1cc85a42ca5edb9266b823ab0755d985ab40a7d41fba8ed8f60e0997ead

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f971f3eaf40e7bfe4b1cf36f179d6969

SHA1
cf4d3b0e078a341489fc451785a50459f9d3d12f

SHA256
503b0a365c165f838fca60024a26d656f31c6c9d6a474e7891f0cf20092d1614

SHA512
d5993cea8042e9f332999711ef9442aca2fdafefc18d1d700374547c73f5b52c8329e52fbb5285433e8586e3d36d3de28e3654c14fb7cc1670d98d5c42da7d89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ef51c2c8144f66a8a7561f667faf9ad5

SHA1
d57607e2807ebc974925ca4e29411f23631e1c30

SHA256
7a8d5469a9b3fc9fd60524311112567c9390c54544c6c9d06915b835848b4e56

SHA512
4e2f3baae8e08c3273a9469724298d6f158d75c52f3c650b725992a5c1f63f7889415dda8b36ac2d5241a40b09c2ce824b639fb2edfc0381a8608f26fb0e3a22

Download Submit
C:\Users\Admin\AppData\Local\Temp\735A.tmp

Filesize
55KB

MD5
7e37ab34ecdcc3e77e24522ddfd4852d

SHA1
38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf

SHA256
02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f

SHA512
1b037a2aa8bf951d2ffe2f724aa0b2fbb39c2173215806ba0327bda7b096301d887f9bb7db46f9e04584b16aa6b1aaeaf67f0ecf5f20eb02ceac27c8753ca587

Download Submit
C:\Users\Admin\Downloads\NotPetya.exe:Zone.Identifier

Filesize
144B

MD5
0bf28c827ca43396efe758f0c785a3ae

SHA1
f3393e00d35ca56d31ed9898fb1bf39beb55ad9f

SHA256
24e4be28cba4105e1aa3ce5279cff709f9ae3327e94613888e1578ec34169244

SHA512
acac7d753fbfa645d7e3a953118b05974cecb69fc0b86ad29c7156dceb16da75f0fc1124bca35fea70858720201683b26556155864ca62252fccb8ff548f3346

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 115915.crdownload

Filesize
390KB

MD5
5b7e6e352bacc93f7b80bc968b6ea493

SHA1
e686139d5ed8528117ba6ca68fe415e4fb02f2be

SHA256
63545fa195488ff51955f09833332b9660d18f8afb16bdf579134661962e548a

SHA512
9d24af0cb00fb8a5e61e9d19cd603b5541a22ae6229c2acf498447e0e7d4145fee25c8ab9d5d5f18f554e6cbf8ca56b7ca3144e726d7dfd64076a42a25b3dfb6

Download Submit
C:\Windows\perfc.dat

Filesize
353KB

MD5
71b6a493388e7d0b40c83ce903bc6b04

SHA1
34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d

SHA256
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745

SHA512
072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f

Download Submit
C:\Windows\perfc.dat

Filesize
353KB

MD5
87e48f32628f23eee59ed36b93735293

SHA1
d9f9a61b4ac96ede4c9e719f475321a160a00bed

SHA256
1799b513968e260d524305c64ef65a6390ce4592972a95711aa10f8923786619

SHA512
2440643ca3dee4e1dffb5d6355481bafffc843959712115d6c8eb7a3d692782eb55253df028fc904aef4b409fcfc59b9d2b8a9262f85b93c4adb124d1bff6188

Download Submit
memory/232-111-0x00000000022D0000-0x000000000232E000-memory.dmp

Filesize
376KB

Download
memory/232-119-0x00000000022D0000-0x000000000232E000-memory.dmp

Filesize
376KB

Download
memory/232-122-0x00000000022D0000-0x000000000232E000-memory.dmp

Filesize
376KB

Download
memory/232-120-0x00000000022D0000-0x000000000232E000-memory.dmp

Filesize
376KB

Download
memory/232-133-0x00000000022D0000-0x000000000232E000-memory.dmp

Filesize
376KB

Download