Analysis
max time kernel: 93s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-09-2024 04:46
Static task: static1
Behavioral task: behavioral1 (Sample: MicrosoftEdge.msi; Resource: win7-20240708-en)
Behavioral task: behavioral2 (Sample: MicrosoftEdge.msi; Resource: win10v2004-20240802-en)
General
Target: MicrosoftEdge.msi
Size: 436KB
MD5: 6ff3f0a2f7f1ec8a71bed37496e2e6fa
SHA1: 66a0ba30d846d65bd91b716e1226b15be42958ff
SHA256: 455163bfa49326fb7787af85cb0decc84100533da38bbdcbf06b2bdb6f7f521a
SHA512: 41641ec872adb885d483a8b229065caf860bde933f7883b158ad47ab0bdddd1a2e92c3d5cf9e7d6161fb251b0020467e5b4db8855fdaa202f0132c658267a2b2
SSDEEP: 6144:etO9iRQYpgjpjew5DHyGxcqo8Cs+QVAnjOl4ieipV8VTGUpHN7UjjIU5ei:etVRQ+gjpjegDro8s48yee8VzHigUc
Malware Config
Signatures
Detects RPCBackdoor (1 IoC)
  resource: behavioral2/files/0x00070000000234f2-71.dat  yara_rule: family_rpcbackdoor
RPCBackdoor
RPCBackdoor is written in C++ and was first seen in 2021.

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  MicrosoftEdge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate  MicrosoftEdge.exe

Modifies file permissions (1 TTP, 1 IoC)
  PID 1896  ICACLS.EXE
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
All 46 entries are "File opened (read-only)" by msiexec.exe, in the order reported:
  \??\A: \??\I: \??\Q: \??\U: \??\K: \??\N: \??\K: \??\N: \??\H: \??\R:
  \??\T: \??\Y: \??\Z: \??\L: \??\R: \??\X: \??\Y: \??\Z: \??\B: \??\V:
  \??\E: \??\G: \??\O: \??\P: \??\T: \??\M: \??\J: \??\S: \??\U: \??\J:
  \??\M: \??\S: \??\V: \??\P: \??\Q: \??\X: \??\H: \??\W: \??\A: \??\G:
  \??\I: \??\W: \??\B: \??\E: \??\L: \??\O:
Drops file in Windows directory (9 IoCs)
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log  msiexec.exe
  File opened for modification  C:\Windows\LOGS\DPX\setuperr.log  EXPAND.EXE
  File created                  C:\Windows\Installer\e57ca45.msi  msiexec.exe
  File opened for modification  C:\Windows\Installer\e57ca45.msi  msiexec.exe
  File created                  C:\Windows\Installer\inprogressinstallinfo.ipi  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSICB2F.tmp  msiexec.exe
  File opened for modification  C:\Windows\LOGS\DPX\setupact.log  EXPAND.EXE
  File created                  C:\Windows\Installer\SourceHash{9F393C2E-6390-4656-AF30-910CE947F703}  msiexec.exe
  File opened for modification  C:\Windows\Installer\  msiexec.exe

Executes dropped EXE (1 IoC)
  PID 1620  MicrosoftEdge.exe

Loads dropped DLL (2 IoCs)
  PID 4212  MsiExec.exe
  PID 1620  MicrosoftEdge.exe

Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
  PID 2940  msiexec.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  EXPAND.EXE
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MicrosoftEdge.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ICACLS.EXE
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters  vssvc.exe
  Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters  vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr  vssvc.exe
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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  vssvc.exe
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe
Checks processor information in registry (2 TTPs, 12 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\6  MicrosoftEdge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\7  MicrosoftEdge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  MicrosoftEdge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  MicrosoftEdge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3  MicrosoftEdge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\5  MicrosoftEdge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2  MicrosoftEdge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\4  MicrosoftEdge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  MicrosoftEdge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1  MicrosoftEdge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier  MicrosoftEdge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier  MicrosoftEdge.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  MicrosoftEdge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVENDOR  MicrosoftEdge.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 224   msiexec.exe
  PID 224   msiexec.exe
  PID 1620  MicrosoftEdge.exe
  PID 1620  MicrosoftEdge.exe
Suspicious use of AdjustPrivilegeToken (49 IoCs)
Tokens adjusted, in the order reported:
  PID 2940 msiexec.exe:  SeShutdownPrivilege, SeIncreaseQuotaPrivilege
  PID 224  msiexec.exe:  SeSecurityPrivilege
  PID 2940 msiexec.exe:  SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  PID 3304 vssvc.exe:    SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  PID 224  msiexec.exe:  SeBackupPrivilege, SeRestorePrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege
  PID 2968 srtasks.exe:  SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege
Suspicious use of FindShellTrayWindow (1 IoC)
  PID 2940  msiexec.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  PID 224  msiexec.exe  wrote to memory of  2968  (procid_target 94)
  PID 224  msiexec.exe  wrote to memory of  2968  (procid_target 94)
  PID 224  msiexec.exe  wrote to memory of  4212  (procid_target 96)
  PID 224  msiexec.exe  wrote to memory of  4212  (procid_target 96)
  PID 224  msiexec.exe  wrote to memory of  4212  (procid_target 96)
  PID 4212  MsiExec.exe  wrote to memory of  1896  (procid_target 97)
  PID 4212  MsiExec.exe  wrote to memory of  1896  (procid_target 97)
  PID 4212  MsiExec.exe  wrote to memory of  1896  (procid_target 97)
  PID 4212  MsiExec.exe  wrote to memory of  4840  (procid_target 99)
  PID 4212  MsiExec.exe  wrote to memory of  4840  (procid_target 99)
  PID 4212  MsiExec.exe  wrote to memory of  4840  (procid_target 99)
  PID 4212  MsiExec.exe  wrote to memory of  1620  (procid_target 101)
  PID 4212  MsiExec.exe  wrote to memory of  1620  (procid_target 101)
  PID 4212  MsiExec.exe  wrote to memory of  1620  (procid_target 101)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (tree; depth shown by indentation)

C:\Windows\system32\msiexec.exe  (PID 2940)
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\MicrosoftEdge.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe  (PID 224)
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\srtasks.exe  (PID 2968)
      command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\syswow64\MsiExec.exe  (PID 4212)
      command line: C:\Windows\syswow64\MsiExec.exe -Embedding 5149490D26414C7715B5004F0EF7287D
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\ICACLS.EXE  (PID 1896)
          command line: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-19d6d77e-24a7-4b18-9d29-8ee8624e71da\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
          - Modifies file permissions
          - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\EXPAND.EXE  (PID 4840)
          command line: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery

        C:\Users\Admin\AppData\Local\Temp\MW-19d6d77e-24a7-4b18-9d29-8ee8624e71da\files\MicrosoftEdge.exe  (PID 1620)
          command line: "C:\Users\Admin\AppData\Local\Temp\MW-19d6d77e-24a7-4b18-9d29-8ee8624e71da\files\MicrosoftEdge.exe"
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Checks processor information in registry
          - Enumerates system info in registry
          - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\vssvc.exe  (PID 3304)
  command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 189KB
MD5: ea5e9cf992aa209fe006fb7ca4195b1c
SHA1: 270447b93d176e7f920a062a7a08eb7947c36163
SHA256: cc50776e1e460cbe8f2d9ea083ccc273c79cdeefeef60c04946d759d1d0eb77d
SHA512: 0210453862c89a4f8e5d03f69bed3cd01a296bd3da31e200b2aefcc089734bdcd7720710643a8e4f58c150c55bced83bef05340c180e1d9ff303736fe11208fa

Filesize: 147KB
MD5: fc860959580c124e7e4781bb08437681
SHA1: b551dd88a1d3d5f277dc174f5d9d11eeea0dafb0
SHA256: eca127142a480fe51e7748159c8d219313a4730d60dc22c4dbbc1bd4d6a67b66
SHA512: abab3d964d5e7b1bdf365a429cbc5b48614f4fb64281d5c0a4b0ce0ab3580fa539ca0f33bc4243dbbe5c6649fa0ce1a2a89de12725a78971001cd768aeb075d2

Filesize: 279KB
MD5: b1a8d000b6a66f272a5859c405c894b0
SHA1: 67cd211ad46cf072ddf210631989713e52336789
SHA256: c8b93075675b6b90cc5a2f58bdd1c52088a511485efd2f9bb6de54c9736e98e5
SHA512: 2dcd268e0840febd7eb3e06bc099c29ff3838b5e75cf0b0f21e65e246bb2be8e2508632488a3804dc0d5f4b2456bdf97fb815eadab9641e34fe62a937de9b94b

Filesize: 1KB
MD5: 617a2374974c69dc311683e067655952
SHA1: 98158857edf00271c3f445e863fa9f6c0eb377b8
SHA256: b1d9d5f268cbae74b7fbb515cb621b6c5e5ca8159550a65240a416ae218e96ab
SHA512: 7eb57932d58588158034c0fff5e09f30b73323ffa2515dcdb291c9e95e6ff6f1adc4655f9dc5daf51ac91af9c56904c090863c51d8f8cd994361112f2ed30a7b

Filesize: 1KB
MD5: 085af77410c27f9cf54c82d76773aff6
SHA1: f88ce5454bf0b5236580e1761902217301a89f9c
SHA256: 90b30220141de0da07098a4d5e8184308157923974c07d385e493c6f2efa2fc9
SHA512: 967ecfef44fdbc45b737baa7b6493ca59c6f99e9a9b0caa80982050ed9e69efc7a1b49fdc923eacd6a80255b2f15867df79ec1dfa8b7db0e70e018b36a69610d

Filesize: 208KB
MD5: 0c8921bbcc37c6efd34faf44cf3b0cb5
SHA1: dcfa71246157edcd09eecaf9d4c5e360b24b3e49
SHA256: fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1
SHA512: ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

Filesize: 23.7MB
MD5: de8833bf7d4ac3b588f17c05e70d33ee
SHA1: 81eb41d60a49a98182ebab5dc73ee47f761333b5
SHA256: ea300696492872543dd186bf2e7a9b8eb1ee5dac205512e384260f836c5d3a10
SHA512: 48bfc5ed63685b9ffbd343c2b7676e99dc12afc6ccec8b6a1904c76614f9f01dfa7f294052000084405a5bdaf0a8aaf5829b2d9468b80d9486517b5195690924

Path: \??\Volume{f171a6e7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{00982436-cdf3-42ba-b3b1-2df40c0a41f7}_OnDiskSnapshotProp
Filesize: 6KB
MD5: e0c6c255b4a902600e7ec3e164f95cc5
SHA1: 749e29a00343da1f18170c577b01073e55f5c24e
SHA256: 01128788c0858cdda404ff49178cb05c14c9b0f3ff51a2d3516f88ee97f7c8e2
SHA512: a68d1ba26694776038fd0b4d7ff2a304ba94a686e82ce74e3340701608666c89302cfe01814f916549486549bd000cd2bd6a17d1e984bf48893fa4818d1488a9