Analysis

max time kernel: 147s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/10/2024, 01:57
Static task: static1
Behavioral task: behavioral1
Sample: f4052e52fed661fd05ea39a5187781ec6c234c5d7ea4ab91cd77f2e1d2c709b5.ps1
Resource: win7-20240903-en

General

Target: f4052e52fed661fd05ea39a5187781ec6c234c5d7ea4ab91cd77f2e1d2c709b5.ps1
Size: 2KB
MD5: 797992ab276d218d7feb2e6e8b2fd678
SHA1: 99cfbecaebc79e723603997fb2102363319103eb
SHA256: f4052e52fed661fd05ea39a5187781ec6c234c5d7ea4ab91cd77f2e1d2c709b5
SHA512: 702007e1ea9df25b54d996a8fcfea344812bd58f5fe70b1e7d1ba528ee1968148536c7a4c8bcd8e22d2087d539485fcd63e639449f1243cea62d513d82952479
Malware Config
Signatures

Command and Scripting Interpreter: PowerShell 2 IoCs
  pid   Process
  3376  powershell.exe
  1064  powershell.exe
Enumerates system info in registry 2 TTPs 3 IoCs
  description        ioc                                                                    Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs (identical rows collapsed, count per row)
  pid   Process              count
  3376  powershell.exe       2
  1064  powershell.exe       2
  232   msedge.exe           2
  1376  msedge.exe           2
  668   identity_helper.exe  2
  1920  msedge.exe           4

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  pid   Process     count
  1376  msedge.exe  6

Suspicious use of AdjustPrivilegeToken 2 IoCs
  description              pid   Process
  Token: SeDebugPrivilege  3376  powershell.exe
  Token: SeDebugPrivilege  1064  powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs
  pid   Process     count
  1376  msedge.exe  25

Suspicious use of SendNotifyMessage 24 IoCs
  pid   Process     count
  1376  msedge.exe  24

Suspicious use of WriteProcessMemory 64 IoCs (identical rows collapsed, count per row)
  description                        pid   Process         procid_target  count
  PID 3376 wrote to memory of 1064   3376  powershell.exe  83             2
  PID 3376 wrote to memory of 1376   3376  powershell.exe  85             2
  PID 1376 wrote to memory of 3780   1376  msedge.exe      86             2
  PID 1376 wrote to memory of 4480   1376  msedge.exe      88             40
  PID 1376 wrote to memory of 232    1376  msedge.exe      89             2
  PID 1376 wrote to memory of 5088   1376  msedge.exe      90             16
Processes

powershell.exe (PID 3376)
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\f4052e52fed661fd05ea39a5187781ec6c234c5d7ea4ab91cd77f2e1d2c709b5.ps1
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  powershell.exe (PID 1064)
    Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  msedge.exe (PID 1376)
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://meet.google.com/
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    msedge.exe (PID 3780)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd807146f8,0x7ffd80714708,0x7ffd80714718

    msedge.exe (PID 4480)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,7777493912682460458,16071050574818682386,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2292 /prefetch:2

    msedge.exe (PID 232)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,7777493912682460458,16071050574818682386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    msedge.exe (PID 5088)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,7777493912682460458,16071050574818682386,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8

    msedge.exe (PID 4152)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7777493912682460458,16071050574818682386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1

    msedge.exe (PID 1152)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7777493912682460458,16071050574818682386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1

    identity_helper.exe (PID 2256)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,7777493912682460458,16071050574818682386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8

    identity_helper.exe (PID 668)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,7777493912682460458,16071050574818682386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    msedge.exe (PID 2560)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7777493912682460458,16071050574818682386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1

    msedge.exe (PID 1148)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7777493912682460458,16071050574818682386,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1

    msedge.exe (PID 1064)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7777493912682460458,16071050574818682386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1

    msedge.exe (PID 4868)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7777493912682460458,16071050574818682386,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1

    msedge.exe (PID 1920)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,7777493912682460458,16071050574818682386,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3152 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

CompPkgSrv.exe (PID 1324)
  Path: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

CompPkgSrv.exe (PID 2232)
  Path: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 152B
  MD5: 847d47008dbea51cb1732d54861ba9c9
  SHA1: f2099242027dccb88d6f05760b57f7c89d926c0d
  SHA256: 10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1
  SHA512: bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

- Filesize: 152B
  MD5: f9664c896e19205022c094d725f820b6
  SHA1: f8f1baf648df755ba64b412d512446baf88c0184
  SHA256: 7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e
  SHA512: 3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 504B
  MD5: 6b58c17b60ca260897bfdbd46003349c
  SHA1: 920e5a73fae6a42781a12d75d193cba37e1241e8
  SHA256: b5d3af532288cd7e338688cdc9cef3053202ad254a39e2f38f70335f50ed9071
  SHA512: c82c66bbc4d232bfedffee2f1bc6fddcf8aa3e3d6edaaedad4624982ed52b726926f4efa9e8930d3b9fa3fb6bc48c1e5de3934c1ce2ca341c8664612245da3f1

- Filesize: 2KB
  MD5: 08152dda60cb1ac09093f0fe81694cb9
  SHA1: 1662694175341e360c71378b121054865c31bbb9
  SHA256: eb6229753ba397214579a3c8a70fa0fa5f266e3de9a4af3da77a651547abf1e3
  SHA512: ea59d64712b2089db67fcc8e549c0e2035c42a9cbb217b1aef0a004bbd6d17ff30ee94497dca7e711e8598a6f60065d8a3b5b902614f8db20cdbca7889b1d143

- Filesize: 5KB
  MD5: 3fe05e25a59c9411f00841c4495a9e89
  SHA1: b662516593cb4269da64fc8d53846161c163dc35
  SHA256: 427d759849d5230b353d9a0b7d8a405410411692a5aa8d9fbadf5b7ebd3336c0
  SHA512: cbd108659f817b30e285a953ede4af221779a76200ae3214d9e0a3820249093f27cbcb9237ea13b79d018e6da03a583e8f872b2c653ba86f3c2eb9b5d0ee424c

- Filesize: 7KB
  MD5: e8b27ab5a1e6c5b5bcb636e55c553c67
  SHA1: 889b9a148bb11bde9768c0fb06db5cd2a244afef
  SHA256: 3b28258627448252344b328e53674fb5d11b2300137f6806e59974eb52115057
  SHA512: 1481fc17e7254f019f704a710b70ae0219dd7fc19c757d3e55fa23658a2b74ed5554348b786c43dd773e8101ba2641a9b48cde70a149d9869b5983a2619d8680

- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

- Filesize: 10KB
  MD5: 7a6fcea140f862fac6d4ca70a8aabe53
  SHA1: 615016daf349dac9ca1e651fd183b757324d5c87
  SHA256: 4714eab7de001631674b10cb863463c78b3b094d983dd3d2cb1a9beef01ec6ec
  SHA512: 27d10f90b931d5486b418c258ec594e2b7d6988fae458a7e5b6e06a8cd0cc1ba05f0f5d43ca8e185f48ed9c4381cd9e339723d4bcedf14faa0feec225d70888e

- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82