75f4e9cb71e583ca3f8b19691b5754adb9c981580762137f82443e1eec468f9c

Analysis

max time kernel
93s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wordpress-6.7.1.zip
Size

27.3MB
MD5

743489098d970b226772de7b8b6553b1
SHA1

9867f75df4b90c4490b3e6a63475090b631ecf47
SHA256

75f4e9cb71e583ca3f8b19691b5754adb9c981580762137f82443e1eec468f9c
SHA512

972d76829c3fef21fd21f51021be6585837570f4a16eef18f62266950b972842fca4e81faea88819fa83310ee2595fa3f6292801918a5625e1b415540bc4a06e
SSDEEP

786432:BcoLBX0zo+mBjXle6wpKEZi8eD79NhTuMnjR1i5HX50k:B/LN0lmBjXM2LDfv+J0k

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4620	msedge.exe
4620	msedge.exe
3960	msedge.exe
3960	msedge.exe
2436	identity_helper.exe
2436	identity_helper.exe
5092	7zFM.exe
5092	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5092	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3960	msedge.exe
3960	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	5092	7zFM.exe
Token: 35	5092	7zFM.exe
Token: SeSecurityPrivilege	5092	7zFM.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
5092	7zFM.exe
5092	7zFM.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 3960	5092	7zFM.exe	97
PID 5092 wrote to memory of 3960	5092	7zFM.exe	97
PID 3960 wrote to memory of 1800	3960	msedge.exe	100
PID 3960 wrote to memory of 1800	3960	msedge.exe	100
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 2680	3960	msedge.exe	101
PID 3960 wrote to memory of 4620	3960	msedge.exe	102
PID 3960 wrote to memory of 4620	3960	msedge.exe	102
PID 3960 wrote to memory of 436	3960	msedge.exe	103
PID 3960 wrote to memory of 436	3960	msedge.exe	103
PID 3960 wrote to memory of 436	3960	msedge.exe	103
PID 3960 wrote to memory of 436	3960	msedge.exe	103
PID 3960 wrote to memory of 436	3960	msedge.exe	103
PID 3960 wrote to memory of 436	3960	msedge.exe	103
PID 3960 wrote to memory of 436	3960	msedge.exe	103
PID 3960 wrote to memory of 436	3960	msedge.exe	103
PID 3960 wrote to memory of 436	3960	msedge.exe	103
PID 3960 wrote to memory of 436	3960	msedge.exe	103
PID 3960 wrote to memory of 436	3960	msedge.exe	103
PID 3960 wrote to memory of 436	3960	msedge.exe	103
PID 3960 wrote to memory of 436	3960	msedge.exe	103
PID 3960 wrote to memory of 436	3960	msedge.exe	103
PID 3960 wrote to memory of 436	3960	msedge.exe	103
PID 3960 wrote to memory of 436	3960	msedge.exe	103
PID 3960 wrote to memory of 436	3960	msedge.exe	103
PID 3960 wrote to memory of 436	3960	msedge.exe	103

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\wordpress-6.7.1.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\7zO4E37B248\readme.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffeb3c746f8,0x7ffeb3c74708,0x7ffeb3c74718
    3⤵
    PID:1800
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,9475776183462949264,12643999777197987018,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
    3⤵
    PID:2680
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,9475776183462949264,12643999777197987018,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4620
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,9475776183462949264,12643999777197987018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
    3⤵
    PID:436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9475776183462949264,12643999777197987018,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
    3⤵
    PID:964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9475776183462949264,12643999777197987018,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
    3⤵
    PID:4724
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,9475776183462949264,12643999777197987018,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
    3⤵
    PID:1200
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,9475776183462949264,12643999777197987018,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3324

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7e15d91d8d38a27270c8a015fd43db4b

SHA1
c5afb836ab94578edf57d3512ef098f19c81446a

SHA256
dae549396c26052c649ac02e8927387b3264d3557e393dd419959edb567b9c4f

SHA512
f2a0158fa6e466fdfe5eac3996786edfa6d20e17bae4e3045ee62283dc6581b1074ba095276cc133a163ae0e44ce844982e1b418f322d868bb2bb52f88ff7dc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f207c31b782a9faec9389abbde81bd60

SHA1
87e577428b733dea413defbc5f4d3e862407800f

SHA256
3fdaf9c692f3d2ba275d51d74e8fac338e07ec042638b33ae567dc5048bc1776

SHA512
333e0cd47a9ecf70f16fdbffe8c75d64ac114b7a2515fcd82c4ff97a14139eed735b4be03777efb531622d01c36dabc77b7a050b3c1aaa888573bd48f509f24a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
55c408c60b088b82267e1991f9bef572

SHA1
d28328b764f20054b87d76157933fb4e9bbf50f6

SHA256
9930b6ae7ffdb55745c23e22482c6107129d2021638b15c8fa7ee3c808c588b3

SHA512
6e8c831bb1f0e432eeb54c6362b6de97881548f009e1a02429cf279f20b76a6d08ff3c025ad02f5846d9432cb04402117b45ddc3977f98b2432747b9ad95e1df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4E37B248\readme.html

Filesize
7KB

MD5
1f04dd54c5f57fc8d031b14b4696023e

SHA1
c02b50a386fabcea8e244f694180cb4a02d33fe8

SHA256
587d471315f941cbde21046760a35cb3668c7720d0029af3145e0e4188227439

SHA512
0c339edbdf449b8081d4df5b9cef016ac0435e3a43ce038e79dccf4366bbce0a1196df6c5524a204e173ce2327ea17a6da892b258cae6f217d673d604efce363

Download Submit