Analysis
- max time kernel: 313s
- max time network: 315s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-06-2024 12:43
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://
Resource: win10v2004-20240508-en
Errors
General
- Target: http://
Malware Config
Signatures
- Drops file in Drivers directory (64 IoCs)
  Processes: cmd.exe
- Manipulates Digital Signatures (2 IoCs)
  Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
  Processes: cmd.exe
  - File opened for modification: C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll (cmd.exe)
  - File opened for modification: C:\Windows\System32\wintrust.dll (cmd.exe)
- Possible privilege escalation attempt (2 IoCs)
  Processes: takeown.exe, icacls.exe
  - 1368 takeown.exe
  - 2956 icacls.exe
- Boot or Logon Autostart Execution: Print Processors (1 TTP, 1 IoC)
  Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
  Processes: cmd.exe
  - File opened for modification: C:\Windows\System32\spool\prtprocs\x64\winprint.dll (cmd.exe)
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes: takeown.exe, icacls.exe
  - 1368 takeown.exe
  - 2956 icacls.exe
- Drops file in System32 directory (64 IoCs)
  Processes: cmd.exe
- Modifies termsrv.dll (1 TTP, 1 IoC)
  Commonly used to allow simultaneous RDP sessions.
  Processes: cmd.exe
  - File opened for modification: C:\Windows\System32\termsrv.dll (cmd.exe)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: msedge.exe
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Modifies data under HKEY_USERS (15 IoCs)
  Processes: LogonUI.exe
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" (LogonUI.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" (LogonUI.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" (LogonUI.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" (LogonUI.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "237" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" (LogonUI.exe)
- Opens file in notepad (likely ransom note) (4 IoCs)
  Processes: NOTEPAD.EXE
  - 3144 NOTEPAD.EXE
  - 1592 NOTEPAD.EXE
  - 2932 NOTEPAD.EXE
  - 2332 NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: msedge.exe, identity_helper.exe
  - 5048 msedge.exe
  - 5048 msedge.exe
  - 3564 msedge.exe
  - 3564 msedge.exe
  - 2428 identity_helper.exe
  - 2428 identity_helper.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
  Processes: msedge.exe
  - 3564 msedge.exe (4 identical entries)
- Suspicious use of FindShellTrayWindow (26 IoCs)
  Processes: msedge.exe
  - 3564 msedge.exe (26 identical entries)
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes: msedge.exe
  - 3564 msedge.exe (24 identical entries)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: LogonUI.exe
  - 4132 LogonUI.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: msedge.exe
  - PID 3564 (msedge.exe) wrote to memory of 3444 (msedge.exe), 2 entries
  - PID 3564 (msedge.exe) wrote to memory of 4508 (msedge.exe), repeated entries
  - PID 3564 (msedge.exe) wrote to memory of 5048 (msedge.exe), 2 entries
  - PID 3564 (msedge.exe) wrote to memory of 3240 (msedge.exe), repeated entries
Processes
- Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa087846f8,0x7ffa08784708,0x7ffa08784718
  - Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,7000350716331620678,11072985010717811159,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
  - Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,7000350716331620678,11072985010717811159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  - Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,7000350716331620678,11072985010717811159,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
  - Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7000350716331620678,11072985010717811159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  - Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7000350716331620678,11072985010717811159,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  - Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7000350716331620678,11072985010717811159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
  - Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7000350716331620678,11072985010717811159,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:1
  - Image: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,7000350716331620678,11072985010717811159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4588 /prefetch:8
  - Image: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,7000350716331620678,11072985010717811159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4588 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
- Image: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- Image: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- Image: C:\Windows\System32\NOTEPAD.EXE
  Command line: "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ss.bat
  - Opens file in notepad (likely ransom note)
- Image: C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- Image: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\ss.bat"
  - Image: C:\Windows\system32\takeown.exe
    Command line: takeown C:\Windows\System32\*
    - Possible privilege escalation attempt
    - Modifies file permissions
  - Image: C:\Windows\system32\icacls.exe
    Command line: icacls C:\Windows\System32\*
    - Possible privilege escalation attempt
    - Modifies file permissions
- Image: C:\Windows\System32\NOTEPAD.EXE
  Command line: "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ss.bat
  - Opens file in notepad (likely ransom note)
- Image: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\ss.bat"
- Image: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\ss.bat"
- Image: C:\Windows\System32\NOTEPAD.EXE
  Command line: "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ss.bat
  - Opens file in notepad (likely ransom note)
- Image: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\ss.bat" "
- Image: C:\Windows\System32\NOTEPAD.EXE
  Command line: "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ss.bat
  - Opens file in notepad (likely ransom note)
- Image: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\ss.bat"
  - Drops file in Drivers directory
  - Manipulates Digital Signatures
  - Boot or Logon Autostart Execution: Print Processors
  - Drops file in System32 directory
  - Modifies termsrv.dll
- Image: C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa39f9055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152 B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152 B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (5 KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (6 KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT (16 B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (8 KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1 (264 KB)
- C:\Users\Admin\Desktop\ss.bat (94 B)
- C:\Users\Admin\Desktop\ss.bat (28 B)
- C:\Users\Admin\Desktop\ss.bat (35 B)
- C:\Users\Admin\Desktop\ss.bat (33 B)
- \??\pipe\LOCAL\crashpad_3564_QMXROVLGOVFMKKGB