hxxp://google[.]com

Resubmissions

07/11/2023, 14:22

231107-rpw62ahb4w 1

27/10/2023, 15:55

23/10/2023, 16:49

17/10/2023, 12:22

16/10/2023, 18:28

16/10/2023, 17:48

12/10/2023, 18:50

Analysis

max time kernel
1819s
max time network
1726s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://google.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3324	msedge.exe
3324	msedge.exe
4652	msedge.exe
4652	msedge.exe
2176	identity_helper.exe
2176	identity_helper.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4652 wrote to memory of 1032	4652	msedge.exe	85
PID 4652 wrote to memory of 1032	4652	msedge.exe	85
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 4672	4652	msedge.exe	89
PID 4652 wrote to memory of 3324	4652	msedge.exe	87
PID 4652 wrote to memory of 3324	4652	msedge.exe	87
PID 4652 wrote to memory of 4152	4652	msedge.exe	88
PID 4652 wrote to memory of 4152	4652	msedge.exe	88
PID 4652 wrote to memory of 4152	4652	msedge.exe	88
PID 4652 wrote to memory of 4152	4652	msedge.exe	88
PID 4652 wrote to memory of 4152	4652	msedge.exe	88
PID 4652 wrote to memory of 4152	4652	msedge.exe	88
PID 4652 wrote to memory of 4152	4652	msedge.exe	88
PID 4652 wrote to memory of 4152	4652	msedge.exe	88
PID 4652 wrote to memory of 4152	4652	msedge.exe	88
PID 4652 wrote to memory of 4152	4652	msedge.exe	88
PID 4652 wrote to memory of 4152	4652	msedge.exe	88
PID 4652 wrote to memory of 4152	4652	msedge.exe	88
PID 4652 wrote to memory of 4152	4652	msedge.exe	88
PID 4652 wrote to memory of 4152	4652	msedge.exe	88
PID 4652 wrote to memory of 4152	4652	msedge.exe	88
PID 4652 wrote to memory of 4152	4652	msedge.exe	88
PID 4652 wrote to memory of 4152	4652	msedge.exe	88
PID 4652 wrote to memory of 4152	4652	msedge.exe	88
PID 4652 wrote to memory of 4152	4652	msedge.exe	88
PID 4652 wrote to memory of 4152	4652	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb36b346f8,0x7ffb36b34708,0x7ffb36b34718
  2⤵
  PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,4830092035268241384,7421045857127267264,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,4830092035268241384,7421045857127267264,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,4830092035268241384,7421045857127267264,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,4830092035268241384,7421045857127267264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,4830092035268241384,7421045857127267264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,4830092035268241384,7421045857127267264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,4830092035268241384,7421045857127267264,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:2608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,4830092035268241384,7421045857127267264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,4830092035268241384,7421045857127267264,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 /prefetch:8
  2⤵
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,4830092035268241384,7421045857127267264,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,4830092035268241384,7421045857127267264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,4830092035268241384,7421045857127267264,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,4830092035268241384,7421045857127267264,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5140 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bf009481892dd0d1c49db97428428ede

SHA1
aee4e7e213f6332c1629a701b42335eb1a035c66

SHA256
18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4

SHA512
d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
4c8184dd1d0fef6596290dcacf079c04

SHA1
8466c0685bf6fbf99c752a3a1ea265eb3551e72e

SHA256
a403f3d826278d4418626ff6792ff01573cbcdf943c903856fd2c536ac1dd61a

SHA512
59e90e53d8b78cb8891154e84486a8632ac54e8b4294b8b1dd2ed046172e9fb97bb34ffbd7292eeb87764d06816245f6c05fb5cf138d85ff04d9a6706d5c3022

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
7d2dec3e89a45b87dc86348336c18426

SHA1
2b682fe22fe277168de888095db523405d97c5c8

SHA256
b7e9a01fc38e4d796d051ec7607722592732a5383a640434ed56b4ed05f3e35d

SHA512
e9d494777ba1a48eae4f110f3dd1a4f4a517fc6aaddfde793372868202b6f5483635ce732c8cb73ab4cba2f9d7295b7049208bc36672229bbf71dfb6f11feca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
e29886e429d209e8a28be5975db14994

SHA1
40c7da854ad474353f48ed0daeff51780f7117e0

SHA256
e989ab465ef3bc309f84afe7dd63ff758c7ec8686b0698567350cc89c806b697

SHA512
ed8b7a587767847c5bab7b3eef2c411570c81dde2b4b135f370538fe42139c622a9268a088016f274d0e430e74e4e0f9c1b3dd9dd75cbe59c53298f3b73dc5d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
90d918c0be7f70305adadb816094cefb

SHA1
b42ababb7a39cb1febd2bbd9900c1be386bc192d

SHA256
8e67e5cc226f98d8c2808c6cd39c050582987427f09e99a1023b5dcc31e6adfa

SHA512
a6f7b3e96da72fbca01ba96d0a50626852cd53e7913f824717542fa0480f539a9509dea6e3642cb861ff14ffceb682b2a25ccfadb9a687670190d02493a54166

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1080371fb28a13d08542de558ed676d8

SHA1
f78bb2095915a2a3640f68c22265d96c5c2a0dd4

SHA256
abfb5cc9651d97b91520ea65fc02565c23e3d440854bac54a2c10e34a2538749

SHA512
1090286b8f70c3a898ec1397f511d37a5a79a12dd61b9c3e29b1f6e8eb431be5caf80a17aa81238e3bd2c68b4354217f2c7e9cbb094753126aeef4238c8fd612

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
25ac77f8c7c7b76b93c8346e41b89a95

SHA1
5a8f769162bab0a75b1014fb8b94f9bb1fb7970a

SHA256
8ad26364375358eac8238a730ef826749677c62d709003d84e758f0e7478cc4b

SHA512
df64a3593882972f3b10c997b118087c97a7fa684cd722624d7f5fb41d645c605d59a89eccf7518570ff9e73b4310432c4bb5864ee58e78c0743c0c1606853a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
191c74dc29b8a00b461ac566c6570ffd

SHA1
311a1875d293445ec3f647eacaa8f81977db6c22

SHA256
cb10e083519e14f1caa45564b5606ae22c6d2ab06fb97f53c7a0e7e94ddea8c0

SHA512
d50905575085a253a78b9650e3742e39a43f4c6c315086488e934f5349c1e16739b59cc388b2be7dcd2f8ebbd0bd6a6f6393155094a2f3acb286f7dff3fc0e94

Download Submit