e1c399c29b9379f9d1d3f17822d4496fce8a5123f57b33f00150f287740049e9

Resubmissions

14/12/2023, 08:25

231214-kbc3nsdha2 10

14/12/2023, 07:45

231214-jlfe4sccbr 10

Analysis

max time kernel
275s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
14/12/2023, 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1c399c29b9379f9d1d3f17822d4496fce8a5123f57b33f00150f287740049e9.exe
Size

1.1MB
MD5

4c7d2ec42f5b225982d9e2e96383a2fd
SHA1

6edc8db346032a83402d7104c5783cc1e929e402
SHA256

e1c399c29b9379f9d1d3f17822d4496fce8a5123f57b33f00150f287740049e9
SHA512

c83cd4b6394a2629ab7148cf1db73ae040d247809660e34ec895cee37af56e655f99db0eb88711d206407076b949dd5f5e4dad3be9f272bf2b7985575e147861
SSDEEP

12288:TUOEh1CfIQ9wcSEzPXgFSuYxZyJhLA/3lqYV1lYT/S:oOq1cwcnjXgFSuYxZy72kYV1lYT

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3635043082-2972811465-3176142135-1000\{605AB04C-84A6-4992-96DE-6455721DD05D}	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2432	msedge.exe
2432	msedge.exe
4504	msedge.exe
4504	msedge.exe
4288	msedge.exe
4288	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3976	helppane.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3976	helppane.exe
3976	helppane.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 4504	3976	helppane.exe	115
PID 3976 wrote to memory of 4504	3976	helppane.exe	115
PID 4504 wrote to memory of 1640	4504	msedge.exe	116
PID 4504 wrote to memory of 1640	4504	msedge.exe	116
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 4772	4504	msedge.exe	117
PID 4504 wrote to memory of 2432	4504	msedge.exe	118
PID 4504 wrote to memory of 2432	4504	msedge.exe	118
PID 4504 wrote to memory of 4300	4504	msedge.exe	119
PID 4504 wrote to memory of 4300	4504	msedge.exe	119
PID 4504 wrote to memory of 4300	4504	msedge.exe	119
PID 4504 wrote to memory of 4300	4504	msedge.exe	119
PID 4504 wrote to memory of 4300	4504	msedge.exe	119
PID 4504 wrote to memory of 4300	4504	msedge.exe	119
PID 4504 wrote to memory of 4300	4504	msedge.exe	119
PID 4504 wrote to memory of 4300	4504	msedge.exe	119
PID 4504 wrote to memory of 4300	4504	msedge.exe	119
PID 4504 wrote to memory of 4300	4504	msedge.exe	119
PID 4504 wrote to memory of 4300	4504	msedge.exe	119
PID 4504 wrote to memory of 4300	4504	msedge.exe	119
PID 4504 wrote to memory of 4300	4504	msedge.exe	119
PID 4504 wrote to memory of 4300	4504	msedge.exe	119
PID 4504 wrote to memory of 4300	4504	msedge.exe	119
PID 4504 wrote to memory of 4300	4504	msedge.exe	119
PID 4504 wrote to memory of 4300	4504	msedge.exe	119
PID 4504 wrote to memory of 4300	4504	msedge.exe	119

C:\Users\Admin\AppData\Local\Temp\e1c399c29b9379f9d1d3f17822d4496fce8a5123f57b33f00150f287740049e9.exe
"C:\Users\Admin\AppData\Local\Temp\e1c399c29b9379f9d1d3f17822d4496fce8a5123f57b33f00150f287740049e9.exe"
1⤵
PID:4376

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528882
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9617446f8,0x7ff961744708,0x7ff961744718
    3⤵
    PID:1640
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,10597623605936756887,11359288519757851538,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
    3⤵
    PID:4772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,10597623605936756887,11359288519757851538,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2432
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,10597623605936756887,11359288519757851538,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
    3⤵
    PID:4300
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,10597623605936756887,11359288519757851538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
    3⤵
    PID:3624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,10597623605936756887,11359288519757851538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
    3⤵
    PID:1416
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,10597623605936756887,11359288519757851538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
    3⤵
    PID:1944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,10597623605936756887,11359288519757851538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
    3⤵
    PID:4204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2172,10597623605936756887,11359288519757851538,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4832 /prefetch:8
    3⤵
    PID:2808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2172,10597623605936756887,11359288519757851538,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4684 /prefetch:8
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:4288
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,10597623605936756887,11359288519757851538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
    3⤵
    PID:3264

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4252

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
208a234643c411e1b919e904ee20115e

SHA1
400b6e6860953f981bfe4716c345b797ed5b2b5b

SHA256
af80020ae43388bbd3db31c75aade369d489a30a933574dea19163e094d5f458

SHA512
2779b96325234c836cbb91820ee332ed56c15b534ec0c7770b322a5c03849ec3ee67b0ec7978e1fab563eeed1cea96f5155d7b942702555d9352ff6711a548d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\13a6cb03-a36f-4fbe-9deb-0d8497c346b7.tmp

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
5533f445308fe23329812a80756d54a7

SHA1
7feace4eb59d22b2fe6b59e2baa0b9ac2d0e6d22

SHA256
560287fedd825870ec76e4adda8a9c8b48339591f27a33358af3fe739439c2cd

SHA512
4f55667c725823550e32c5428dc7f9d663dca478c86bda6badf2001de8168ba0a5b973c604dfc2e544f76b4d4688bf09a3b1a819d66375942d7cc4f6fb20d29d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6e6adb402b4eedebadeb3f21d760fda1

SHA1
4dd851247581a551852e9b67a9e8cf46c09e9f9d

SHA256
aefea87571ec7895310ce2f5d4b9402b5e949fac8df52fc0e076b70828bfc258

SHA512
66300d367f82bfee7c0d67edd5ccf1642ea96b0917b858f30e9e62eba96df462970b602cae5d929676e1c0a5ba064a2314fe587ec00cce67cb9753368d0ae627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7527e35ab16aeb4c8f38c3936399c7cc

SHA1
7616ad9919dce797a6671fd1822eceaa912cbd38

SHA256
6247080e48228d03cbcc894a3ce4083702d6b71dda8548129bda568640fce716

SHA512
87dd33b31637216abeece1ba8b5fa032dac2eff9ca75812e3e27b483961e80c92bacf1642f82e19c534fbedd8cb83c4ec70a95b68a83bc0cc5d83167536e9de3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5a6206a3489650bf4a9c3ce44a428126

SHA1
3137a909ef8b098687ec536c57caa1bacc77224b

SHA256
0a9e623c6df237c02a585539bffb8249de48949c6d074fe0aaf43063731a3e28

SHA512
980da83c3142bf08433ec1770a2ec5f5560daf3ee680466f89beae8290e921c0db677489daad055fbc1f196388f8bc4f60e050600381f860b06d330062440a78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3b0ebc141f1f2d5c68e3c984f1772880

SHA1
368f75e83f60a2cd4ac4733e76cfce541923372f

SHA256
d8a36946f663ad7d78764f15c366b0fbfc19a547ebec0905c1a8d8cf70b75e00

SHA512
fa992cbba3675e96f1b35e6df12378036eb2028e7f740e6c30acb5d67b2e57cc1d80e77b7e0f659c57bf70251fde866bea1ed9807127826eda746bb27a3fe0df

Download Submit