80b6a91f55324f5907a9f4305ff46eef36197008fd4dd954ef9388c1d3307ff7

Analysis

max time kernel
154s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2023 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

minhook.x32.dll
Size

18KB
MD5

71d921951eb008c82cc6b98ce71f2c67
SHA1

91fa98d3496e5474123c94a0980a03c53dc567e8
SHA256

80b6a91f55324f5907a9f4305ff46eef36197008fd4dd954ef9388c1d3307ff7
SHA512

d8e294f90bb7178b69c03cfb817aeb65cec08e7fbfabbe6dd5e739e6fce94add8b37c5d3d98a109b597fc01e917d1e12b1f19df2f19fbd65b63e867be5620843
SSDEEP

384:r8KH3kQ7Ti7RiPvT4Q5XsjhUnOBFKMWYx:YKhf+cPv0O4UnAF

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2772	msedge.exe
2772	msedge.exe
5040	msedge.exe
5040	msedge.exe
1732	identity_helper.exe
1732	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2404	2084	rundll32.exe	89
PID 2084 wrote to memory of 2404	2084	rundll32.exe	89
PID 2084 wrote to memory of 2404	2084	rundll32.exe	89
PID 5040 wrote to memory of 1152	5040	msedge.exe	104
PID 5040 wrote to memory of 1152	5040	msedge.exe	104
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 4712	5040	msedge.exe	106
PID 5040 wrote to memory of 2772	5040	msedge.exe	107
PID 5040 wrote to memory of 2772	5040	msedge.exe	107
PID 5040 wrote to memory of 2116	5040	msedge.exe	108
PID 5040 wrote to memory of 2116	5040	msedge.exe	108
PID 5040 wrote to memory of 2116	5040	msedge.exe	108
PID 5040 wrote to memory of 2116	5040	msedge.exe	108
PID 5040 wrote to memory of 2116	5040	msedge.exe	108
PID 5040 wrote to memory of 2116	5040	msedge.exe	108
PID 5040 wrote to memory of 2116	5040	msedge.exe	108
PID 5040 wrote to memory of 2116	5040	msedge.exe	108
PID 5040 wrote to memory of 2116	5040	msedge.exe	108
PID 5040 wrote to memory of 2116	5040	msedge.exe	108
PID 5040 wrote to memory of 2116	5040	msedge.exe	108
PID 5040 wrote to memory of 2116	5040	msedge.exe	108
PID 5040 wrote to memory of 2116	5040	msedge.exe	108
PID 5040 wrote to memory of 2116	5040	msedge.exe	108
PID 5040 wrote to memory of 2116	5040	msedge.exe	108
PID 5040 wrote to memory of 2116	5040	msedge.exe	108
PID 5040 wrote to memory of 2116	5040	msedge.exe	108

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\minhook.x32.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\minhook.x32.dll,#1
  2⤵
  PID:2404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa228046f8,0x7ffa22804708,0x7ffa22804718
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,16387784139425802586,4168849292654824950,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,16387784139425802586,4168849292654824950,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,16387784139425802586,4168849292654824950,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
  2⤵
  PID:2116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,16387784139425802586,4168849292654824950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,16387784139425802586,4168849292654824950,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,16387784139425802586,4168849292654824950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:2664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,16387784139425802586,4168849292654824950,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,16387784139425802586,4168849292654824950,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,16387784139425802586,4168849292654824950,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3272

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
efc9c7501d0a6db520763baad1e05ce8

SHA1
60b5e190124b54ff7234bb2e36071d9c8db8545f

SHA256
7af7b56e2f0a84ae008785726f3404eb9001baa4b5531d0d618c6bdcb05a3a7a

SHA512
bda611ddba56513a30295ea5ca8bc59e552154f860d13fed97201cdb81814dd6d1bca7deca6f8f58c9ae585d91e450f4383a365f80560f4b8e59a4c8b53c327d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
19d3c54f186492112de88b1735d8dd8d

SHA1
f39ce3a5c260d672cabea02129c14d6bc118f846

SHA256
3b0004b966c982c3350189e3eee53e9bb7f2bd27fa06d5e9072403dbbb237d5a

SHA512
1627d03d0b136f3f64c97baeaa0aa89a6e9ee7169f710adbf2dc63deb8c33ee2324a61ad2c3cce353997700568c8af6f16973dd43110ae4dba00a5b54cea23f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3bc2e3306352dc0375a73bf318cc1441

SHA1
b318eafd40e72a3b0be64480d65b3e1ebb6a76bc

SHA256
a4be0bc19e0535960bbe0d72a30aef4a6d2a1ce0a587d092355aeeb7e477008a

SHA512
78a3be73c38a6044bbc30675e649921ef606ff98fe6feb43af1ce762ba43dc7aabf0035df1da0269b5923ede1c6cbcf047150d4409c6b3380cfcc5bfecf2a142

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a3effd77157e3384efc60e6b97390d41

SHA1
d67d9294e089fc0b1bda08edb46f3510a9754f3f

SHA256
35a84444fef8b79dafaf0f8eb332fd1152ce6d0639e3b41183d3a75a6b5d9e71

SHA512
4cd12b8b30c3156ee8e2860ef10cab7ee13d1bbd55eca9bf005f66a5bb0c712922b47f3dd3b5a19ff2bfe53ff17c5f49257e0ae44dac5b8a9f28c95d7a14ed82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
121510c1483c9de9fdb590c20526ec0a

SHA1
96443a812fe4d3c522cfdbc9c95155e11939f4e2

SHA256
cf5d26bc399d0200a32080741e12f77d784a3117e6d58e07106e913f257aa46c

SHA512
b367741da9ab4e9a621ad663762bd9c459676e0fb1412e60f7068834cbd5c83b050608e33d5320e1b191be1d809fef48831e0f42b3ecabd38b24ec222576fa81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9c0dd64682525214e1957e7a4788dc5c

SHA1
c144698058acf812dc53c102634258e17a8856d2

SHA256
e886e7a32284abc0004197aab17609af171ddd94b270d751c117268bf9326587

SHA512
9ffc050d148c5f84e647ad90eab75a17d4800c553626a1e30be91e77eb2144432716c0d051ca167a4e4e9cf08f9e44c80597f28eca82575c92860588303526be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0d498d7398e2348ba31a20956c384ecb

SHA1
54e22cd998ddcb8469ed15b5553824c435f06528

SHA256
3a9c5982e4b67adcd31d6bade66ef3d6cb2b5dfa6160ba75983f15846875b85a

SHA512
627b156402b9638427c5acec608da964c5847f257b7233162ae845ee3c9e3816bfe51f3990fcda61583051a825eac95ab099b42e9f8e5ec66b2a6aa09b92c9b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3d80fc9cfce2ea269d68c46329fedf1e

SHA1
e79134609e8a54b21be8dc63d1c74742714053e8

SHA256
24986dc1b8e1770b33e5b111aad2172bd3b343b7392033c0887adf642199e0ad

SHA512
12abb1f96908b05faa7d1f646eff0378e2eb536d67d0402a64f2d9927705b04a36a9dd6ae6ba565aa0d4f0937b2de397115517ecd0fe341f7cdbe9939510a0c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit