d34a15e7ce2c08273e48a5138890d27821f6c32a8112e7d2f7f3a6f7d3a61911

Analysis

max time kernel
332s
max time network
381s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MediaCoder/MediaCoder.url
Size

52B
MD5

bb2c01b3651bf34924129ac7cc386805
SHA1

99c5cd55b983d1a06a9fc3869b6d9fb0cd980d14
SHA256

4af4d47d83c105b3836ee97c2be849b7ea2e88d894d4e0a252310ba0e2681792
SHA512

c9189934e5f025661bdb848d273c939687c394870299be441214f0294fb2642ba0c76f92bb7d4aa8347fe9b7cc86809a9cbf0aa3ba295092f1f7df3ba115517b

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3108	msedge.exe
3108	msedge.exe
3196	msedge.exe
3196	msedge.exe
4772	identity_helper.exe
4772	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3600 wrote to memory of 3196	3600	rundll32.exe	85
PID 3600 wrote to memory of 3196	3600	rundll32.exe	85
PID 3196 wrote to memory of 4472	3196	msedge.exe	89
PID 3196 wrote to memory of 4472	3196	msedge.exe	89
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 1920	3196	msedge.exe	93
PID 3196 wrote to memory of 3108	3196	msedge.exe	94
PID 3196 wrote to memory of 3108	3196	msedge.exe	94
PID 3196 wrote to memory of 5116	3196	msedge.exe	95
PID 3196 wrote to memory of 5116	3196	msedge.exe	95
PID 3196 wrote to memory of 5116	3196	msedge.exe	95
PID 3196 wrote to memory of 5116	3196	msedge.exe	95
PID 3196 wrote to memory of 5116	3196	msedge.exe	95
PID 3196 wrote to memory of 5116	3196	msedge.exe	95
PID 3196 wrote to memory of 5116	3196	msedge.exe	95
PID 3196 wrote to memory of 5116	3196	msedge.exe	95
PID 3196 wrote to memory of 5116	3196	msedge.exe	95
PID 3196 wrote to memory of 5116	3196	msedge.exe	95
PID 3196 wrote to memory of 5116	3196	msedge.exe	95
PID 3196 wrote to memory of 5116	3196	msedge.exe	95
PID 3196 wrote to memory of 5116	3196	msedge.exe	95
PID 3196 wrote to memory of 5116	3196	msedge.exe	95
PID 3196 wrote to memory of 5116	3196	msedge.exe	95
PID 3196 wrote to memory of 5116	3196	msedge.exe	95
PID 3196 wrote to memory of 5116	3196	msedge.exe	95
PID 3196 wrote to memory of 5116	3196	msedge.exe	95

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\MediaCoder\MediaCoder.url
1⤵
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://forum.mediacoder.cn/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3196
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb661346f8,0x7ffb66134708,0x7ffb66134718
    3⤵
    PID:4472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,13619971158514106923,5841084723858516017,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1956 /prefetch:2
    3⤵
    PID:1920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,13619971158514106923,5841084723858516017,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2496 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,13619971158514106923,5841084723858516017,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
    3⤵
    PID:5116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13619971158514106923,5841084723858516017,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
    3⤵
    PID:1708
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13619971158514106923,5841084723858516017,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
    3⤵
    PID:5096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13619971158514106923,5841084723858516017,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
    3⤵
    PID:4824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13619971158514106923,5841084723858516017,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
    3⤵
    PID:4540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13619971158514106923,5841084723858516017,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
    3⤵
    PID:3688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13619971158514106923,5841084723858516017,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
    3⤵
    PID:1648
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,13619971158514106923,5841084723858516017,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1864 /prefetch:8
    3⤵
    PID:2644
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,13619971158514106923,5841084723858516017,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1864 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4904

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fa070c9c9ab8d902ee4f3342d217275f

SHA1
ac69818312a7eba53586295c5b04eefeb5c73903

SHA256
245b396ed1accfae337f770d3757c932bc30a8fc8dd133b5cefe82242760c2c7

SHA512
df92ca6d405d603ef5f07dbf9516d9e11e1fdc13610bb59e6d4712e55dd661f756c8515fc2c359c1db6b8b126e7f5a15886e643d93c012ef34a11041e02cc0dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2a8d2833b0c3de55d7a24e72bc16a49c

SHA1
9673b583e5ad0247fded71d6d17a8188f984f7e8

SHA256
114ea6adecba16ebfa9826036228598ac4dbb399769c6daf420f1e5f4e547cb8

SHA512
8b1f30e77a9cd0e87213b6e6360ab52f8aa404f1c836f912066a310500ae104284f03cfaef41ef6170acfb5e948c67e0ed40cd62295a1af43e4f3a818f030b03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dbdf0421d91d5d5b3dc3467f37b5f9e4

SHA1
0b3c9288dbe8837b0fb8a819f7e81dbcf7e4e7df

SHA256
59ae37cff74273824d27d8748683f4397402b170a01622ea0f0eab882a648a58

SHA512
a3647bf6cea4c01b377a8061d59d978564c213cee34ec570894ac55fab0493231f2c4233d2030ce80f9af9d37d9d2476faaddd3bcdfe12f0640a0016684af73c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e8ee4f36b429127d523fa17a048190aa

SHA1
ec3e0412aeffc8338fabff13d545aec77026ba6c

SHA256
0dcb4f9ca8fb97c11c05a68359a0e968de0803464f83e628962a9b5f05c8da5c

SHA512
ce02d6b3029f7eec810da3f5590bc2f5ab2dc62d91079cf45b40d9306e0c26d144efa2ced9743ce4ce809e6a96975050d63c7703f8d0d13068050af886621e1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
917dedf44ae3675e549e7b7ffc2c8ccd

SHA1
b7604eb16f0366e698943afbcf0c070d197271c0

SHA256
9692162e8a88be0977395cc0704fe882b9a39b78bdfc9d579a8c961e15347a37

SHA512
9628f7857eb88f8dceac00ffdcba2ed822fb9ebdada95e54224a0afc50bccd3e3d20c5abadbd20f61eba51dbf71c5c745b29309122d88b5cc6752a1dfc3be053

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
dde1c047aa401a063a1d8ab70f1d2994

SHA1
3d4918b2bd211d43a8ca98f0a09e668fa6cd692d

SHA256
e653c2f6f09986a54a6da3956161aaaff4fc3bdb14e5c6b0c5656b1f81caa55d

SHA512
afb4a002c0e46b1ff4355db45eeee73322168bcac4e9af93b775e868d3b6bee51f672bbe0a26fba0af7e3c59bf4058e2a10cb728cf85bd89403c44436b4e4b5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
abc415e6406cb68f23231f74c962dcda

SHA1
c87aef85bf4b712e35520f7650cbcba11ee65461

SHA256
ec94ff879c7d124264d92bf3d3832e88e712cdeb4b83c4c4a2c14f3be0789930

SHA512
a45191a06fb01b6d5d5ca7cca39ae0338eec0c14dc5ab041df5220bcafe4c97c3ec07283a6a649389b7dcc52c71ddd9eb6f5e2f3c5a0b0293e20e82d5dde6676

Download Submit