hxxps://mail[.]163[.]com/large-attachment-download/index[.]html?p=X-NETEASE-HUGE-ATTAC HMENT&file=djAyWENkZUN2SmZ1RkJFdGtGMFFucUR2dz09&title=对猪八戒股份有限公司赴港上市的举报

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/01/2024, 08:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://mail.163.com/large-attachment-download/index.html?p=X-NETEASE-HUGE-ATTAC HMENT&file=djAyWENkZUN2SmZ1RkJFdGtGMFFucUR2dz09&title=对猪八戒股份有限公司赴港上市的举报

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
760	msedge.exe
760	msedge.exe
1372	msedge.exe
1372	msedge.exe
3672	identity_helper.exe
3672	identity_helper.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 3772	1372	msedge.exe	14
PID 1372 wrote to memory of 3772	1372	msedge.exe	14
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 4792	1372	msedge.exe	18
PID 1372 wrote to memory of 760	1372	msedge.exe	26
PID 1372 wrote to memory of 760	1372	msedge.exe	26
PID 1372 wrote to memory of 212	1372	msedge.exe	19
PID 1372 wrote to memory of 212	1372	msedge.exe	19
PID 1372 wrote to memory of 212	1372	msedge.exe	19
PID 1372 wrote to memory of 212	1372	msedge.exe	19
PID 1372 wrote to memory of 212	1372	msedge.exe	19
PID 1372 wrote to memory of 212	1372	msedge.exe	19
PID 1372 wrote to memory of 212	1372	msedge.exe	19
PID 1372 wrote to memory of 212	1372	msedge.exe	19
PID 1372 wrote to memory of 212	1372	msedge.exe	19
PID 1372 wrote to memory of 212	1372	msedge.exe	19
PID 1372 wrote to memory of 212	1372	msedge.exe	19
PID 1372 wrote to memory of 212	1372	msedge.exe	19
PID 1372 wrote to memory of 212	1372	msedge.exe	19
PID 1372 wrote to memory of 212	1372	msedge.exe	19
PID 1372 wrote to memory of 212	1372	msedge.exe	19
PID 1372 wrote to memory of 212	1372	msedge.exe	19
PID 1372 wrote to memory of 212	1372	msedge.exe	19
PID 1372 wrote to memory of 212	1372	msedge.exe	19
PID 1372 wrote to memory of 212	1372	msedge.exe	19
PID 1372 wrote to memory of 212	1372	msedge.exe	19

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbdd9946f8,0x7ffbdd994708,0x7ffbdd994718
1⤵
PID:3772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mail.163.com/large-attachment-download/index.html?p=X-NETEASE-HUGE-ATTAC HMENT&file=djAyWENkZUN2SmZ1RkJFdGtGMFFucUR2dz09&title=对猪八戒股份有限公司赴港上市的举报
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,15959603263907094383,15687863488218442759,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,15959603263907094383,15687863488218442759,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
  2⤵
  PID:212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15959603263907094383,15687863488218442759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15959603263907094383,15687863488218442759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:1416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,15959603263907094383,15687863488218442759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,15959603263907094383,15687863488218442759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  PID:1268
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,15959603263907094383,15687863488218442759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15959603263907094383,15687863488218442759,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1
  2⤵
  PID:780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15959603263907094383,15687863488218442759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
  2⤵
  PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15959603263907094383,15687863488218442759,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15959603263907094383,15687863488218442759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1992 /prefetch:1
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,15959603263907094383,15687863488218442759,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5192 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3460

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5e77545b7e1c504b2f5ce7c5cc2ce1fe

SHA1
d81a6af13cf31fa410b85471e4509124ebeaff7e

SHA256
cbb617cd6cde793f367df016b200d35ce3c521ab901bbcb52928576bb180bc11

SHA512
cbc65c61334a8b18ece79acdb30a4af80aa9448c3edc3902b00eb48fd5038bf6013d1f3f6436c1bcb637e78c485ae8e352839ca3c9ddf7e45b3b82d23b0e6e37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\7d04abee-5e8d-45ac-a38e-61c7606f0a3e.tmp

Filesize
5KB

MD5
00253443edbd2d081b463606862b45b7

SHA1
c20074b232d70a387a01a32cddada5eee7d39fc7

SHA256
4f34e198c2f4ff0000ae372e5c62edb1ca2acb57e8a94de9cdccaf884d104272

SHA512
2d8e41dedec9dc02cdaf46e68d17feb96bf2f46e3d51352c3c475fd53da31ec4360a08bb397ed121977611b52b84a33e9058d6a13df48c5c50c8ef48dca57ded

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
e2b329b5c80e3af26ec992b6e558c0a5

SHA1
0886cbe5feb6c77ac2620387945dd8fd79616e33

SHA256
8454403244dea9750499942424b14cbbb0fe4265ca9635d2d7d8dbf135c81c46

SHA512
484f2a1db2eca8cfd9b7946770aa9d8c0d7190aea39237e84637ff76d2c2a4abba4a0ada6da4956ab74b7690eae3e3943b1a44d97f49e96f72653d4712b0fa94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
388b6436c2bd759781519a863402c168

SHA1
4ef572ffb16b4c40d29d8db1a3bce5c41509d606

SHA256
b012aa057240140425e28690193ab49e404b7f1c70d19f734e43566bac8bad09

SHA512
3737307592975d652a119989599c92f555adc4dc40ec1bfe30cfd18b4330be60c48a97cd2636504a5841d3e233c8a5c30085b4ac754545acca41332883be6a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
250B

MD5
1d3af2fd832401241d4dab5058f76f5b

SHA1
c47f632533cf4c05518b0e28660c47e61780d3e3

SHA256
ab5e60662a5e31043f83ba559fa9126a377ae31199fd25e0241a7115c12eeea4

SHA512
0d6f6b5dfbc190cba8f6d8ae5ff3f50da01f3fff3adea147e1723df703c3768ffcd67a83bd3b4670d4331843b046f3e3167714eb52dac94960971f8ed6b436ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6c6bb171af9a5ac78b91654f7dd50838

SHA1
3f6fd90d359a98a6e3e158c6d235128b52311773

SHA256
e04f3d63dd2926e14528d39788c604001977422babd5363a3a66b3d3e10642e1

SHA512
dcec52c155917dfc6db5e74f1ce022fdfe612bc037d03b3561a2cf10f5dba71b10d4f085fc21b8ec0c6697912b99d1e04166ea0de451a95bbd3a985061db7aa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
53ba65fd2ca400b6b001d013fbee981f

SHA1
1c61bf93a7f4d9d000c3f4d79aa09b3d1a929eff

SHA256
dc58a0c06617dbb22624d9374e7892a0e5db4dc076aabfdb26cdab8e6c394423

SHA512
bcba2026b5e6bcc1422accf9e7239feb4273c141c4f11ae7b6c61a734ed81395f60f5c74221832707909cd22de3e55dbdb5bc4f73e339176fcd30b36a662aaa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
344d01a0aa7e2c1d13af7e90a5f50984

SHA1
a3f207e27bb91aebf0c36dcf8d0736dd4acf11ab

SHA256
adc26407e70407f0cd0a7cd13941bca11fd4df2ceca544b58319a2bc323cfb76

SHA512
7b0faf370676fd1b354d966048d08f5507b481c3d6340ff3ca66fde48b9697dacae88cfcaedf1a0b20aa43fd1ea9db834e47d93a33e0d5c0adf00467b35fd3b0

Download Submit