1f7574a0db44315a31c5dc9d87f4c64c4a746b1532aafd209d58b1b3c262eb48

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/01/2024, 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

677d0e269ab9cdfe860f3c2d53335638.exe
Size

41KB
MD5

677d0e269ab9cdfe860f3c2d53335638
SHA1

2617cef597abe21abfb7095bf5fd7e4c37c4e80f
SHA256

1f7574a0db44315a31c5dc9d87f4c64c4a746b1532aafd209d58b1b3c262eb48
SHA512

ef14f2d796e14c13180267949fc4daa110de2b153529abe9302b2e26213dcf63e32bceaa92a66288968b568e823b322b168c74444f3b37156f68a1ea56f8a0b5
SSDEEP

768:WC5qVQgwBcxcYeUmoL76iP98LhyvXW7yDyUtcZQ4ktPdv7T8x:R5qVQyh9j7EhyNPD7v7Ax

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1516	msedge.exe
1516	msedge.exe
648	msedge.exe
648	msedge.exe
4508	identity_helper.exe
4508	identity_helper.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 648	3496	677d0e269ab9cdfe860f3c2d53335638.exe	88
PID 3496 wrote to memory of 648	3496	677d0e269ab9cdfe860f3c2d53335638.exe	88
PID 648 wrote to memory of 4920	648	msedge.exe	89
PID 648 wrote to memory of 4920	648	msedge.exe	89
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1148	648	msedge.exe	91
PID 648 wrote to memory of 1516	648	msedge.exe	90
PID 648 wrote to memory of 1516	648	msedge.exe	90
PID 648 wrote to memory of 500	648	msedge.exe	92
PID 648 wrote to memory of 500	648	msedge.exe	92
PID 648 wrote to memory of 500	648	msedge.exe	92
PID 648 wrote to memory of 500	648	msedge.exe	92
PID 648 wrote to memory of 500	648	msedge.exe	92
PID 648 wrote to memory of 500	648	msedge.exe	92
PID 648 wrote to memory of 500	648	msedge.exe	92
PID 648 wrote to memory of 500	648	msedge.exe	92
PID 648 wrote to memory of 500	648	msedge.exe	92
PID 648 wrote to memory of 500	648	msedge.exe	92
PID 648 wrote to memory of 500	648	msedge.exe	92
PID 648 wrote to memory of 500	648	msedge.exe	92
PID 648 wrote to memory of 500	648	msedge.exe	92
PID 648 wrote to memory of 500	648	msedge.exe	92
PID 648 wrote to memory of 500	648	msedge.exe	92
PID 648 wrote to memory of 500	648	msedge.exe	92
PID 648 wrote to memory of 500	648	msedge.exe	92
PID 648 wrote to memory of 500	648	msedge.exe	92

C:\Users\Admin\AppData\Local\Temp\677d0e269ab9cdfe860f3c2d53335638.exe
"C:\Users\Admin\AppData\Local\Temp\677d0e269ab9cdfe860f3c2d53335638.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com.br/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc82ae46f8,0x7ffc82ae4708,0x7ffc82ae4718
    3⤵
    PID:4920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,354959154637726616,6417760766040286293,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,354959154637726616,6417760766040286293,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
    3⤵
    PID:1148
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,354959154637726616,6417760766040286293,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
    3⤵
    PID:500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,354959154637726616,6417760766040286293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
    3⤵
    PID:2292
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,354959154637726616,6417760766040286293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
    3⤵
    PID:1608
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,354959154637726616,6417760766040286293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
    3⤵
    PID:100
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,354959154637726616,6417760766040286293,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8
    3⤵
    PID:1944
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,354959154637726616,6417760766040286293,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,354959154637726616,6417760766040286293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
    3⤵
    PID:2984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,354959154637726616,6417760766040286293,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
    3⤵
    PID:2860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,354959154637726616,6417760766040286293,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
    3⤵
    PID:3424
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,354959154637726616,6417760766040286293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
    3⤵
    PID:1644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,354959154637726616,6417760766040286293,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3120 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
efc9c7501d0a6db520763baad1e05ce8

SHA1
60b5e190124b54ff7234bb2e36071d9c8db8545f

SHA256
7af7b56e2f0a84ae008785726f3404eb9001baa4b5531d0d618c6bdcb05a3a7a

SHA512
bda611ddba56513a30295ea5ca8bc59e552154f860d13fed97201cdb81814dd6d1bca7deca6f8f58c9ae585d91e450f4383a365f80560f4b8e59a4c8b53c327d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
16d30e5a510714bc1536bc2ae50d403f

SHA1
889b2d57236a536ca4cc6aa59154d50ee10e0061

SHA256
eb155577db93a28eb4f8f8c73e07289a31252d90969bcef1fa02fc92a68a26ff

SHA512
0da62baac216b9a2797421d644c1a2ca44f165830978a70b3ae8ad3ee3415dfb71ef7ba0739973f2f76bc79133f9c6c367a6509a81f8dec0430eec31c5f20424

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
990B

MD5
371016a995d7cfcc1be97a73b05700b0

SHA1
0ea45a20d1ded9925c1e816599d6bc911177a115

SHA256
217c1c09377436a0ac94801b6101997cae221cb54d7a7d0acb70c843a3c079e2

SHA512
0e13988a92871c55dc9aa0d000df4e945a87f2fc455e0312cbb177055c48994739b0d2d17c0166b2f9eafbda36893b2c3d996fb7937d67889c5bc58f0f95fb1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cc1c1b733a39e2947c461001b36d9412

SHA1
52f529ad0ff04d67530a685422ed701feaf55f45

SHA256
83e50c3f3718a3f6a1cb357bc08c5d7277d940a0ecd8ffd62cd53299c58686fb

SHA512
0843872e354ac601b99f156621b236c5ce98d17a86ec28dc6e59227f2c5d1696c85e0905b1647da871f880f73b8b684e3ce9c0e9b49c007aef2d94a841a79b29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7893a02baa775b115570238525e2189b

SHA1
ea541d1008949ddfbc55e82d80ce82667ab81bca

SHA256
c4f4a642b8ba886171b3df820bb97bc7d3a90cd4a3ecf083fcb414a785279dcc

SHA512
fee8ab846a9939965ef4741deff2f783f9171eca1dcbf4a9a8e2ed393b1f41892520c11f2d3d831b84054daefa73b29ed075113880fd6932b84da4c1bf28f064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
121510c1483c9de9fdb590c20526ec0a

SHA1
96443a812fe4d3c522cfdbc9c95155e11939f4e2

SHA256
cf5d26bc399d0200a32080741e12f77d784a3117e6d58e07106e913f257aa46c

SHA512
b367741da9ab4e9a621ad663762bd9c459676e0fb1412e60f7068834cbd5c83b050608e33d5320e1b191be1d809fef48831e0f42b3ecabd38b24ec222576fa81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b3b5dd8bf1cb2a7248763021006182f8

SHA1
19b23e72dc66d701d500458056febcc0624e433a

SHA256
153f243bf28990c287dfb2c5a44c994e7b8874404490d461d51bd21ae347c65b

SHA512
1ffe2cdd164b334d88b2d432a9ab085bdc83965ac987783fc995432df072c8f43caea6e693a8861e9b3a5689d3381bc77f2422562bd74a987167b1f33d928758

Download Submit
memory/3496-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3496-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download