hxxps://prezi[.]com/i/munah-slfnfb/

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2024 04:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://prezi.com/i/munah-slfnfb/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2180	msedge.exe
2180	msedge.exe
2300	msedge.exe
2300	msedge.exe
4852	identity_helper.exe
4852	identity_helper.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 1392	2300	msedge.exe	84
PID 2300 wrote to memory of 1392	2300	msedge.exe	84
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 3648	2300	msedge.exe	86
PID 2300 wrote to memory of 2180	2300	msedge.exe	85
PID 2300 wrote to memory of 2180	2300	msedge.exe	85
PID 2300 wrote to memory of 4820	2300	msedge.exe	87
PID 2300 wrote to memory of 4820	2300	msedge.exe	87
PID 2300 wrote to memory of 4820	2300	msedge.exe	87
PID 2300 wrote to memory of 4820	2300	msedge.exe	87
PID 2300 wrote to memory of 4820	2300	msedge.exe	87
PID 2300 wrote to memory of 4820	2300	msedge.exe	87
PID 2300 wrote to memory of 4820	2300	msedge.exe	87
PID 2300 wrote to memory of 4820	2300	msedge.exe	87
PID 2300 wrote to memory of 4820	2300	msedge.exe	87
PID 2300 wrote to memory of 4820	2300	msedge.exe	87
PID 2300 wrote to memory of 4820	2300	msedge.exe	87
PID 2300 wrote to memory of 4820	2300	msedge.exe	87
PID 2300 wrote to memory of 4820	2300	msedge.exe	87
PID 2300 wrote to memory of 4820	2300	msedge.exe	87
PID 2300 wrote to memory of 4820	2300	msedge.exe	87
PID 2300 wrote to memory of 4820	2300	msedge.exe	87
PID 2300 wrote to memory of 4820	2300	msedge.exe	87
PID 2300 wrote to memory of 4820	2300	msedge.exe	87
PID 2300 wrote to memory of 4820	2300	msedge.exe	87
PID 2300 wrote to memory of 4820	2300	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://prezi.com/i/munah-slfnfb/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc485346f8,0x7ffc48534708,0x7ffc48534718
  2⤵
  PID:1392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,17928227033883594838,14972412015004988663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,17928227033883594838,14972412015004988663,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,17928227033883594838,14972412015004988663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17928227033883594838,14972412015004988663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17928227033883594838,14972412015004988663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17928227033883594838,14972412015004988663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,17928227033883594838,14972412015004988663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,17928227033883594838,14972412015004988663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17928227033883594838,14972412015004988663,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17928227033883594838,14972412015004988663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17928227033883594838,14972412015004988663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17928227033883594838,14972412015004988663,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,17928227033883594838,14972412015004988663,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3156 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7a5862a0ca86c0a4e8e0b30261858e1f

SHA1
ee490d28e155806d255e0f17be72509be750bf97

SHA256
92b4c004a9ec97ccf7a19955926982bac099f3b438cd46063bb9bf5ac7814a4b

SHA512
0089df12ed908b4925ba838e07128987afe1c9235097b62855122a03ca6d34d7c75fe4c30e68581c946b77252e7edf1dd66481e20c0a9cccd37e0a4fe4f0a6fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
192KB

MD5
5036f7c363373f5d9cc2b6519806feae

SHA1
3caf2148a2eb7c82f9aff0f3a2f4594ee70327bf

SHA256
715c5d3e3839c1b47c3008e8a89f929e60858ee379724a20775003c692e9fd6c

SHA512
4661cd6fb02dccc48a42fe127b1e88f7e794cd4eb1d8a5a8f5075f772dad63211efa349bab579c5bb81bfb2c4b1be201c6725a56f617f8913a2235e3565fe645

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
6ca7934dd021aa7ed90d254354d771d5

SHA1
a598d7703959fcf0242593856f10f65cff55bb3e

SHA256
187a2a5d855e2a75347b706baa1b85cc95e8a7c328214a7004f57d497df76786

SHA512
e4dd935a5d916204e3c7ca4ea1f8d017207794a8ae106921ddfe33991cea5a85113eec79da6348832c259b533343b4cabb09c128331c4988d03c93d680519ab6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
7ffc099d432bf034e65bdbd9aabd2004

SHA1
e6811e0e0a76bc437b3ba2262307e11f49082327

SHA256
3441e124a1765b100b38be3b2c0b5529f1525c276fad1191a87956e92650ca94

SHA512
81ef4c38de7e7884ce83e617b21445d4644b6015fc25b658eead66cd86398baa1270f09a635a965063e8a10dbfc59d835ca0e6061861522376c80d9446938516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
14373400a4621c24749bd46a1b6f05ca

SHA1
42304d3dcd4f3dffd4a69c5c61458b8f5f1bc455

SHA256
149305a5cd88fc3dfb1deab822a96950978480081f70a498d40059dc82e57b6e

SHA512
b051737ba475bc1df4f66f132848f2b8b5e22abbb30cef21e4dcecbf00a937fd0b3ac5f7d3f7524fa071a4f25792477136a65037ab2a914bd9b6fb0f5cb58332

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
52826cef6409f67b78148b75e442b5ea

SHA1
a675db110aae767f5910511751cc3992cddcc393

SHA256
98fc43994599573e7181c849e5865f23b4f05f85c1115dff53c58764d80373fb

SHA512
f18df18cab6b5ecd71b79c81a2a1fdac42cc9960f62f06ac25f4d6487792705f2766ee3a10239eaac940d090186e6bc820e4eb7a5ee138f6e5c1c64f951b960c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f44437d5-04aa-4571-bf4f-16816870cbe7.tmp

Filesize
5KB

MD5
d2c6fa47abb7eee6bf58a230f103f770

SHA1
de05a8faa843283869a7ba28414afdf6643465e9

SHA256
9c2d52c399047fefc063e528e7e913de4795f51c203ace5e4c42bb20d941e91a

SHA512
9c3232f6d5f45eace896a713aae637696f0a2ad6162775cf601dbe079015f026de140276cc6bd54bb5de8d8f3d6ebbcd44492b1146fd12383c6db95ae358bc66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f0a63c6f62856d3e827b020197d72bf8

SHA1
1fc635da1d8a2d4e04eb8f90549059b996635ebf

SHA256
76b0a5683e70d7920815b5660a105be823337c00e5a88dff90229953ea320372

SHA512
2b65191296b4cd1d1682a3b4f81458db72f7aaa183faa56f00591b573d121712aa2a025e2bf80d468fa7df938d0bd703efa52b5f31e04fd0a1120296e903f2bb

Download Submit