e56afaf430e63ba2367446ebefb6356f1d04a0c7e10416d3851d8f43efe01a7e

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2024 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

readme.url
Size

328B
MD5

63ce37659e34f6542d31a4bc64ec19e5
SHA1

31938110d10a8ebce18ce02d1ebaca0e344a797c
SHA256

36dcd2cc9ef2a279014b4f85915100f62d36bd0c2cf439638d4ce0e9c18cc2ff
SHA512

39dc956c870a2bd80786dd215b503e5f22a1259bb858ff37ae601cb11d425afd5304e6472512c99afcb98569f08990e1d03df5e3d392ec484b1a98dd3f7b86e2

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4032	msedge.exe
4032	msedge.exe
3684	msedge.exe
3684	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3684	msedge.exe
3684	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 3684	1504	rundll32.exe	86
PID 1504 wrote to memory of 3684	1504	rundll32.exe	86
PID 3684 wrote to memory of 2104	3684	msedge.exe	88
PID 3684 wrote to memory of 2104	3684	msedge.exe	88
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 3640	3684	msedge.exe	89
PID 3684 wrote to memory of 4032	3684	msedge.exe	90
PID 3684 wrote to memory of 4032	3684	msedge.exe	90
PID 3684 wrote to memory of 3388	3684	msedge.exe	91
PID 3684 wrote to memory of 3388	3684	msedge.exe	91
PID 3684 wrote to memory of 3388	3684	msedge.exe	91
PID 3684 wrote to memory of 3388	3684	msedge.exe	91
PID 3684 wrote to memory of 3388	3684	msedge.exe	91
PID 3684 wrote to memory of 3388	3684	msedge.exe	91
PID 3684 wrote to memory of 3388	3684	msedge.exe	91
PID 3684 wrote to memory of 3388	3684	msedge.exe	91
PID 3684 wrote to memory of 3388	3684	msedge.exe	91
PID 3684 wrote to memory of 3388	3684	msedge.exe	91
PID 3684 wrote to memory of 3388	3684	msedge.exe	91
PID 3684 wrote to memory of 3388	3684	msedge.exe	91
PID 3684 wrote to memory of 3388	3684	msedge.exe	91
PID 3684 wrote to memory of 3388	3684	msedge.exe	91
PID 3684 wrote to memory of 3388	3684	msedge.exe	91
PID 3684 wrote to memory of 3388	3684	msedge.exe	91
PID 3684 wrote to memory of 3388	3684	msedge.exe	91
PID 3684 wrote to memory of 3388	3684	msedge.exe	91

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\readme.url
1⤵
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.baidu.com/s?wd=%e4%b8%8b%e8%bd%bd%e7%8e%8b
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe0adb46f8,0x7ffe0adb4708,0x7ffe0adb4718
    3⤵
    PID:2104
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,11209167849544109063,17636183591186255691,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
    3⤵
    PID:3640
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,11209167849544109063,17636183591186255691,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,11209167849544109063,17636183591186255691,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
    3⤵
    PID:3388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11209167849544109063,17636183591186255691,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
    3⤵
    PID:2772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11209167849544109063,17636183591186255691,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1
    3⤵
    PID:4600
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,11209167849544109063,17636183591186255691,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3156 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1720

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
efc9c7501d0a6db520763baad1e05ce8

SHA1
60b5e190124b54ff7234bb2e36071d9c8db8545f

SHA256
7af7b56e2f0a84ae008785726f3404eb9001baa4b5531d0d618c6bdcb05a3a7a

SHA512
bda611ddba56513a30295ea5ca8bc59e552154f860d13fed97201cdb81814dd6d1bca7deca6f8f58c9ae585d91e450f4383a365f80560f4b8e59a4c8b53c327d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
72c8fed6825981eb1359065591b08739

SHA1
2bc2167c64cdf60428f862aa4923ca26105109f1

SHA256
f83ae753ea0f84703e2592bbb3a0ce082229d6b198202f83a4bafc9e9a981d88

SHA512
5d389d36d8c81d96aa9c951ea150fa2842e122bfd563085e8861caea1534bd68ab31e82167c609b6f9685c34bc8e4486b93673c709df37d774b07567e16a53d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
184B

MD5
e07c35e0086b77ec93f2266861152c7d

SHA1
97bf1f4bb085ae1dbca944da62895381bcef8835

SHA256
4da5337dcfdd9a385475af0bf9c4841fcb75add192013d61e8b6677322cb0c73

SHA512
5c788928f59801e39653dc11bbc5f068ad7485c519cc92c490c01d3133c45d494ee327710cd4833e6c11c5795dc77a1689e8936f990a913602c5bf8f6153ce8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9e8ca55daf07d734340534114185ab7c

SHA1
59dcd511d6b02747ed1a9ac6370f80236baeaf4e

SHA256
f86cf5129b9f17f163debba8d73e15bc00ce3cd2e7527c5ddce41ccce512248c

SHA512
497c7a8dd068462319af23e75dd3d6c3ddee385265d9cfc404242039093dd0f52e7331c8e3a8ab2b9dda7dacac29f300e57dea7f08899195bcc4b94192fed8df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b5599a3d6b89866327897e665d5d7949

SHA1
dd7aad2b6d2948f989c285e81c7645dea1778246

SHA256
d06f06e1171e6c13de4721fcebcbb870af91b22927859a243a04897a9e5ff2c1

SHA512
3f7909d6d0160a13478d6842a0a0a0690b7b63501a3d74ebc3f475d4eab7ff9f994e4c515f497bbf98fa9c56058bbe18224ffae64972bdcc8431276876667fbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f96df0f0-b84d-49a8-b8f6-b5474224119b.tmp

Filesize
24KB

MD5
121510c1483c9de9fdb590c20526ec0a

SHA1
96443a812fe4d3c522cfdbc9c95155e11939f4e2

SHA256
cf5d26bc399d0200a32080741e12f77d784a3117e6d58e07106e913f257aa46c

SHA512
b367741da9ab4e9a621ad663762bd9c459676e0fb1412e60f7068834cbd5c83b050608e33d5320e1b191be1d809fef48831e0f42b3ecabd38b24ec222576fa81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c1c074e692daa51768ce2708d765c1cb

SHA1
38ace6854f2d412f8ea3678c2239e64d18c46c96

SHA256
cd485ffb988c09a4f24396178393ae9095439ab73b2f5750973548f546b0a7df

SHA512
c28cfbf39166685172b5ed463a90cd3010293db1f2225c274caea4e6b3936f2e70db2e69332cf394324278b8118529df57d53c52e1ceb638831e341b93b72840

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bdc563734707d371ee141e9c72c9cc1c

SHA1
1d89c31de67f5da1972f922ec110d7ec4a2bb7ff

SHA256
4efa95b65c3a2e347be9ebdceb4890d4ac9a68f76239765c8bba412876f3e5f8

SHA512
5e634128b36b93e063af1998e68325daaa73ed6a471e657f20ff2df526c81dfdea2825bb03fd00b144ed337be4db0695a4ff4be61f7eca475d6f4499d6c38806

Download Submit