10c33fb1bee390444430006c5274f928bbb45e87a944ff50fc33261d8453489a

Analysis

max time kernel
144s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
02-02-2024 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nouveau document texte.txt
Size

76B
MD5

8cbb5483765db903966c77908e33eed2
SHA1

354ffaf98fbfccfcc28bd01d0f7750aa17451f00
SHA256

10c33fb1bee390444430006c5274f928bbb45e87a944ff50fc33261d8453489a
SHA512

b2e1fde4ef28067ede595480a969d4d5fe369dabd1215055a9bc9ea6990d0c5e30bbf3a751fffd57188ff1c5097d091063da2fc92a752a2137d832addfed82a4

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-175642277-3213633112-3688900201-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5104	msedge.exe
5104	msedge.exe
3140	msedge.exe
3140	msedge.exe
484	msedge.exe
484	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 2888	3720	cmd.exe	79
PID 3720 wrote to memory of 2888	3720	cmd.exe	79
PID 3140 wrote to memory of 5044	3140	msedge.exe	84
PID 3140 wrote to memory of 5044	3140	msedge.exe	84
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 3816	3140	msedge.exe	85
PID 3140 wrote to memory of 5104	3140	msedge.exe	86
PID 3140 wrote to memory of 5104	3140	msedge.exe	86
PID 3140 wrote to memory of 2632	3140	msedge.exe	87
PID 3140 wrote to memory of 2632	3140	msedge.exe	87
PID 3140 wrote to memory of 2632	3140	msedge.exe	87
PID 3140 wrote to memory of 2632	3140	msedge.exe	87
PID 3140 wrote to memory of 2632	3140	msedge.exe	87
PID 3140 wrote to memory of 2632	3140	msedge.exe	87
PID 3140 wrote to memory of 2632	3140	msedge.exe	87
PID 3140 wrote to memory of 2632	3140	msedge.exe	87
PID 3140 wrote to memory of 2632	3140	msedge.exe	87
PID 3140 wrote to memory of 2632	3140	msedge.exe	87
PID 3140 wrote to memory of 2632	3140	msedge.exe	87
PID 3140 wrote to memory of 2632	3140	msedge.exe	87
PID 3140 wrote to memory of 2632	3140	msedge.exe	87
PID 3140 wrote to memory of 2632	3140	msedge.exe	87
PID 3140 wrote to memory of 2632	3140	msedge.exe	87
PID 3140 wrote to memory of 2632	3140	msedge.exe	87
PID 3140 wrote to memory of 2632	3140	msedge.exe	87
PID 3140 wrote to memory of 2632	3140	msedge.exe	87

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Nouveau document texte.txt"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Nouveau document texte.txt
  2⤵
  PID:2888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffabeea3cb8,0x7ffabeea3cc8,0x7ffabeea3cd8
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1824,5745701438497118631,7063949419857761105,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1824,5745701438497118631,7063949419857761105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1824,5745701438497118631,7063949419857761105,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2524 /prefetch:8
  2⤵
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,5745701438497118631,7063949419857761105,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,5745701438497118631,7063949419857761105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,5745701438497118631,7063949419857761105,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,5745701438497118631,7063949419857761105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1824,5745701438497118631,7063949419857761105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab16bd4ff2a8053c32cae8e2c4d25a66

SHA1
c1e041f30745a24f337adae3f4561d0f94f9e7cf

SHA256
5bafe572e81800f2a0bcd73872edb58a34972bf6134fac1432bdda1b7c0ebb70

SHA512
e4d7ee26645efa73e97b3453de0a3cf4a2374f758f625fac76e074c90413ad22fe17183e1611d5262cd1012da41a8d80b9718912af6bd5d807f4e972f591e69d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
00a455d9d155394bfb4b52258c97c5e5

SHA1
2761d0c955353e1982a588a3df78f2744cfaa9df

SHA256
45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed

SHA512
9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
b1db3c9dadbcc3f2369dd75810b816f7

SHA1
4f8e4fd03a938f54f2d825fa3e81b96e5209a1ba

SHA256
b4b725d5f9006e4419f939af2baa0b7c028c972adbca75f5914397ac3cfe9dd4

SHA512
273f3ec9ba5c5954f63ff97b90e4e6c2a722c181077b7f64d24f390d3e6ca5b418c8bae685b764414c4ee5e6dfc456e225eb8f723ae8518e7304a8e4a78fafe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a2300bca0d4e17e2e82bab861645059d

SHA1
e0375e937c0d21605aaf9e9540875da4c27dcaa6

SHA256
c00336c8d2ebc240cb2d90661b2be2385da7a9bda2cbb64157d5d656a2a8079c

SHA512
480ef93c5789f4e1677f910edfe3b87abb923f34117ab31e3574e18b735b59f3684b4d8cd9dc327bc023c9c063520eaae030ea5c44a296b4e02f62506751c3b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
ce1a520c0391b9bc488c3247f6ef97fa

SHA1
e5f17460b8523ee81baf57f42fe8805bb8a785c2

SHA256
ba7e3b507503627a92c7357505138fb2141cab277631cd5da4e0147502532b27

SHA512
39b0888ddec8610fe98ce71c71a64231c81bd37b64e541a879d9bde92ddff22037eb537c0c7d196edd1eb739a9625d7dfe24b1becf6837fa973b8e510852a6c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
225acd81a5b2ad6b2d45fcc03796206e

SHA1
ba49b0b4e4f4f44019047bd45a8190a54905be91

SHA256
a76cf92b4dc4308d53037a5abfa37da76e6156073dcb14df95284d8ce8f15515

SHA512
09a8ccea00a2f0583205c32656e26b4d6d723153248d06020a0e289a1d6d9754e097e0882cb4bc89f95c12a1e40b96a191b2b246f87eac7c580dc04eca44c984

Download Submit