hxxps://c[.]clarity[.]ms/c[.]gif?ctsa=mr&CtsSyncId=9763A59ADAFD49C7A526A6C23ADBA872&MUID=08D2CF95239564B42255DBB6223F6516

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://c.clarity.ms/c.gif?ctsa=mr&CtsSyncId=9763A59ADAFD49C7A526A6C23ADBA872&MUID=08D2CF95239564B42255DBB6223F6516

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2752	msedge.exe
2752	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
876	identity_helper.exe
876	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3688	msedge.exe
3688	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 3132	3688	msedge.exe	84
PID 3688 wrote to memory of 3132	3688	msedge.exe	84
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 4680	3688	msedge.exe	86
PID 3688 wrote to memory of 2752	3688	msedge.exe	85
PID 3688 wrote to memory of 2752	3688	msedge.exe	85
PID 3688 wrote to memory of 3856	3688	msedge.exe	87
PID 3688 wrote to memory of 3856	3688	msedge.exe	87
PID 3688 wrote to memory of 3856	3688	msedge.exe	87
PID 3688 wrote to memory of 3856	3688	msedge.exe	87
PID 3688 wrote to memory of 3856	3688	msedge.exe	87
PID 3688 wrote to memory of 3856	3688	msedge.exe	87
PID 3688 wrote to memory of 3856	3688	msedge.exe	87
PID 3688 wrote to memory of 3856	3688	msedge.exe	87
PID 3688 wrote to memory of 3856	3688	msedge.exe	87
PID 3688 wrote to memory of 3856	3688	msedge.exe	87
PID 3688 wrote to memory of 3856	3688	msedge.exe	87
PID 3688 wrote to memory of 3856	3688	msedge.exe	87
PID 3688 wrote to memory of 3856	3688	msedge.exe	87
PID 3688 wrote to memory of 3856	3688	msedge.exe	87
PID 3688 wrote to memory of 3856	3688	msedge.exe	87
PID 3688 wrote to memory of 3856	3688	msedge.exe	87
PID 3688 wrote to memory of 3856	3688	msedge.exe	87
PID 3688 wrote to memory of 3856	3688	msedge.exe	87
PID 3688 wrote to memory of 3856	3688	msedge.exe	87
PID 3688 wrote to memory of 3856	3688	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://c.clarity.ms/c.gif?ctsa=mr&CtsSyncId=9763A59ADAFD49C7A526A6C23ADBA872&MUID=08D2CF95239564B42255DBB6223F6516
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa9f046f8,0x7fffa9f04708,0x7fffa9f04718
  2⤵
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,10802746566010586487,11259827782700222852,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,10802746566010586487,11259827782700222852,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
  2⤵
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,10802746566010586487,11259827782700222852,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
  2⤵
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10802746566010586487,11259827782700222852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:3728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10802746566010586487,11259827782700222852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,10802746566010586487,11259827782700222852,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 /prefetch:8
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,10802746566010586487,11259827782700222852,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7a5862a0ca86c0a4e8e0b30261858e1f

SHA1
ee490d28e155806d255e0f17be72509be750bf97

SHA256
92b4c004a9ec97ccf7a19955926982bac099f3b438cd46063bb9bf5ac7814a4b

SHA512
0089df12ed908b4925ba838e07128987afe1c9235097b62855122a03ca6d34d7c75fe4c30e68581c946b77252e7edf1dd66481e20c0a9cccd37e0a4fe4f0a6fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0aa47566-33b6-474b-a0d7-314e10f0cc8f.tmp

Filesize
5KB

MD5
c8e82a1522df34d0f3c8f8f361626b0f

SHA1
2d124817be0cda6a5da3946f42ae1315ad4a0793

SHA256
b75eb22fa6abd1a64939e727d6e231b119d8d59d104e67ec0bf1c8595f804041

SHA512
a774b9ba9dc6e2877534abea141d4832f78936f319f6435e71905d5b821b4f87dc893072afde3e7c52a6a202cde956480b4c7cdc637e9c753d194a3e4d07f567

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
248B

MD5
0e992035fa3ed44aa1b58f998bcbb118

SHA1
29310c2710bae613122cbd099bc813717df17d64

SHA256
9b0fa036e1b8a6b1a4a8b15cddd744a99c04f6b677ba74dad099dc2b0cea2dcb

SHA512
c828fd1de1be1e083b29ac3f383bc62f075d10b02ae44813334e896701c08e9b6e9704acccfbf14f4395bf30ae71de563310dd7b2f2a6720fa56d6ce632dca71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8834e460c551fbacb322d18caada7bc4

SHA1
d37fa5deee23a3c884df35db3edca2c0fe4ec409

SHA256
721a141de7fdbdd9fe30f01c9424ad7451ef7dd815f62fe004f10a4a8dd41c3e

SHA512
e92f56f1034e98aa67bc343b0781d9db1589d989d4e89e55fb94c0c948126fd765982d48f7fe27f3ab1654c2ce42314d2c1704a97ed76938d51f5e5c50d8b450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1edb43815f179ee65a9cb46a070f17d9

SHA1
66ed9210742c826eec6e2abd6915fd72150cc187

SHA256
40945dae54c84b363e1985b86673e773d34a842471a9fd60a4854542360ea8de

SHA512
8fdf0cc389fcbc1bfef26f5b7a31737bb39300283fe1769f8b6105bbebddcf0b35641545954a34ae9e6cec22e48c6f7082e50380a742d6258e0ea7b644375a5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
52826cef6409f67b78148b75e442b5ea

SHA1
a675db110aae767f5910511751cc3992cddcc393

SHA256
98fc43994599573e7181c849e5865f23b4f05f85c1115dff53c58764d80373fb

SHA512
f18df18cab6b5ecd71b79c81a2a1fdac42cc9960f62f06ac25f4d6487792705f2766ee3a10239eaac940d090186e6bc820e4eb7a5ee138f6e5c1c64f951b960c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fd433d15258153bfe856aee4f42bac72

SHA1
eb02ac24a244b7e90dd293f5315ac3c67d88a8f1

SHA256
eaa2518bc552f59e826c320cee4a5e59bce00fe296d84f4b93422b9def45aed1

SHA512
888d8516bcb0be086fb3032e2397169c6b1c701ba0a6b4186a1b359a8cf81c533dc6fdf366363ac65d87384b1ca764dab36d4e19e157b49568bd233759777fa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
77008adafab53e9e73b615d7a55d4041

SHA1
7f4a0cfb8d7d6ccc6cc7899ce00b02ff4f94098c

SHA256
1cd6ed42124c1a72ae769065506cec2f9e95d037121b2cd055377534bf5d582d

SHA512
f05361db8d5fba92743c0ba67334a2b4e4282e9049ba25eea49e39f96fd75ea18d06a1c7937e3291e2003504eb324584cb08841a986c97247a7528678d5dc9bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit