037f55b1ae020abdacc7cae120999588c08c9c95188ed44bd716caab39377e1e

Analysis

max time kernel
145s
max time network
147s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
20/02/2024, 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LICENSES.chromium.html
Size

6.4MB
MD5

c3528648bedbde1223a2faab1a3f9af3
SHA1

934d3c8f184258338ff380964ed89053ce69ac5b
SHA256

57b8e5a3f2cd62805001aefca035c7348b4d1abac157e6df3d798bb31f2ec3d2
SHA512

3e3cc0fd7a55f67ee0afff9696beef33bdc9524375bbe9d8e8f7660fd408c756c1156ca0b02ecccdc22799c7b8e74dbde012732ad6b3ebe0a3cfc54ff5132b35
SSDEEP

24576:d7t05kvWS99LVoFIUmf2p6y6E6c666r8HHdE/pG6:RI8j

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3608	msedge.exe
3608	msedge.exe
244	msedge.exe
244	msedge.exe
3660	msedge.exe
3660	msedge.exe
2124	identity_helper.exe
2124	identity_helper.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 244 wrote to memory of 3856	244	msedge.exe	81
PID 244 wrote to memory of 3856	244	msedge.exe	81
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3332	244	msedge.exe	82
PID 244 wrote to memory of 3608	244	msedge.exe	83
PID 244 wrote to memory of 3608	244	msedge.exe	83
PID 244 wrote to memory of 4956	244	msedge.exe	84
PID 244 wrote to memory of 4956	244	msedge.exe	84
PID 244 wrote to memory of 4956	244	msedge.exe	84
PID 244 wrote to memory of 4956	244	msedge.exe	84
PID 244 wrote to memory of 4956	244	msedge.exe	84
PID 244 wrote to memory of 4956	244	msedge.exe	84
PID 244 wrote to memory of 4956	244	msedge.exe	84
PID 244 wrote to memory of 4956	244	msedge.exe	84
PID 244 wrote to memory of 4956	244	msedge.exe	84
PID 244 wrote to memory of 4956	244	msedge.exe	84
PID 244 wrote to memory of 4956	244	msedge.exe	84
PID 244 wrote to memory of 4956	244	msedge.exe	84
PID 244 wrote to memory of 4956	244	msedge.exe	84
PID 244 wrote to memory of 4956	244	msedge.exe	84
PID 244 wrote to memory of 4956	244	msedge.exe	84
PID 244 wrote to memory of 4956	244	msedge.exe	84
PID 244 wrote to memory of 4956	244	msedge.exe	84
PID 244 wrote to memory of 4956	244	msedge.exe	84
PID 244 wrote to memory of 4956	244	msedge.exe	84
PID 244 wrote to memory of 4956	244	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffee8d63cb8,0x7ffee8d63cc8,0x7ffee8d63cd8
  2⤵
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,16336707167019547918,8944071262647642575,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,16336707167019547918,8944071262647642575,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,16336707167019547918,8944071262647642575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,16336707167019547918,8944071262647642575,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,16336707167019547918,8944071262647642575,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,16336707167019547918,8944071262647642575,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,16336707167019547918,8944071262647642575,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1928,16336707167019547918,8944071262647642575,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3424 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,16336707167019547918,8944071262647642575,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,16336707167019547918,8944071262647642575,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,16336707167019547918,8944071262647642575,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,16336707167019547918,8944071262647642575,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4848 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53b9b1800c90e0f055e0daabb68cc97e

SHA1
beb76399e32e4ca5c634228e2d4001e197249cf0

SHA256
edac0665854b4e7aa3f2b866e6172c71b2e1c6a169a2a04cf1e74102ee9c0e5e

SHA512
87d516b7ae594902b2544e13c6224760e1ec40d676a2f699da3242b5d3a9eb962dc7b3ca7e2a3eed1dac5375cc6fd8379dfe47d127fd3c18a653a05a8f67c31b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\5578feaa-0032-450d-8f60-ab1419fa02ae.tmp

Filesize
5KB

MD5
61cb34ab5e4fc19a63041e24dd536176

SHA1
1c2ce7645e7c78f30a8483fc151f507d447af5fe

SHA256
3c60f7204e26a170b3cc52d62548eca557f49f0568615c2b692369ac94e713c0

SHA512
22e150a291a9394df057cad9ede2b156b04ae73aec8634803352135d332c07c0bd72371dc5c9d893a88229eb25f78762bfe59b55d0bb57daeec6cdfdfa488d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
019778bc43f8037384060a954565892d

SHA1
d8fc26f055221e78bbecfaaed55acd77e7581d84

SHA256
f078d9bfde75972f9d1d7b5caa7b48e497e1c9ccc581148a858afc257b2fe43a

SHA512
e20dc62bc6cc5029f888f6cae43449774a8c5f2cd927c22ba5de46ec5973cf60dd43ff1f78ce84e370e2d85eaf83d94534c3e226dc2a79d86f7018d3dabc5f8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
c82ad8ad14e526ec66559c47de1a763f

SHA1
b10b0f130da2c65e86f90dea7ee0a7023d5c2113

SHA256
daf64997d996dd9b5fa74cfcf401181709c99c832ecac0765dfa2685a4de2d26

SHA512
77f20db71a5452fe0de763080ca73b3e55cb0f38bce7805eed977eff6d932b7b081f896be7d9baa8758cb0677e12848f60e08dc2b19985dad0476962b0ffcf66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
33112026596ca3cdeb277831cf23dffd

SHA1
fbb63e17c9d4a1e070800bb9b3b5df36c719c1fd

SHA256
42b23dd82de2c30726de93e21c74f2a7819dd888caf4df1fbedd5d29b223faed

SHA512
38cc63da0b93ef936b79309d273d03a46256b0062de9f749b92ef24449bcdd662fe16e7e6e6e3069bbca72d72291cab39759134e540e88645edb827cc51dc428

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1113c23e56d1fa865d296bbc22bec496

SHA1
f3ea9ee20beca712b63baf970faed880cc5c35f7

SHA256
4676ca188fe0140624b4b55a0e10993c5b09e3b7d429e360d0eabe69d730b475

SHA512
8df11a4f5d1ff3f58a82c6047301029cb53093e05315223b07246c62d84c3fa6055de3cd747d30c062e5080b751122ebf89e306d5e3307b851018d1a220c9094

Download Submit