hxxp://google[.]com

Analysis

max time kernel
961s
max time network
974s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
21-02-2024 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://google.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4856	msedge.exe
4856	msedge.exe
3480	msedge.exe
3480	msedge.exe
4344	msedge.exe
4344	msedge.exe
1596	identity_helper.exe
1596	identity_helper.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 3988	3480	msedge.exe	64
PID 3480 wrote to memory of 3988	3480	msedge.exe	64
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 1756	3480	msedge.exe	79
PID 3480 wrote to memory of 4856	3480	msedge.exe	78
PID 3480 wrote to memory of 4856	3480	msedge.exe	78
PID 3480 wrote to memory of 2340	3480	msedge.exe	80
PID 3480 wrote to memory of 2340	3480	msedge.exe	80
PID 3480 wrote to memory of 2340	3480	msedge.exe	80
PID 3480 wrote to memory of 2340	3480	msedge.exe	80
PID 3480 wrote to memory of 2340	3480	msedge.exe	80
PID 3480 wrote to memory of 2340	3480	msedge.exe	80
PID 3480 wrote to memory of 2340	3480	msedge.exe	80
PID 3480 wrote to memory of 2340	3480	msedge.exe	80
PID 3480 wrote to memory of 2340	3480	msedge.exe	80
PID 3480 wrote to memory of 2340	3480	msedge.exe	80
PID 3480 wrote to memory of 2340	3480	msedge.exe	80
PID 3480 wrote to memory of 2340	3480	msedge.exe	80
PID 3480 wrote to memory of 2340	3480	msedge.exe	80
PID 3480 wrote to memory of 2340	3480	msedge.exe	80
PID 3480 wrote to memory of 2340	3480	msedge.exe	80
PID 3480 wrote to memory of 2340	3480	msedge.exe	80
PID 3480 wrote to memory of 2340	3480	msedge.exe	80
PID 3480 wrote to memory of 2340	3480	msedge.exe	80
PID 3480 wrote to memory of 2340	3480	msedge.exe	80
PID 3480 wrote to memory of 2340	3480	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdd7143cb8,0x7ffdd7143cc8,0x7ffdd7143cd8
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,626214758725300130,9550358832109190192,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,626214758725300130,9550358832109190192,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,626214758725300130,9550358832109190192,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
  2⤵
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,626214758725300130,9550358832109190192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,626214758725300130,9550358832109190192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,626214758725300130,9550358832109190192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,626214758725300130,9550358832109190192,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,626214758725300130,9550358832109190192,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,626214758725300130,9550358832109190192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,626214758725300130,9550358832109190192,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6124 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,626214758725300130,9550358832109190192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,626214758725300130,9550358832109190192,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,626214758725300130,9550358832109190192,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5204 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
12b71c4e45a845b5f29a54abb695e302

SHA1
8699ca2c717839c385f13fb26d111e57a9e61d6f

SHA256
c353020621fa6cea80eaa45215934d5f44f181ffa1a673cdb7880f20a4e898e0

SHA512
09f0d1a739102816c5a29106343d3b5bb54a31d67ddbfcfa21306b1a6d87eaa35a9a2f0358e56cc0f78be15eeb481a7cc2038ce54d552b9b791e7bee78145241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce319bd3ed3c89069337a6292042bbe0

SHA1
7e058bce90e1940293044abffe993adf67d8d888

SHA256
34070e3eea41c0e180cb5541de76cea15ef6f9e5c641e922d82a2d97bdce3aa3

SHA512
d42f7fc32a337ecd3a24bcbf6cd6155852646cae5fb499003356f713b791881fc2e46825c4ff61d09db2289f25c0992c10d6fadb560a9bea33284bd5acc449f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
194KB

MD5
ac84f1282f8542dee07f8a1af421f2a7

SHA1
261885284826281a99ff982428a765be30de9029

SHA256
193b8f571f3fd65b98dc39601431ff6e91ade5f90ee7790bfc1fba8f7580a4b0

SHA512
9f4f58ab43ddadad903cea3454d79b99a750f05e4d850de5f25371d5bec16fc312015a875b8f418154f1124c400ae1c82e2efd862870cd35c3f0961426c8cd82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
d4afc9f06316a77f156ec2fd6c02115d

SHA1
e630dd0c11c2d40f3e3640dd84784d4c32a1e7eb

SHA256
20199838e5f78b9fe12f569d98299d2fad7db86e5102edb3b257bc55817528a1

SHA512
6118e3b3d220ce8c8b26a94e3554da0057ca0d855fdc603c907f44830791c9a833aad55bb6ef447482083a082e8d1372c8fbbe0a991bf692b1b6a6e8b83bb64c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
844B

MD5
c941486145cfed358dbd1b3c6fddebee

SHA1
2bb1317e3f3143e820e96a2e729fc1c14f8938f6

SHA256
76addb5052ff83c93f93bd6830ef9311a7ed723623b50cd50f5680f7cc7031e1

SHA512
2ce03af1ee45e444e4979d4d1a9022cdbaecdc18316162222188c4f2f582aed0a0dab9ba22dc819ce804ca38563d174937fd6aecd02bca2c92c4f17270f5b473

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
17cd62dea3d6667bc30cce96f03bb31f

SHA1
072cde7376de55963e8f10009e6085a614b5c2bb

SHA256
73c251a8f0802fbce546317526d34130f7c497576e0e2eb8cabe44855affe8db

SHA512
6927ef70de4917ca4ae85028ea3c85aa27b1b6cd04a3bbca82fbe47069f01872defc12c9ad1aa6dd39a6a3825e70d03034d034367cea1292dd9a8318d1f7d0ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5034d0f3bb5a10ca6c88d9a844b18255

SHA1
0c2545c2184074e0dd6bfb7d84ebfdeaa66aec1f

SHA256
d3b285fcee644b9f7c3cb8bd3b9b2079ccec719270ad67f63d4432bd48be95c0

SHA512
e3887990260667e780f737926e72ca9121f9eb8101b7a1feab09fe1c1d302e2110687fac251fbba8874f96796ec0f1f23a0532544c9f6771fff27b0ae70510ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dca52078f1d1bda139c1299596703334

SHA1
4325e8f53990f16c5c0477b7e481626c7c5f0f5b

SHA256
f258ebe7f168ac08e0325e7ed2a0d6425c6dc5a667caff77a4c7b84fdba36523

SHA512
92fb3acf5d4197985672f49d874140b2ef32ab5c49c318b9b94f8113ea152e5305eaab0606b7877f077dcd73fcbc69ba94a8fb7d2f43488dabfdfb77129cbc89

Download Submit