e21d58bd08e5380dbac2aa665c0371f126dab74a4420cc949fa1c1a16e860c92

Analysis

max time kernel
152s
max time network
193s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
22/02/2024, 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

doc/weka/associations/FilteredAssociationRules.html
Size

20KB
MD5

fd760f72c074e1d4a455fe9d6e0a28c6
SHA1

8e039c9d64d981181d0b9a36a70f85d957be0898
SHA256

82d56e4e938bcc3608a1777163e0ea70c6448fee5cdd4fa394a7dbdcf006bd34
SHA512

b76163865e92666c159fdf5035d4a8a850d86283ecf7bbf4ec6236370ab086ba0edbce4c1c0efc6032a9257156c5022c572308a70a588434dbcf515fdcd72ea6
SSDEEP

384:2ciYPYyq23PizWxvEdJ7XXX6QUQr5iq324kugQ+Q4mFHBc1xT:2ciYPYEPx+XvoAHgpmFHBc1xT

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1828	msedge.exe
1828	msedge.exe
1104	msedge.exe
1104	msedge.exe
3320	msedge.exe
3320	msedge.exe
2188	identity_helper.exe
2188	identity_helper.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 780	1104	msedge.exe	76
PID 1104 wrote to memory of 780	1104	msedge.exe	76
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 4536	1104	msedge.exe	77
PID 1104 wrote to memory of 1828	1104	msedge.exe	79
PID 1104 wrote to memory of 1828	1104	msedge.exe	79
PID 1104 wrote to memory of 3876	1104	msedge.exe	78
PID 1104 wrote to memory of 3876	1104	msedge.exe	78
PID 1104 wrote to memory of 3876	1104	msedge.exe	78
PID 1104 wrote to memory of 3876	1104	msedge.exe	78
PID 1104 wrote to memory of 3876	1104	msedge.exe	78
PID 1104 wrote to memory of 3876	1104	msedge.exe	78
PID 1104 wrote to memory of 3876	1104	msedge.exe	78
PID 1104 wrote to memory of 3876	1104	msedge.exe	78
PID 1104 wrote to memory of 3876	1104	msedge.exe	78
PID 1104 wrote to memory of 3876	1104	msedge.exe	78
PID 1104 wrote to memory of 3876	1104	msedge.exe	78
PID 1104 wrote to memory of 3876	1104	msedge.exe	78
PID 1104 wrote to memory of 3876	1104	msedge.exe	78
PID 1104 wrote to memory of 3876	1104	msedge.exe	78
PID 1104 wrote to memory of 3876	1104	msedge.exe	78
PID 1104 wrote to memory of 3876	1104	msedge.exe	78
PID 1104 wrote to memory of 3876	1104	msedge.exe	78
PID 1104 wrote to memory of 3876	1104	msedge.exe	78
PID 1104 wrote to memory of 3876	1104	msedge.exe	78
PID 1104 wrote to memory of 3876	1104	msedge.exe	78

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\doc\weka\associations\FilteredAssociationRules.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ffdba903cb8,0x7ffdba903cc8,0x7ffdba903cd8
  2⤵
  PID:780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,10295882682196901190,7118705687733484090,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,10295882682196901190,7118705687733484090,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
  2⤵
  PID:3876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,10295882682196901190,7118705687733484090,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,10295882682196901190,7118705687733484090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,10295882682196901190,7118705687733484090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:2520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,10295882682196901190,7118705687733484090,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,10295882682196901190,7118705687733484090,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,10295882682196901190,7118705687733484090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,10295882682196901190,7118705687733484090,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,10295882682196901190,7118705687733484090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
  2⤵
  PID:2952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,10295882682196901190,7118705687733484090,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
  2⤵
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,10295882682196901190,7118705687733484090,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4552 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2416

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
341f6b71eb8fcb1e52a749a673b2819c

SHA1
6c81b6acb3ce5f64180cb58a6aae927b882f4109

SHA256
57934852f04cef38bb4acbe4407f707f137fada0c36bab71b2cdfd58cc030a29

SHA512
57ecaa087bc5626752f89501c635a2da8404dbda89260895910a9cc31203e15095eba2e1ce9eee1481f02a43d0df77b75cb9b0d77a3bc3b894fdd1cf0f6ce6f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
88e9aaca62aa2aed293699f139d7e7e1

SHA1
09d9ccfbdff9680366291d5d1bc311b0b56a05e9

SHA256
27dcdb1cddab5d56ac53cff93489038de93f61b5504f8595b1eb2d3124bbc12c

SHA512
d90dabe34504dde422f5f6dec87851af8f4849f521759a768dfa0a38f50827b099dfde256d8f8467460c289bdb168358b2678772b8b49418c23b882ba21d4793

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
814d4f8f685c1ab843d980406e3ecd93

SHA1
52ff254780969df507fbb8b7fccb3e64274f14dd

SHA256
5512234a0866bb4524ba7439898cc77fc3e136beb6850313942e54f82ed23628

SHA512
2f9bb6e381255b62d243573df58b6cc4d0bcafc881f2577886184ca407d70da8511a9dacbb06536885a6907f49ce58d87626d17804d898604105207e906fa9c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ef40437a-ccf6-4815-8313-370aeb7b2ccc.tmp

Filesize
5KB

MD5
41b20321f878cd4be072b8bf640168c9

SHA1
0254ccafbf771d89ec3d42e468bb11d08d65d116

SHA256
b9659fd2b01ddf2bbc93fd42bfeb5c88abd5a4a8dc30afe632a44f3005775dd3

SHA512
cf65cbbb9f5899ffc93df8eee3d4017254e7a574789fefe327e53c48b7a28f1aa78ab22f1f1ca7a1dab689baabfec7114b4f708ebe32bb2aaf91bd87ac8d220e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ccd64af42248f6b1bf59e30af69a3580

SHA1
20f3a93b8a2c8c8a6302b0462d58bbb5bfaba304

SHA256
d8a264ef184e36b7026f649c3481176c6bffb162820e837597dbeaaea919a25e

SHA512
749143fc2b941901d48949c1de09446955d1823ab61f00edbdcbff863e9c301b2fb5059de923f3a0b9ae920f783c7832ba1730f723f1ffb72e6697d679dadc42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c74258141dbe4f00d35059a15f8ad8a9

SHA1
ec5605f76bbbf30b69c3f2b11a84a05ece309ec5

SHA256
36b4c47365fc905db48493ac5c14e3f4f6ce4cee3a7c7a3f629f32760a31c650

SHA512
d7cfc6e80542e3d4a5fdaf8f007f7965e763af12671b008eb11241a74ee8a567caf1861c03951fdf734271300d71249756608406269ec9ba9efebc91f712dfa7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit