fb1814fb9c9f6031ec7fa4edcbab17fe010b2e8677e0cb08cfd874d5774ac956

Analysis

max time kernel
145s
max time network
142s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
22-02-2024 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Vantage/build/Vantage/xref-Vantage.html
Size

243KB
MD5

98b965f2d58d780c8f5bf2c4606bbf9c
SHA1

362d4a82d0c0429d7dad66a527551e736ec06d4e
SHA256

aa0ecc1ba9ab3db83f5ece393e9ed52ee17d35be0298c64304fa17910de56905
SHA512

50c90d28ecb30b3c669d03843de1a5d377e51ba332caf0a245bf8d3d3ecb3db62dc2f504192c9c97d30d451ef17188b660f94b24291fe9a69a4190a50097091c
SSDEEP

6144:B2pSEqZvugrx8zQMPcIY7tL+cebYpn9EYuvxa7mjrDXueILMQXL1OxVXqTxXHIpX:QpY/rHpqpUpyfUO

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2208	msedge.exe
2208	msedge.exe
8	msedge.exe
8	msedge.exe
1928	msedge.exe
1928	msedge.exe
3224	identity_helper.exe
3224	identity_helper.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 4812	8	msedge.exe	79
PID 8 wrote to memory of 4812	8	msedge.exe	79
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 4876	8	msedge.exe	80
PID 8 wrote to memory of 2208	8	msedge.exe	81
PID 8 wrote to memory of 2208	8	msedge.exe	81
PID 8 wrote to memory of 2504	8	msedge.exe	82
PID 8 wrote to memory of 2504	8	msedge.exe	82
PID 8 wrote to memory of 2504	8	msedge.exe	82
PID 8 wrote to memory of 2504	8	msedge.exe	82
PID 8 wrote to memory of 2504	8	msedge.exe	82
PID 8 wrote to memory of 2504	8	msedge.exe	82
PID 8 wrote to memory of 2504	8	msedge.exe	82
PID 8 wrote to memory of 2504	8	msedge.exe	82
PID 8 wrote to memory of 2504	8	msedge.exe	82
PID 8 wrote to memory of 2504	8	msedge.exe	82
PID 8 wrote to memory of 2504	8	msedge.exe	82
PID 8 wrote to memory of 2504	8	msedge.exe	82
PID 8 wrote to memory of 2504	8	msedge.exe	82
PID 8 wrote to memory of 2504	8	msedge.exe	82
PID 8 wrote to memory of 2504	8	msedge.exe	82
PID 8 wrote to memory of 2504	8	msedge.exe	82
PID 8 wrote to memory of 2504	8	msedge.exe	82
PID 8 wrote to memory of 2504	8	msedge.exe	82
PID 8 wrote to memory of 2504	8	msedge.exe	82
PID 8 wrote to memory of 2504	8	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Vantage\build\Vantage\xref-Vantage.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffca8953cb8,0x7ffca8953cc8,0x7ffca8953cd8
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,1822127844903567984,6308455956388888766,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,1822127844903567984,6308455956388888766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,1822127844903567984,6308455956388888766,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2596 /prefetch:8
  2⤵
  PID:2504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,1822127844903567984,6308455956388888766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,1822127844903567984,6308455956388888766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:1452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,1822127844903567984,6308455956388888766,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,1822127844903567984,6308455956388888766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,1822127844903567984,6308455956388888766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,1822127844903567984,6308455956388888766,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,1822127844903567984,6308455956388888766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,1822127844903567984,6308455956388888766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1884,1822127844903567984,6308455956388888766,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3368 /prefetch:8
  2⤵
  PID:792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,1822127844903567984,6308455956388888766,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3168 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3128

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2332

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1256

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c65e704fc47bc3d9d2c45a244bb74d76

SHA1
3e7917feebea866e0909e089e0b976b4a0947a6e

SHA256
2e5d6a5eeb72575f974d5fa3cdff7ad4d87a361399ffdd4b03f93cdbdec3a110

SHA512
36c3be0e5fbc23c5c0ad2e14cfb1cf7913bea9a5aeb83f9f6fcf5dbc52a94d8ccb370cef723b0cda82b5fba1941b6a9ff57f77ff0076a2c5cf4250711e3dd909

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5c3ea95e17becd26086dd59ba83b8e84

SHA1
7943b2a84dcf26240afc77459ffaaf269bfef29f

SHA256
a241c88bb86182b5998d9818e6e054d29b201b53f4f1a6b9b2ee8ba22dd238dc

SHA512
64c905e923298528783dc64450c96390dc5edbda51f553c04d88ee944b0c660b05392dc0c823d7fb47f604b04061390b285f982dfcc767c8168ccb00d7e94e21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
910afacafda08cfacc7d8f6eb4ab6dd3

SHA1
7b99076689b71dbcbf29125e15de44aa45a7ae35

SHA256
558b307d6a98e98421e74db16588cf8877d9d29ec7783c97f6e9665233894d87

SHA512
c706f76715289e86d8a08ec3028806a9ffa0b47033cbeb6ddc9051d4cde0fde1467d34f2ba41db1ac19f17c31d15c01c389c12bf6527a92547b9eb8d5371e7e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3c7682e66681143476604dbdc11ce33e

SHA1
8d1b6222a568ae063f785ad73c961782d0509c3d

SHA256
eb0419c5dc0cca4bd5ac02c5339144e0c08ff4844b11346d0ec906add2a93098

SHA512
ecc5845a76c39165f13742e2e83c352f6bd15c42f7de060d886eee52aec40c332e61e96e6267f220cb55e5c6db39fb11280635c0cbe302347ef0e66d35566483

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4dbf7d89d7f30c5c405d66559c873a8d

SHA1
0714c1d300db5b509844a2badbb5e80db88b9232

SHA256
5205242e7d24fb85e39fcc6329a61d7dcead1f77742f1066e8a4097fc427700a

SHA512
e29790226c427640766f42a488031a3d8ac622e33b708f0c2089b84cf61bb9b0ee010ac00aeac7f4de6799504d659fb0924ba570053584e107f9a33e23d618ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2fa1c1f289f2f30383f4b89d96f27c4a

SHA1
74a614b81d899975bfad8e606b8e7b52baf896e1

SHA256
97a5908190e3371c0aa254dd5408c413d440f8e5e83e0f96a535184b666f80ed

SHA512
908344eecf9a766798ec6798e5a1e780cc0d69585f354a2d2e214b6d1ad0f719acb9aedcef2fa48856cbe63762079fa905d1fff65f3e82c862e4cfe80a129037

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
224e6e025649c716841e9965f66b688d

SHA1
9206de2dd4e56539d19c1ce5e0779bc024c89813

SHA256
e88906b8c4b57c99201bba492b17e3bb64e7b4b640a32372ea01775a9ed20d43

SHA512
334e0b1cdb563314cf2c7e539e00b195fa1da38e16662994124c53b945bb7dc55e6a11f1526b7afbadee7f439acf2d2239b3303507039ec3b57687b01734da5f

Download Submit