3cc951ba5d33757ea90766b47a7174ed5b1c7600f5f47d418e3b1fcfabe54f7e

max time kernel
470s
max time network
480s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
23-02-2024 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MalwareDatabase
Size

285KB
MD5

8adbc73e595f87a63b1efe9dc51ce993
SHA1

942d0f1b51055b5f0ae1f319c4509da66f8295d8
SHA256

3cc951ba5d33757ea90766b47a7174ed5b1c7600f5f47d418e3b1fcfabe54f7e
SHA512

c70bd77e192dc1c5da185d37b021c0cc23649512e8c9b9b46959fe488438ba3e8c4538bddd076ad232fc02e87727175bd15387c098b695c2f1556445bb0ec8ed
SSDEEP

6144:iDuqJ5fBrVSgE29xxspm0n1vuz3U9ovZJT3CqbMrhryfQNRPaCieMjAkvCJv1Vi/:afBrVSgE29xxspm0n1vuz3U9ovZJT3CU

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1992	msedge.exe
1992	msedge.exe
4948	msedge.exe
4948	msedge.exe
2980	identity_helper.exe
2980	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 3576	4948	msedge.exe	97
PID 4948 wrote to memory of 3576	4948	msedge.exe	97
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 2356	4948	msedge.exe	98
PID 4948 wrote to memory of 1992	4948	msedge.exe	99
PID 4948 wrote to memory of 1992	4948	msedge.exe	99
PID 4948 wrote to memory of 5036	4948	msedge.exe	100
PID 4948 wrote to memory of 5036	4948	msedge.exe	100
PID 4948 wrote to memory of 5036	4948	msedge.exe	100
PID 4948 wrote to memory of 5036	4948	msedge.exe	100
PID 4948 wrote to memory of 5036	4948	msedge.exe	100
PID 4948 wrote to memory of 5036	4948	msedge.exe	100
PID 4948 wrote to memory of 5036	4948	msedge.exe	100
PID 4948 wrote to memory of 5036	4948	msedge.exe	100
PID 4948 wrote to memory of 5036	4948	msedge.exe	100
PID 4948 wrote to memory of 5036	4948	msedge.exe	100
PID 4948 wrote to memory of 5036	4948	msedge.exe	100
PID 4948 wrote to memory of 5036	4948	msedge.exe	100
PID 4948 wrote to memory of 5036	4948	msedge.exe	100
PID 4948 wrote to memory of 5036	4948	msedge.exe	100
PID 4948 wrote to memory of 5036	4948	msedge.exe	100
PID 4948 wrote to memory of 5036	4948	msedge.exe	100
PID 4948 wrote to memory of 5036	4948	msedge.exe	100
PID 4948 wrote to memory of 5036	4948	msedge.exe	100
PID 4948 wrote to memory of 5036	4948	msedge.exe	100
PID 4948 wrote to memory of 5036	4948	msedge.exe	100

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\MalwareDatabase
1⤵
PID:2688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffaacee46f8,0x7ffaacee4708,0x7ffaacee4718
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,8445835852601930118,8061514638324753755,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2
  2⤵
  PID:2356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,8445835852601930118,8061514638324753755,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,8445835852601930118,8061514638324753755,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8445835852601930118,8061514638324753755,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
  2⤵
  PID:3688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8445835852601930118,8061514638324753755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
  2⤵
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8445835852601930118,8061514638324753755,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8445835852601930118,8061514638324753755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,8445835852601930118,8061514638324753755,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,8445835852601930118,8061514638324753755,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8445835852601930118,8061514638324753755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8445835852601930118,8061514638324753755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3692 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8445835852601930118,8061514638324753755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
  2⤵
  PID:1608

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a65ab4f620efd5ba6c5e3cba8713e711

SHA1
f79ff4397a980106300bb447ab9cd764af47db08

SHA256
3964e81a3b4b582e570836837b90a0539e820886a35281b416e428e9bf25fd76

SHA512
90330661b0f38ca44d6bd13a7ea2ab08a4065ec4801695e5e7e0dea154b13ac8d9b2737e36ebe9a314d2501b5ef498d03c5617c87e36986e294c701182db41b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
854f73d7b3f85bf181d2f2002afd17db

SHA1
53e5e04c78d1b81b5e6c400ce226e6be25e0dea8

SHA256
54c176976e1c56f13af90be9b8b678f17f36a943210a30274be6a777cf9a8dc4

SHA512
de14899cfaad4c312804a7fe4dcb3e9221f430088cb8bf5a9b941ac392a0bbad4e6ca974e258e34617bbffff3bf6490fa90d8c6921616f44186e267ddaa02971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9eaef74de4bda250043b856b68959968

SHA1
b04111d402232f67aa4b49eac7d57b21de75ece1

SHA256
5a99c4f1aa19dc937b74dab10bed354a9db0c6a30053287615ae9c993ced1521

SHA512
1a9112d83c61846d4a8f6f4e9e5bb49861f557b7f885ef87830940e49d4a0471852372f7b07a19ab7c16b796445d7344b8a6d919030324f31fe6ea32d91b1ce0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0e212d4f5c1e487697707f1e4dc69ae2

SHA1
e70d6e357ed9f89d3601afa691811989f1b1fdab

SHA256
cc2581ce6a06ad0971d97aba2c2e73d221fef30868f3e5c59f445adb36dcceb2

SHA512
aefc84e7173ebe90921f2cb1c1d161e2944152810686049414c245cbde65a54811fd87e65b6cdb16ee722660340f570367c3c07fe3bad823c5a11d8f854286e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
a9a757d75c9254cf5cb130b725bcd08c

SHA1
f10c733508cf200edac69f0da949bdd0f9880dc7

SHA256
422e7ac09754eeee3fcbd87dc544aeae03ab0285558fb34dcdcddedb8962e853

SHA512
bd86034238a8ad7efe63b75bd550888a5f2595b13257b21d0cb820828b24265325a953c9fbd415be0d15afbb4e31a075d64a7656db26d5bb4315763307a00e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
68d3acdde2390720aca9a930539f1ea3

SHA1
9a41d4835878b935bc69c33a026ac828297d62ee

SHA256
7ff8dea7b88d97f077479cc7cfd6f611d0795b0591ee0fecb033412d94988bb1

SHA512
ad30a57bcdeb203e02ec09a6c39146beaae22be97fe72ba537242a674bb75edac019d6ab5a11de086ef994ca0de37dfecab635e2b65876f513971cff1e718b4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit