hxxps://www[.]google[.]com/

Analysis

max time kernel
35s
max time network
37s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
25-02-2024 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.google.com/

Score

1^/10

Malware Config

Signatures

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1160	msedge.exe
1160	msedge.exe
368	msedge.exe
368	msedge.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
368	msedge.exe
368	msedge.exe
368	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3404	taskmgr.exe
Token: SeSystemProfilePrivilege	3404	taskmgr.exe
Token: SeCreateGlobalPrivilege	3404	taskmgr.exe
Token: 33	3404	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3404	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe

Suspicious use of SendNotifyMessage 63 IoCs

pid	Process
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 1796	368	msedge.exe	53
PID 368 wrote to memory of 1796	368	msedge.exe	53
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 2840	368	msedge.exe	90
PID 368 wrote to memory of 1160	368	msedge.exe	89
PID 368 wrote to memory of 1160	368	msedge.exe	89
PID 368 wrote to memory of 1736	368	msedge.exe	91
PID 368 wrote to memory of 1736	368	msedge.exe	91
PID 368 wrote to memory of 1736	368	msedge.exe	91
PID 368 wrote to memory of 1736	368	msedge.exe	91
PID 368 wrote to memory of 1736	368	msedge.exe	91
PID 368 wrote to memory of 1736	368	msedge.exe	91
PID 368 wrote to memory of 1736	368	msedge.exe	91
PID 368 wrote to memory of 1736	368	msedge.exe	91
PID 368 wrote to memory of 1736	368	msedge.exe	91
PID 368 wrote to memory of 1736	368	msedge.exe	91
PID 368 wrote to memory of 1736	368	msedge.exe	91
PID 368 wrote to memory of 1736	368	msedge.exe	91
PID 368 wrote to memory of 1736	368	msedge.exe	91
PID 368 wrote to memory of 1736	368	msedge.exe	91
PID 368 wrote to memory of 1736	368	msedge.exe	91
PID 368 wrote to memory of 1736	368	msedge.exe	91
PID 368 wrote to memory of 1736	368	msedge.exe	91
PID 368 wrote to memory of 1736	368	msedge.exe	91
PID 368 wrote to memory of 1736	368	msedge.exe	91
PID 368 wrote to memory of 1736	368	msedge.exe	91

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9735f46f8,0x7ff9735f4708,0x7ff9735f4718
  2⤵
  PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,17716682206568322171,18031113041025985393,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,17716682206568322171,18031113041025985393,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,17716682206568322171,18031113041025985393,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
  2⤵
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17716682206568322171,18031113041025985393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17716682206568322171,18031113041025985393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17716682206568322171,18031113041025985393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:2688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1124

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e189354a800c436e6cec7c07e6c0feea

SHA1
5c84fbda33c9276736ff3cb01d30ff34b032f781

SHA256
826adca1e688de79a3ec5b91c75990927fb2a33ae717f474608c68336053f427

SHA512
ceb069a5e83a634503e253846fa17b8bf7aaa539c3353ce61251633d69068e24c5eadd1b496f43058790d2b513e65d2c0b0213730813d0b58bb82a00596e05e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9e3e150cfe464e9ebf0a6db1aa5e7a2

SHA1
3cb184e2781c07ac000661bf82e3857a83601813

SHA256
2325a6292907263d1fb089a09f22fbcc6bad56f4961d427efdef1abaef097bcc

SHA512
f5eb1e76eb9441cf5000d8d4db9296077b61714ead5012779c084b37f4bba07614055738f5dce69b13b25975d9b7c03eab049b7685eee09b23fd8d4a7d71a039

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
195KB

MD5
873734b55d4c7d35a177c8318b0caec7

SHA1
469b913b09ea5b55e60098c95120cc9b935ddb28

SHA256
4ee3aa3dc43cb3ef3f6bfb91ed8214659e9c2600a45bee9728ebbcb6f33b088d

SHA512
24f05ed981e994475879ca2221b6948418c4412063b9c07f46b8de581047ddd5d73401562fa9ee54d4ce5f97a6288c54eac5de0ca29b1bb5797bdac5a1b30308

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
ebc3c93ccc9139d534f73bc063fa02e9

SHA1
870e5fa9ab6b52d49427d5411cd26f0fbcf4786c

SHA256
7fc433b3787db609df1cb2003c1a4f3c8ffe66e667188a5f167de5c6d803c32a

SHA512
0b13bb47bbf73dbcc1d4e3bdd0dfe63131af4b91377d67ac69b7a35b22dca274caf4758bf9c17204b375b9ac6ce9828190cef93268bcda366debc7426fee4ce8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
815B

MD5
9016772ad46e3d1329dc18eb6e15992a

SHA1
f8255d7352efd570cad937ea9312fd0972eeb2ff

SHA256
847bdca91ba0c4f332446f885eecff8fd5ae9636f074091297963465e0ba2b32

SHA512
9f0a8316f7598b95d5c266a8475b1571e7eb7f1b014863d32bacbe6e4042068307ec62f638e1294d0fa79f4550485e46e5a4aa6e23df2aa2962d99c8405de49b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fea6db692d84c15eec4f5a887b65890e

SHA1
a62af23004320e5ec10a5985278a647b86de5a34

SHA256
fb7c5c3dadd6137a2bf4b60c29e67925d91c2e34b7a0878d257c3683f2621d90

SHA512
22a601ddd32fc7122eb4b227ce3585b11203c32443a52da64fd92af1f2c3d7ad70539a1192c31aff4078453ff6a564d851a3e11b92c246e4b259111f036dd1f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
975657a71f0e0dd37ca82affab4a8a8a

SHA1
4511423aa9a4c7a513a3dc7f29729fdd2daaf2c8

SHA256
be76afbd1896976011a0a0163db501fd658d1fb32b3c06b08efb57e942bf91cd

SHA512
5d64472896199cff3ef357e2e19e0793145b048eb17845f52eb5e54f2f8db1852972a784513900745d03f671b93febc3a2bff4005d04b4b59d7cd210133dcb56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3556c85c8f462f0dd174bd7c9eab0b9f

SHA1
2a4d9a077fc317b9346eec40025e6494d1b77522

SHA256
c8be9545e0ff22bba914017211cc16102e6df98603f5107d6cdabfca1fb56de9

SHA512
1bc309ef5284b0d1785264cb00f2f31478296156b8216d3d7958eef47aa7bdf17c2d394fc985a330452412ffe79bdb8e60ce2dd77d988385a506c0457073d787

Download Submit
memory/3404-137-0x00000187F9B20000-0x00000187F9B21000-memory.dmp

Filesize
4KB

Download
memory/3404-136-0x00000187F9B20000-0x00000187F9B21000-memory.dmp

Filesize
4KB

Download
memory/3404-135-0x00000187F9B20000-0x00000187F9B21000-memory.dmp

Filesize
4KB

Download
memory/3404-145-0x00000187F9B20000-0x00000187F9B21000-memory.dmp

Filesize
4KB

Download
memory/3404-144-0x00000187F9B20000-0x00000187F9B21000-memory.dmp

Filesize
4KB

Download
memory/3404-143-0x00000187F9B20000-0x00000187F9B21000-memory.dmp

Filesize
4KB

Download
memory/3404-142-0x00000187F9B20000-0x00000187F9B21000-memory.dmp

Filesize
4KB

Download
memory/3404-141-0x00000187F9B20000-0x00000187F9B21000-memory.dmp

Filesize
4KB

Download
memory/3404-146-0x00000187F9B20000-0x00000187F9B21000-memory.dmp

Filesize
4KB

Download
memory/3404-147-0x00000187F9B20000-0x00000187F9B21000-memory.dmp

Filesize
4KB

Download