Analysis

- max time kernel: 145s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/02/2024, 09:31
Static task: static1

Behavioral tasks:

Task          Sample                                 Resource
behavioral1   ae2e1cbf8477077d682a9e7882e80023.exe   win7-20240221-en
behavioral2   ae2e1cbf8477077d682a9e7882e80023.exe   win10v2004-20240226-en
behavioral3   $PLUGINSDIR/InstallOptions.dll         win7-20240221-en
behavioral4   $PLUGINSDIR/InstallOptions.dll         win10v2004-20240226-en
behavioral5   UKHook40.dll                           win7-20240221-en
behavioral6   UKHook40.dll                           win10v2004-20240226-en
behavioral7   UniKey.exe                             win7-20240220-en
behavioral8   UniKey.exe                             win10v2004-20240226-en
behavioral9   ukfaq.htm                              win7-20240221-en
behavioral10  ukfaq.htm                              win10v2004-20240226-en
behavioral11  ukmanual.htm                           win7-20240221-en
behavioral12  ukmanual.htm                           win10v2004-20240226-en
behavioral13  uninst.exe                             win7-20240221-en
General

- Target: ukfaq.htm
- Size: 24KB
- MD5: 796699abf7e3066aee796dc40e4d4b85
- SHA1: 06a40c69b48d23d5c192d07e7596af935b269328
- SHA256: 034481703a0b664a7f86660a67e54e7cc755cd90d57cfa4f4b8b3b7622ff126f
- SHA512: e120d2edafb91a1848ff0521a53f2bbbcb99900998dd1ae67dd5d214c065c3bec82c068c1e7c97c8f6f2d52cd02b7b5d05941bf630ceeff422806b1186c3b984
- SSDEEP: 384:g10z1xhd2lVTgEuNSzLE9GgzFu1EmMJpIokAuJmpJlYeJwa4eNzzxkGtQwRZ6O4b:K8hcVTgEusnJKmr+u0H/bnR4b
Malware Config
Signatures
- Enumerates system info in registry (2 TTPs, 3 IoCs)

  description        ioc                                                                    Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)

  pid   Process
  3980  msedge.exe
  3980  msedge.exe
  1396  msedge.exe
  1396  msedge.exe
  3988  identity_helper.exe
  3988  identity_helper.exe
  1224  msedge.exe
  1224  msedge.exe
  1224  msedge.exe
  1224  msedge.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)

  pid   Process
  1396  msedge.exe
  1396  msedge.exe
  1396  msedge.exe
  1396  msedge.exe
  1396  msedge.exe
  1396  msedge.exe
- Suspicious use of FindShellTrayWindow (25 IoCs)
- Suspicious use of SendNotifyMessage (24 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\ukfaq.htm
  PID: 1396
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbce1d46f8,0x7ffbce1d4708,0x7ffbce1d4718
    PID: 864

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2324,8021362916137863246,5085672145017698912,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2328 /prefetch:2
    PID: 1688

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2324,8021362916137863246,5085672145017698912,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2452 /prefetch:8
    PID: 2516

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2324,8021362916137863246,5085672145017698912,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:3
    PID: 3980
    - Suspicious behavior: EnumeratesProcesses

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2324,8021362916137863246,5085672145017698912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
    PID: 2620

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2324,8021362916137863246,5085672145017698912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
    PID: 4800

  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2324,8021362916137863246,5085672145017698912,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
    PID: 2380

  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2324,8021362916137863246,5085672145017698912,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
    PID: 3988
    - Suspicious behavior: EnumeratesProcesses

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2324,8021362916137863246,5085672145017698912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
    PID: 1680

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2324,8021362916137863246,5085672145017698912,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
    PID: 2252

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2324,8021362916137863246,5085672145017698912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
    PID: 2972

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2324,8021362916137863246,5085672145017698912,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
    PID: 3192

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2324,8021362916137863246,5085672145017698912,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4920 /prefetch:2
    PID: 1224
    - Suspicious behavior: EnumeratesProcesses

- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2772

- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2416
Network
MITRE ATT&CK Enterprise v15
Downloads