2b5578c87a15ef6eb56c60b59a72c6a20651572ceaaa78e7c14ccca5b575946a

Resubmissions

10-03-2024 23:24

240310-3dvdvaea44 1

10-03-2024 23:19

240310-3a9dlaeb91 1

Analysis

max time kernel
158s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-03-2024 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EMP.dll
Size

1.9MB
MD5

071b2fd20a6439f5fa61b2252b30e0ba
SHA1

d958fc3bbafe4b37cbecffdbac038b14c595718f
SHA256

2b5578c87a15ef6eb56c60b59a72c6a20651572ceaaa78e7c14ccca5b575946a
SHA512

eb29ecc0c05e217cb307f9ad7376af989e42de74e45faaeab21f875d3d42b32611b62e43c9b9dd1fd1079cf9f54cf948efd0249bbe8341740f1018aa8781705a
SSDEEP

24576:xggMy49PwJKbSleGLyC4ti91d00vEo//KWnsYE1PmLkV6:vHJ0SjL6oN0vg/5QPxw

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5484	msedge.exe
5484	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 5220	2084	msedge.exe	118
PID 2084 wrote to memory of 5220	2084	msedge.exe	118
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5476	2084	msedge.exe	119
PID 2084 wrote to memory of 5484	2084	msedge.exe	120
PID 2084 wrote to memory of 5484	2084	msedge.exe	120
PID 2084 wrote to memory of 5496	2084	msedge.exe	121
PID 2084 wrote to memory of 5496	2084	msedge.exe	121
PID 2084 wrote to memory of 5496	2084	msedge.exe	121
PID 2084 wrote to memory of 5496	2084	msedge.exe	121
PID 2084 wrote to memory of 5496	2084	msedge.exe	121
PID 2084 wrote to memory of 5496	2084	msedge.exe	121
PID 2084 wrote to memory of 5496	2084	msedge.exe	121
PID 2084 wrote to memory of 5496	2084	msedge.exe	121
PID 2084 wrote to memory of 5496	2084	msedge.exe	121
PID 2084 wrote to memory of 5496	2084	msedge.exe	121
PID 2084 wrote to memory of 5496	2084	msedge.exe	121
PID 2084 wrote to memory of 5496	2084	msedge.exe	121
PID 2084 wrote to memory of 5496	2084	msedge.exe	121
PID 2084 wrote to memory of 5496	2084	msedge.exe	121
PID 2084 wrote to memory of 5496	2084	msedge.exe	121
PID 2084 wrote to memory of 5496	2084	msedge.exe	121
PID 2084 wrote to memory of 5496	2084	msedge.exe	121
PID 2084 wrote to memory of 5496	2084	msedge.exe	121
PID 2084 wrote to memory of 5496	2084	msedge.exe	121
PID 2084 wrote to memory of 5496	2084	msedge.exe	121

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\EMP.dll,#1
1⤵
PID:1264

C:\Windows\system32\UserAccountControlSettings.exe
"C:\Windows\system32\UserAccountControlSettings.exe"
1⤵
PID:2644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultc326cb4dhe07ah4f6ch8059h878bf84ce4a0
1⤵
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff9995446f8,0x7ff999544708,0x7ff999544718
  2⤵
  PID:5220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,3921775740086670190,550689402895058414,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
  2⤵
  PID:5476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,3921775740086670190,550689402895058414,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,3921775740086670190,550689402895058414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
  2⤵
  PID:5496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5772

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1e3dc6a82a2cb341f7c9feeaf53f466f

SHA1
915decb72e1f86e14114f14ac9bfd9ba198fdfce

SHA256
a56135007f4dadf6606bc237cb75ff5ff77326ba093dff30d6881ce9a04a114c

SHA512
0a5223e8cecce77613b1c02535c79b3795e5ad89fc0a934e9795e488712e02b527413109ad1f94bbd4eb35dd07b86dd6e9f4b57d4d7c8a0a57ec3f7f76c7890a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
571b0cf03a73843542f0dd37ef5b3c14

SHA1
49bf2a274fa48849d5f31a286814dc7bb8510130

SHA256
d5ae3a9df113a79d3b85aa50f8e0c7f7865631eb70775ace5c6e249d34abf67c

SHA512
bdb68779e5d3231985442058afbc45ad00221ccbe87e87651a12a7cf4e3fd20796aa902e669b998f10db979b0c996423c45c51eb7d4bebb994223ba2def372a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
deea51ce553cb69e0c2ba9dcc8a6fbe5

SHA1
38cc41d23a9b19079ce6098a390fc12570cf2c36

SHA256
a1d6a1da3395dce196e5dcc19805cd05a5ce978bf4f79294bca3e38e8ac352b2

SHA512
bd7ea76345d74ce9188ec561538000da3b37368be41ec52d6abab08149c5b08edd44b35d43cb584bb3980d29db71c25b8d5fcb0fc000b271448a77692fece831

Download Submit
memory/1264-0-0x0000000013000000-0x00000000131F7000-memory.dmp

Filesize
2.0MB

Download
memory/1264-1-0x0000000013000000-0x00000000131F7000-memory.dmp

Filesize
2.0MB

Download