ed3a4d2c00348ee99205c7d2f1c69405b0ab046ce10566c7d74ba0e190b75ed6

Analysis

max time kernel
150s
max time network
154s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
13/03/2024, 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UserBenchmarkInstaller.exe
Size

509KB
MD5

6123f0433fd8fa2f07d22fc2a6e7f82e
SHA1

c7d39c3b092f9e4baa81e69023a468a7f8694c02
SHA256

ed3a4d2c00348ee99205c7d2f1c69405b0ab046ce10566c7d74ba0e190b75ed6
SHA512

abefd2be86c40578eaad0f2bb1ff0174e901d7c8d13f3553325cceb19961ae7ab1906e84eb59f3b58e946af913545f555deae7db0cbd2c18cbe14734d1bd0b48
SSDEEP

6144:Sa9CzHZ74rMvRKtwws2w/VgRSkZ9sI0mVQ9KnruyFAvFv3ohG9+LSsOaWt:Sa9CzHZ75vo+eWgqbmidv3o9SwWt

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2844	UserBenchmarkSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1444	msedge.exe
1444	msedge.exe
2580	msedge.exe
2580	msedge.exe
3300	msedge.exe
3300	msedge.exe
2228	identity_helper.exe
2228	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2776	UserBenchmarkInstaller.exe
2776	UserBenchmarkInstaller.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2844	2776	UserBenchmarkInstaller.exe	82
PID 2776 wrote to memory of 2844	2776	UserBenchmarkInstaller.exe	82
PID 2776 wrote to memory of 2844	2776	UserBenchmarkInstaller.exe	82
PID 1444 wrote to memory of 4908	1444	msedge.exe	86
PID 1444 wrote to memory of 4908	1444	msedge.exe	86
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2352	1444	msedge.exe	87
PID 1444 wrote to memory of 2580	1444	msedge.exe	88
PID 1444 wrote to memory of 2580	1444	msedge.exe	88
PID 1444 wrote to memory of 2572	1444	msedge.exe	89
PID 1444 wrote to memory of 2572	1444	msedge.exe	89
PID 1444 wrote to memory of 2572	1444	msedge.exe	89
PID 1444 wrote to memory of 2572	1444	msedge.exe	89
PID 1444 wrote to memory of 2572	1444	msedge.exe	89
PID 1444 wrote to memory of 2572	1444	msedge.exe	89
PID 1444 wrote to memory of 2572	1444	msedge.exe	89
PID 1444 wrote to memory of 2572	1444	msedge.exe	89
PID 1444 wrote to memory of 2572	1444	msedge.exe	89
PID 1444 wrote to memory of 2572	1444	msedge.exe	89
PID 1444 wrote to memory of 2572	1444	msedge.exe	89
PID 1444 wrote to memory of 2572	1444	msedge.exe	89
PID 1444 wrote to memory of 2572	1444	msedge.exe	89
PID 1444 wrote to memory of 2572	1444	msedge.exe	89
PID 1444 wrote to memory of 2572	1444	msedge.exe	89
PID 1444 wrote to memory of 2572	1444	msedge.exe	89
PID 1444 wrote to memory of 2572	1444	msedge.exe	89

C:\Users\Admin\AppData\Local\Temp\UserBenchmarkInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\UserBenchmarkInstaller.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Users\Admin\AppData\Local\Temp\UserBenchmarkSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\UserBenchmarkSetup.exe"
  2⤵
  - Executes dropped EXE
  PID:2844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9bf893cb8,0x7ff9bf893cc8,0x7ff9bf893cd8
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,8147256825584028151,12717858261548782432,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1880 /prefetch:2
  2⤵
  PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,8147256825584028151,12717858261548782432,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,8147256825584028151,12717858261548782432,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2492 /prefetch:8
  2⤵
  PID:2572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8147256825584028151,12717858261548782432,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8147256825584028151,12717858261548782432,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:2680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8147256825584028151,12717858261548782432,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1876 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8147256825584028151,12717858261548782432,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,8147256825584028151,12717858261548782432,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4844 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8147256825584028151,12717858261548782432,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8147256825584028151,12717858261548782432,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,8147256825584028151,12717858261548782432,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5704 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8147256825584028151,12717858261548782432,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:2388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
577e1c0c1d7ab0053d280fcc67377478

SHA1
60032085bb950466bba9185ba965e228ec8915e5

SHA256
1d2022a0870c1a97ae10e8df444b8ba182536ed838a749ad1e972c0ded85e158

SHA512
39d3fd2d96aee014068f3fda389a40e3173c6ce5b200724c433c48ddffe864edfc6207bb0612b8a811ce41746b7771b81bce1b9cb71a28f07a251a607ce51ef5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d4604cbec2768d84c36d8ab35dfed413

SHA1
a5b3db6d2a1fa5a8de9999966172239a9b1340c2

SHA256
4ea5e5f1ba02111bc2bc9320ae9a1ca7294d6b3afedc128717b4c6c9df70bde2

SHA512
c8004e23dc8a51948a2a582a8ce6ebe1d2546e4c1c60e40c6583f5de1e29c0df20650d5cb36e5d2db3fa6b29b958acc3afd307c66f48c168e68cbb6bcfc52855

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cb3da691c3752fa97b7319b386f5626a

SHA1
a85db0c8f537862a84a6fcd62d84a20c8e6c7a12

SHA256
05869f422455434f727f29405a70e5cd803f8e8abf841385853376bf669edccb

SHA512
10780e0d8a66cce6f6f079ed0650dccbc3e83aa89daff0e5f27d5f7153b4d9f7e4bdbbc3eab7157f6693c1af435291a2574793e435874aeae946098f8b6fe687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3743e22deb586276b72e8c63af6acf42

SHA1
9e26a9f9dc3a2df59b7ec166d5b1f41f875d6452

SHA256
2c271329b85fd9c8778e2f98b40fc3a08d9a48d7c4330312affbfa4fbe3114c5

SHA512
4b8f2b17fe5293ebc0f4934c90f12378d040675ff0bbb35954faf1875dbcd41088630852aff944419da7ec0057861f41df19344be387ed7ea632674ae3375b31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c73f6c9ae1f62f46dfe9baf13938fe47

SHA1
23ca17ec8ea686da52c3f48c2af6aeaae528e072

SHA256
8c3d13da31e0064d9a155e86e3fa4c768f21c5970b32eb6f58362b79fcdc7212

SHA512
f6aa8d20393f97cc0fa54f550d0a24b0c0248677ff7b8de737b5432eeb28cfe8dfdb5a7709de872e3cae808434915e99cd86db6a900af8293cef7904f06cfa44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f32ab462f5a8a4bd793f87c66367b9a8

SHA1
fa07a3e10992252b9d509d4c533c5f8d4d134ed9

SHA256
59ddaf407b4d6fec5c33eafb966b5d0e998b1757236c3269fd4a59c03b875ab5

SHA512
757d928fb37cdaf97dfc0b9f40ec3f91abbdd94d43c513deec724cc582c1f548545c0163afe180dc1010e8046015c0512a8a3186117babe4864f0f61bb45a2b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\UserBenchmarkSetup.exe

Filesize
2.1MB

MD5
9203a7f907b83edfb78a3662a3057abe

SHA1
c572b5347f1be62fc813ba4e86759ba2b9e287ce

SHA256
1a542852c9d781bf24b18bd63a22e3f386ed21c37030e4012137c9db220b6b67

SHA512
7d2ab0ff5ee99c24e9f33e5ce7fd34c734b8dd50244aa30d15e1eec743a15d3c963af72334abaaf38ea70563e5881dff9da9e3ecd68043a37928ce3f5d2ec99b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UserBenchmarkSetup.exe

Filesize
256KB

MD5
0220dbf619493fb64616e89745f6631a

SHA1
d2b02e51c670e4c3934f457148a7883e74154262

SHA256
6d509bd71de7f2d3eb5e139c4ccd8a6c35587b291d779e5b39b5d17e56c938fc

SHA512
64178f8bddadfdd672d22dea62678fc5296ca99cbc2b80c96f8ebdc91ab443f33810e9ef6670c2290f37aa7f86fb33214d57e42deb4dc18cc1be1ca409843e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\UserBenchmarkSetup.exe

Filesize
8.9MB

MD5
ad4ade2b97a4a1a0d0dba7b334af6582

SHA1
1e2a817c84dc60c3d4b6e4bea42aea4492d3420e

SHA256
9e2665ef9c48cd9decfa02856a6181c7022ab239876eecfa52e9159be0b21bc3

SHA512
c2c81233414b842624c67448ba2bb1e11803355fdc2bfc44194196f946d01d9e828a77416be1d75385f583cf0b33210c74b3d518bbc3040026f894c52965d096

Download Submit