0ecb58eff1dd7994f3af2aa57dafb3f86cc802c7cd152b9f19cdfe7e5aea9cc9

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 12:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$SMPROGRAMS/ȫַ!.lnk
Size

362B
MD5

9656c04d91ae3066cc07235e06fa0b32
SHA1

b2fcbbaaee9cdfe744909a5b6b20f88fd26ae118
SHA256

b5ed69a6cd004197ebef1742aa3c27d5d7d78cdb15b3129957ec89fe65666f0a
SHA512

93a28b9d2f0b99bc56001837183f69f7ceebe372b44ed1640c5fe35ba6b3c5616aea04326e865ae206868f0c12e04b42c1b183b19d90f0d6d65fb841340dcf63

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4476	msedge.exe
4476	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4132 wrote to memory of 3936	4132	cmd.exe	90
PID 4132 wrote to memory of 3936	4132	cmd.exe	90
PID 3936 wrote to memory of 4444	3936	msedge.exe	92
PID 3936 wrote to memory of 4444	3936	msedge.exe	92
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 2860	3936	msedge.exe	93
PID 3936 wrote to memory of 4476	3936	msedge.exe	94
PID 3936 wrote to memory of 4476	3936	msedge.exe	94
PID 3936 wrote to memory of 5088	3936	msedge.exe	95
PID 3936 wrote to memory of 5088	3936	msedge.exe	95
PID 3936 wrote to memory of 5088	3936	msedge.exe	95
PID 3936 wrote to memory of 5088	3936	msedge.exe	95
PID 3936 wrote to memory of 5088	3936	msedge.exe	95
PID 3936 wrote to memory of 5088	3936	msedge.exe	95
PID 3936 wrote to memory of 5088	3936	msedge.exe	95
PID 3936 wrote to memory of 5088	3936	msedge.exe	95
PID 3936 wrote to memory of 5088	3936	msedge.exe	95
PID 3936 wrote to memory of 5088	3936	msedge.exe	95
PID 3936 wrote to memory of 5088	3936	msedge.exe	95
PID 3936 wrote to memory of 5088	3936	msedge.exe	95
PID 3936 wrote to memory of 5088	3936	msedge.exe	95
PID 3936 wrote to memory of 5088	3936	msedge.exe	95
PID 3936 wrote to memory of 5088	3936	msedge.exe	95
PID 3936 wrote to memory of 5088	3936	msedge.exe	95
PID 3936 wrote to memory of 5088	3936	msedge.exe	95
PID 3936 wrote to memory of 5088	3936	msedge.exe	95

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$SMPROGRAMS\ȫַ!.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.1122i.com/?ie
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6ba946f8,0x7ffa6ba94708,0x7ffa6ba94718
    3⤵
    PID:4444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,8796150270626486885,2710704265041448402,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
    3⤵
    PID:2860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,8796150270626486885,2710704265041448402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,8796150270626486885,2710704265041448402,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
    3⤵
    PID:5088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,8796150270626486885,2710704265041448402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
    3⤵
    PID:624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,8796150270626486885,2710704265041448402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
    3⤵
    PID:4644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,8796150270626486885,2710704265041448402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
    3⤵
    PID:1856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,8796150270626486885,2710704265041448402,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2484 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1364

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cbec32729772aa6c576e97df4fef48f5

SHA1
6ec173d5313f27ba1e46ad66c7bbe7c0a9767dba

SHA256
d34331aa91a21e127bbe68f55c4c1898c429d9d43545c3253d317ffb105aa24e

SHA512
425b3638fed70da3bc16bba8b9878de528aca98669203f39473b931f487a614d3f66073b8c3d9bc2211e152b4bbdeceb2777001467954eec491f862912f3c7a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
279e783b0129b64a8529800a88fbf1ee

SHA1
204c62ec8cef8467e5729cad52adae293178744f

SHA256
3619c3b82a8cbdce37bfd88b66d4fdfcd728a1112b05eb26998bea527d187932

SHA512
32730d9124dd28c196bd4abcfd6a283a04553f3f6b050c057264bc883783d30d6602781137762e66e1f90847724d0e994bddf6e729de11a809f263f139023d3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
db922f6eb16b114cbf7a9bd1bd569c28

SHA1
205b9f648845cde5bbeb46af3aa6be27a5bf839d

SHA256
c87b4b6576742ca7d80f9abf0d5131b1985651e0c08dc208c8674b95357aad9f

SHA512
233ca41bfdaed74c72ca656101692089bddc8f45288fa2231ddb25e832dc62fc107ee82b1cf676490ff1e62d112e54d59e43d8f78ca5451c423561b547748e4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
702B

MD5
13ae0e7fd32ce5474549ab897041e372

SHA1
bae35640d456945cd58ce33918a9901e3948ee45

SHA256
e28b788a2a52994abcb40171bc8a2a192c4702fab4c75538dd7e4b0e866d60c7

SHA512
43035b22221b44375b8f97f419204b92bad637bf1276f462f238aea538c9f8025c851580a84ab8a5c87419ecb8cd44e11b1c2b77630ae5ac4451bd708e38f75e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8c49dcbd1d10579bd7a09862797eabad

SHA1
73f8834fb652f4be4f06ca55cfc671af744d5969

SHA256
49184b2ca9e93816344e8330b355b8a764171025123e9b615b6fbe61d1caccd1

SHA512
916b4211f069000d320a05acf3c29a94733eadc32fe0d76569ce504b1ecc4fdc97900be7a5a09513364864c11a26f62165a64792a77592dade47ca1c871f6795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
50f7c3cc3ef651dcc99892a3696b5d23

SHA1
ba425518ee557ebb5a7243c228e806a6c5b054b2

SHA256
263d3cf65285680debd7ded7cc33bf4a363d23d369b653b9e753c9e686037d8d

SHA512
1d84f251f6e74b62d1b221bef974a61cb4ae82fff097f58592b7c5136726b2a4da7eed6126c2cbfaa5639933aface78061298931f35f3bf08ccec61e0b4e211f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
18902025d80b9f620874b84f259ea2ee

SHA1
af7dbe25f8666bfe1f240d1cefe1ba63b146e783

SHA256
11c510fd523216e087e4c0b44f6a386aa80eee6781490ebb4ab081571afe4eb6

SHA512
b481d9f01f95e379688ed766fb74ef72430be95fa0e2863f36aecefde2e5b1e95f77aa608efc8cf981d947fe1166b5ee35b1a6c32c0ac44be455834d64de1fc4

Download Submit