ef4e0e2593eaccc73632054c0244e858e1dc0bc1149cde36d74bf41fb03fddb4

Analysis

max time kernel
145s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06-04-2024 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

www/backend/public/injects/html/banks/air.app.scb.breeze.android.main.my.prod.html
Size

43KB
MD5

9819046a9f984e16124741ed8c7dbb57
SHA1

e6f9b439ed9fc21ce4e6d23f5cddc9e5917fca5f
SHA256

3b3f1adcabd446f5161b913a70ddb311e3b02bf4db74a14b7cccc947a16123ce
SHA512

f5673ce7380bdd00ef07ee2000817adc44b9fca748a87f0f9415504ec73ae721da2c8ba9513724bd90843e9451950824b03243e188870463f5a69e93f20ed239
SSDEEP

768:u8g7MahDbOOD+WCn21UNqx7GACn21UNqx7G2:aAa5bPQ2eNq82eNqF

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2872	msedge.exe
2872	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4772	identity_helper.exe
4772	identity_helper.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 2740	4720	msedge.exe	87
PID 4720 wrote to memory of 2740	4720	msedge.exe	87
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 1860	4720	msedge.exe	88
PID 4720 wrote to memory of 2872	4720	msedge.exe	89
PID 4720 wrote to memory of 2872	4720	msedge.exe	89
PID 4720 wrote to memory of 4860	4720	msedge.exe	90
PID 4720 wrote to memory of 4860	4720	msedge.exe	90
PID 4720 wrote to memory of 4860	4720	msedge.exe	90
PID 4720 wrote to memory of 4860	4720	msedge.exe	90
PID 4720 wrote to memory of 4860	4720	msedge.exe	90
PID 4720 wrote to memory of 4860	4720	msedge.exe	90
PID 4720 wrote to memory of 4860	4720	msedge.exe	90
PID 4720 wrote to memory of 4860	4720	msedge.exe	90
PID 4720 wrote to memory of 4860	4720	msedge.exe	90
PID 4720 wrote to memory of 4860	4720	msedge.exe	90
PID 4720 wrote to memory of 4860	4720	msedge.exe	90
PID 4720 wrote to memory of 4860	4720	msedge.exe	90
PID 4720 wrote to memory of 4860	4720	msedge.exe	90
PID 4720 wrote to memory of 4860	4720	msedge.exe	90
PID 4720 wrote to memory of 4860	4720	msedge.exe	90
PID 4720 wrote to memory of 4860	4720	msedge.exe	90
PID 4720 wrote to memory of 4860	4720	msedge.exe	90
PID 4720 wrote to memory of 4860	4720	msedge.exe	90
PID 4720 wrote to memory of 4860	4720	msedge.exe	90
PID 4720 wrote to memory of 4860	4720	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\www\backend\public\injects\html\banks\air.app.scb.breeze.android.main.my.prod.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd383646f8,0x7ffd38364708,0x7ffd38364718
  2⤵
  PID:2740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,2611229770331238525,16681052977777597349,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,2611229770331238525,16681052977777597349,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2528 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,2611229770331238525,16681052977777597349,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2972 /prefetch:8
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2611229770331238525,16681052977777597349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2611229770331238525,16681052977777597349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,2611229770331238525,16681052977777597349,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  PID:1412
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,2611229770331238525,16681052977777597349,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2611229770331238525,16681052977777597349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2611229770331238525,16681052977777597349,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2611229770331238525,16681052977777597349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2611229770331238525,16681052977777597349,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,2611229770331238525,16681052977777597349,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4852 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
47b2c6613360b818825d076d14c051f7

SHA1
7df7304568313a06540f490bf3305cb89bc03e5c

SHA256
47a22bea2e7d0154c59bf5d8790ec68274eb05e9fa6cf0eab0d648121f1a02ac

SHA512
08d2366fc1ce87dbe96b9bf997e4c59c9206fcfea47c1f17b01e79aeb0580f25cac5c7349bb453a50775b2743053446653f4129f835f81f4a8547ca392557aac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e0811105475d528ab174dfdb69f935f3

SHA1
dd9689f0f70a07b4e6fb29607e42d2d5faf1f516

SHA256
c91388c87878a9e2c530c6096dbdd993b0a26fefe8ad797e0133547225032d6c

SHA512
8374a721ea3ff3a1ea70d8a074e5c193dbba27ba7e301f19cea89d648b2378c376e48310c33fe81078cd40b1863daec935e8ac22e8e3878dc3a5bb529d028852

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0183b401-357f-46a0-a66d-97619bdb8173.tmp

Filesize
6KB

MD5
c5e9517b690846f3ca4509fe07b6f4e9

SHA1
fb11ff329a285d587ea73ed5a7576e9b833a3791

SHA256
9a84f9ccc053fb81e9e64049b201167fcbe9fea57869c8abf25c144a6126ec89

SHA512
17ffcaa43cef7998215b8da340233e34ec79aef786147f2370f1fac0661177c2117ac7f51a357d35c863cf1f79bb0e8f045cc492111bc6e6f45161983b23ed60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
467B

MD5
23b0a98ebfa558386581c11f8a6b54be

SHA1
b5b721578ebc96d0a5038f52d2f256db6b48e364

SHA256
cda8a369668766a9e6aaa3d25e0d7c23bfb44ca13ea39af8c5884fde7ec94014

SHA512
e01f3f253eaa4c25ef8b30286e2530330ece2ecf3ade65a08d8f04867e6d8d48da10a1571a8ffb51e91d79b3a899cb44aa68a83dd8ef87f3072f19c0abf04333

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
12b78c5cb1057a41c51510e582d8ae4d

SHA1
1a3f31931495396805d6fd7997067b5a20f87a08

SHA256
e10bbe1bbd4873613b2cbeadb8b9d4d33e924f9f62d8d756140ce162c01a58e9

SHA512
ed50ba74c74b6df50a5d23916015b8fa1af1d0836a55b2a383382538bc42a4295df96e079c29e1e345b5846790c07fb349b14c5b6d287702506a0255b19db9f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7cf68cb6250d7ca3c1d7978407513e79

SHA1
09d6007a657555b06ba387fa4abd565204890b12

SHA256
ea790e6cb5d97a230fe1ca653eda69c6a262be839a173c242d016f2b6316b8cf

SHA512
4cebbf82384b7fd99a10a5350ba41a60a95a7eeba6345bcf523d2ccbae89672d6b60793db41abd4a5df3fa9731afb8485d432589e9cd35654980d219497e3fe8

Download Submit