b2758aecc19fd55a13c86e9893c5184278c0394dcfaa1639d052d80e08ab5ceb

Analysis

max time kernel
1683s
max time network
1699s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 20:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

LICENSES.chromium.html
Size

5.2MB
MD5

df37c89638c65db9a4518b88e79350be
SHA1

6b9ba9fba54fb3aa1b938de218f549078924ac50
SHA256

dbd18fe7c6e72eeb81680fabef9b6c0262d1d2d1aa679b3b221d9d9ced509463
SHA512

93dd6df08fc0bfaf3e6a690943c090aefe66c5e9995392bebd510c5b6260533b1522dc529b8328dfe862192e1357e9e98d1cdd95117c08c76be3ab565c6eea67
SSDEEP

12288:/7etnqnVnMnBnunQ9RBvjYJEi400/Q599b769B9UOE6MwMGucMEbHDuX0YnpWQZb:sPM95FCWStQj6ERs/mfMl6H0skDpS

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3548	msedge.exe
3548	msedge.exe
4584	msedge.exe
4584	msedge.exe
3812	identity_helper.exe
3812	identity_helper.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 2536	4584	msedge.exe	84
PID 4584 wrote to memory of 2536	4584	msedge.exe	84
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3948	4584	msedge.exe	86
PID 4584 wrote to memory of 3548	4584	msedge.exe	87
PID 4584 wrote to memory of 3548	4584	msedge.exe	87
PID 4584 wrote to memory of 3352	4584	msedge.exe	88
PID 4584 wrote to memory of 3352	4584	msedge.exe	88
PID 4584 wrote to memory of 3352	4584	msedge.exe	88
PID 4584 wrote to memory of 3352	4584	msedge.exe	88
PID 4584 wrote to memory of 3352	4584	msedge.exe	88
PID 4584 wrote to memory of 3352	4584	msedge.exe	88
PID 4584 wrote to memory of 3352	4584	msedge.exe	88
PID 4584 wrote to memory of 3352	4584	msedge.exe	88
PID 4584 wrote to memory of 3352	4584	msedge.exe	88
PID 4584 wrote to memory of 3352	4584	msedge.exe	88
PID 4584 wrote to memory of 3352	4584	msedge.exe	88
PID 4584 wrote to memory of 3352	4584	msedge.exe	88
PID 4584 wrote to memory of 3352	4584	msedge.exe	88
PID 4584 wrote to memory of 3352	4584	msedge.exe	88
PID 4584 wrote to memory of 3352	4584	msedge.exe	88
PID 4584 wrote to memory of 3352	4584	msedge.exe	88
PID 4584 wrote to memory of 3352	4584	msedge.exe	88
PID 4584 wrote to memory of 3352	4584	msedge.exe	88
PID 4584 wrote to memory of 3352	4584	msedge.exe	88
PID 4584 wrote to memory of 3352	4584	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffb09946f8,0x7fffb0994708,0x7fffb0994718
  2⤵
  PID:2536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,16308871091131878278,778230420614927720,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,16308871091131878278,778230420614927720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,16308871091131878278,778230420614927720,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
  2⤵
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16308871091131878278,778230420614927720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16308871091131878278,778230420614927720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,16308871091131878278,778230420614927720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,16308871091131878278,778230420614927720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16308871091131878278,778230420614927720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16308871091131878278,778230420614927720,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16308871091131878278,778230420614927720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16308871091131878278,778230420614927720,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,16308871091131878278,778230420614927720,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5392 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7c6136bc98a5aedca2ea3004e9fbe67d

SHA1
74318d997f4c9c351eef86d040bc9b085ce1ad4f

SHA256
50c3bd40caf7e9a82496a710f58804aa3536b44d57e2ee5e2af028cbebc6c2f2

SHA512
2d2fb839321c56e4cb80562e9a1daa4baf48924d635729dc5504a26462796919906f0097dd1fc7fd053394c0eea13c25219dec54ffe6e9abb6e8cb9afa66bada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5c6aef82e50d05ffc0cf52a6c6d69c91

SHA1
c203efe5b45b0630fee7bd364fe7d63b769e2351

SHA256
d9068cf3d04d62a9fb1cdd4c3cf7c263920159171d1b84cb49eff7cf4ed5bc32

SHA512
77ad48936e8c3ee107a121e0b2d1216723407f76872e85c36413237ca1c47b8c40038b8a6349b072bbcc6a29e27ddda77cf686fa97569f4d86531e6b2ac485ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
18c5314abb18b3741e3ebf58ed2f11e6

SHA1
b5e88966faac0848e4a84626c553c11b7f17d86e

SHA256
353637d73cae37fec231ff03e115f8fdb4e63c18a6b2e16a1d764d6b77624421

SHA512
0977dc8da61933a4bcd5da73e28f806e58a085aebbcf48f1ea3a27115369ee092c2c68188237299ecaf1845a40d9a932c2d20ec8091e57341068a7968f6d3adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f3755794-4f52-493a-9eb2-2485bacad456.tmp

Filesize
6KB

MD5
258e5a4ecaf0129f820eebd47085d7fd

SHA1
ce67c75175c49cd109dbc5c4d0bee64ba65aeed0

SHA256
bf69c52feafd98fc4d604f8b8d53052f783c782e2e889b13ec9d6abdc3fa286d

SHA512
6f8d8c52f441bfc82948b58b74642de4e9d4a72087aca3360fd9191c217b6c2d0b3d418b17f00ca581830c5c8b842b14e826d30404d1c3f15e8337e60ffed61f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
56c068571bad8e8c40e832b19e7feb0f

SHA1
479981758a58a6b5f28985bb21e763b6ab4dc111

SHA256
935931b94abb31523b6c2d7152316f7582430ac49b61f68170a034dec7b8e30f

SHA512
af2774436fd5ffc58839fe6925afc65144f83f32cc0c72f0510002f1e82fe900e5a134f4e248cc11b99b8252a905200f28ddcc174bc9ac2e275ff7117a96fb8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c4d9250d724b1b95c27dca880f0cf879

SHA1
4823c81bf839ca8c78a4a412b9cd4a9651f95d8a

SHA256
c7bf5405fdcbfcfe444881b65462f2c2a248f3fd4c6513f8803a2ab9de25ed29

SHA512
9b2e411ea089eb794c64d9390943149a2265159f29d52adc71e536417f965379a62940b16c95b491ce47f1b843a61ee6c075d15bf4abb79084695ff64ea42c71

Download Submit