bcc8812a2385f7a4db7d7633eb5ce0770e5cc3b5093873fd3e0a7c239f8daa1d

Resubmissions

11/04/2024, 06:06

240411-gt1pxagh4y 7

11/04/2024, 05:53

11/04/2024, 05:51

11/04/2024, 05:48

11/04/2024, 05:44

11/04/2024, 05:39

Analysis

max time kernel
146s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
11/04/2024, 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/app/progress.html
Size

20KB
MD5

91462d1f452add0ccac7455e010e89df
SHA1

55435ad7c270cb137c19ad90503652bc63d3ef0c
SHA256

c3cd601ed7b1ce97e9a45518af8d9011353f9629b034e9d3939ee951c417bbf8
SHA512

0e2c8dfae33141ad9fb782d742b09f6cd12f8f4bca298c9599236d0708fc9fc6b753a672e68d2d25cf1f29f1792a00ead814ffe2d5bb136713812409866cb43a
SSDEEP

192:hadqnDNlPkZHmY74+/qmtRCtmK8W9I2gHHMlxh8B39LJ1Hab4OJgJnc5w/93gAJP:5O3aMOUnbC63UA5ia6w

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1072	msedge.exe
1072	msedge.exe
1972	msedge.exe
1972	msedge.exe
2704	msedge.exe
2704	msedge.exe
244	identity_helper.exe
244	identity_helper.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 388	1972	msedge.exe	77
PID 1972 wrote to memory of 388	1972	msedge.exe	77
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 3832	1972	msedge.exe	78
PID 1972 wrote to memory of 1072	1972	msedge.exe	79
PID 1972 wrote to memory of 1072	1972	msedge.exe	79
PID 1972 wrote to memory of 1992	1972	msedge.exe	80
PID 1972 wrote to memory of 1992	1972	msedge.exe	80
PID 1972 wrote to memory of 1992	1972	msedge.exe	80
PID 1972 wrote to memory of 1992	1972	msedge.exe	80
PID 1972 wrote to memory of 1992	1972	msedge.exe	80
PID 1972 wrote to memory of 1992	1972	msedge.exe	80
PID 1972 wrote to memory of 1992	1972	msedge.exe	80
PID 1972 wrote to memory of 1992	1972	msedge.exe	80
PID 1972 wrote to memory of 1992	1972	msedge.exe	80
PID 1972 wrote to memory of 1992	1972	msedge.exe	80
PID 1972 wrote to memory of 1992	1972	msedge.exe	80
PID 1972 wrote to memory of 1992	1972	msedge.exe	80
PID 1972 wrote to memory of 1992	1972	msedge.exe	80
PID 1972 wrote to memory of 1992	1972	msedge.exe	80
PID 1972 wrote to memory of 1992	1972	msedge.exe	80
PID 1972 wrote to memory of 1992	1972	msedge.exe	80
PID 1972 wrote to memory of 1992	1972	msedge.exe	80
PID 1972 wrote to memory of 1992	1972	msedge.exe	80
PID 1972 wrote to memory of 1992	1972	msedge.exe	80
PID 1972 wrote to memory of 1992	1972	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app\progress.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffabdb3cb8,0x7fffabdb3cc8,0x7fffabdb3cd8
  2⤵
  PID:388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,8533267472382363772,8289396398894994334,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:3832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,8533267472382363772,8289396398894994334,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,8533267472382363772,8289396398894994334,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:8
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,8533267472382363772,8289396398894994334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,8533267472382363772,8289396398894994334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,8533267472382363772,8289396398894994334,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,8533267472382363772,8289396398894994334,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,8533267472382363772,8289396398894994334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,8533267472382363772,8289396398894994334,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3800 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,8533267472382363772,8289396398894994334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,8533267472382363772,8289396398894994334,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
  2⤵
  PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,8533267472382363772,8289396398894994334,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5124 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d459a8c16562fb3f4b1d7cadaca620aa

SHA1
7810bf83e8c362e0c69298e8c16964ed48a90d3a

SHA256
fa31bc49a2f9af06d325871104e36dd69bfe3847cd521059b62461a92912331a

SHA512
35cb00c21908e1332c3439af1ec9867c81befcc4792248ee392080b455b1f5ce2b0c0c2415e344d91537469b5eb72f330b79feb7e8a86eeb6cf41ec5be5dfd2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
656bb397c72d15efa159441f116440a6

SHA1
5b57747d6fdd99160af6d3e580114dbbd351921f

SHA256
770ed0fcd22783f60407cdc55b5998b08e37b3e06efb3d1168ffed8768751fab

SHA512
5923db1d102f99d0b29d60916b183b92e6be12cc55733998d3da36d796d6158c76e385cef320ec0e9afa242a42bfb596f7233b60b548f719f7d41cb8f404e73c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8712b01d-dbb3-4913-9ab9-bf3e061c7154.tmp

Filesize
5KB

MD5
3edf7ecbcca365c28a76d8604331a0e4

SHA1
f30f0a1a6c2cf1e4f51e1af4ab32d5df51a573be

SHA256
096b76c65f4642481ddefbb4d8427f639c8bce884e0d39f770e038edabe2979c

SHA512
4ca00562a843af7c404dea158b6f656ea8d18ecd259e7fd6e451bed37d62d9b767ac0464059444abd72f989a8cc0aece115166f4dc7446b4c99c0cbc7567719d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b23348cb4ceef3e2011e8b24ecf24506

SHA1
380cd2ae1a75ada1aff81f2e4110b3e9c4d5aa72

SHA256
6d05aea506ca1b7ef7bc9e76557a39c1d726591bf45eb91d671bcb10fc80d607

SHA512
14c494df0e4b2e2cd309198f61941db9d181355cddaccbf158150baed1e59d43a2e0a201e4e64095bf5160cc18958f27dd47a184ccfec4915ee902d593e0ea48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bfafd03e7d68b9265df50c89c4f51b04

SHA1
8a7d0e963bc94c4d11e13efaf28e17586795106d

SHA256
2a723b7086e5cee65616943eb14c5b1ac371292cead6aff64b037bfd7a3d38bb

SHA512
b418d64822a5d577da93f922978efcc47935091bc53a70a19a4956189a210c9ffef405226fc12bb6172cf33b30f456dcea4e5465aa831267494e8dd3495229bf

Download Submit