hxxp://google[.]com

Resubmissions

17/04/2024, 09:41

240417-ln55nacg6w 8

17/04/2024, 09:41

17/04/2024, 07:37

16/04/2024, 14:11

16/04/2024, 14:07

17/04/2024, 07:43

Analysis

max time kernel
1681s
max time network
1690s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
16/04/2024, 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://google.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2672	msedge.exe
2672	msedge.exe
4996	msedge.exe
4996	msedge.exe
4736	msedge.exe
4736	msedge.exe
2492	identity_helper.exe
2492	identity_helper.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 1292	4996	msedge.exe	80
PID 4996 wrote to memory of 1292	4996	msedge.exe	80
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 1444	4996	msedge.exe	82
PID 4996 wrote to memory of 2672	4996	msedge.exe	83
PID 4996 wrote to memory of 2672	4996	msedge.exe	83
PID 4996 wrote to memory of 1928	4996	msedge.exe	84
PID 4996 wrote to memory of 1928	4996	msedge.exe	84
PID 4996 wrote to memory of 1928	4996	msedge.exe	84
PID 4996 wrote to memory of 1928	4996	msedge.exe	84
PID 4996 wrote to memory of 1928	4996	msedge.exe	84
PID 4996 wrote to memory of 1928	4996	msedge.exe	84
PID 4996 wrote to memory of 1928	4996	msedge.exe	84
PID 4996 wrote to memory of 1928	4996	msedge.exe	84
PID 4996 wrote to memory of 1928	4996	msedge.exe	84
PID 4996 wrote to memory of 1928	4996	msedge.exe	84
PID 4996 wrote to memory of 1928	4996	msedge.exe	84
PID 4996 wrote to memory of 1928	4996	msedge.exe	84
PID 4996 wrote to memory of 1928	4996	msedge.exe	84
PID 4996 wrote to memory of 1928	4996	msedge.exe	84
PID 4996 wrote to memory of 1928	4996	msedge.exe	84
PID 4996 wrote to memory of 1928	4996	msedge.exe	84
PID 4996 wrote to memory of 1928	4996	msedge.exe	84
PID 4996 wrote to memory of 1928	4996	msedge.exe	84
PID 4996 wrote to memory of 1928	4996	msedge.exe	84
PID 4996 wrote to memory of 1928	4996	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffeef5f3cb8,0x7ffeef5f3cc8,0x7ffeef5f3cd8
  2⤵
  PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,7638105079226442355,9355797739890338921,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,7638105079226442355,9355797739890338921,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,7638105079226442355,9355797739890338921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
  2⤵
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7638105079226442355,9355797739890338921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:3836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7638105079226442355,9355797739890338921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7638105079226442355,9355797739890338921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7638105079226442355,9355797739890338921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7638105079226442355,9355797739890338921,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7638105079226442355,9355797739890338921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4456 /prefetch:1
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7638105079226442355,9355797739890338921,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,7638105079226442355,9355797739890338921,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,7638105079226442355,9355797739890338921,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5784 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,7638105079226442355,9355797739890338921,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4936 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3364

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
43379e1fd46bbf81afb4fa093257a7b9

SHA1
a1aa383ab51d42dadb4d670b2f8cf3cd942b6172

SHA256
ff0fb0aba84da291dd911ea4776d4e1d61d300b655644196f8c53923c39506f5

SHA512
5db08aa2770fd4ed60407be5014cd602327ec66860e7c034b635c4c7a84bc8a5cae698ea807fabee1b05f36eb5759ad65958e54a8dc01a79bf908957dbbfcea8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b3cd5e4894701b66c8551a435ee29ec2

SHA1
ac29ae9a2fc83b817e559ff6391d671122d34af4

SHA256
96f9e5444a3e9c3149465940f2254ba89befa89504edc3af41023a8e7a8c2640

SHA512
d3979c1b7d6d4d06b575e7adb7c6843224e826263272b1c3fbcad0ee8a2f3fba257ed12bc6ed60740fe815ea2fa1373749e8b63049a92d1a173340f81d9f9fee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
4b5cca2ce8c7f29a95e405459940870b

SHA1
09d4d03a2f0a0a50fd3bb13415ed78295a5887de

SHA256
87edca73d132d2b16c5d885b23ea5465a0264aa41cb8f796174d50a2bea4c75b

SHA512
c55da7159af28ec1a582dde95e441586ff4f30833419a9b14df3b0fcedcb850f1abb7016a912c46f14898532b5f8e76bde2529597928b483b77797b61515e097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
429a0e34df1a4f9b5cc572bf164b3773

SHA1
be189af9d8c09b3606bfe8ca46944b6e9cc34bf7

SHA256
7f5fb38f33af95675fd17dbb1eda6846b9aac57819d27dd5c3a9a8e374868f3a

SHA512
633ab51bfb69565b7509136dc0f6a225d2aa76fcd49d949a7a10a2cfe3fb17f33657340b912aaa6e8c109a743687204338a47bc9d88343b80d50d8ea555aa490

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
285d8344ab0cf80f685d08a1af7b7e22

SHA1
e8422e728480475a8c18c2003645f823b7accd24

SHA256
10c8b21ad6991d6d5d2adbabfdd335e54996ce028b7e57595b916b9844a9c88f

SHA512
e319c10229a6bf7337e13a3e6eb18ababedee8709fe8bfb6086dd8d385c87a3a070591c24ec1887e7eb3d012e252e8c001c07193645e2a65a319c35586f07f32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a82d85b028004ad67b741d038f1721a2

SHA1
83b2d2d81f456129d4b567d5ddc96aa1a3247070

SHA256
95952a35411cbee53112e01cf03c843f0b61006ccbed8063ee798113084b0490

SHA512
072034b1bd4e031b2a03352c6e06b71ebce69e10cdf7ad3d792458663a8ce4e5bf6d70f7b830ef64cc1a6b8fe7c37a885e244f7cda81dea2d290aa95bdcdb0b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d3dcf51357b2e6d130b26cf14a70d33b

SHA1
ab05e1130d83592bd93a2e924158214ad7c2f65f

SHA256
f019b9d2880bcb41ee372342b4cae0fdd313cb4d05c3f5de81eef8226efe7b89

SHA512
d421e2f4157c6d58ac0ca9da6bdc0422fee93bf1ea535227ed259da4e1c8a95986bfbcb0ab8a8c881d1fba68748e06e6bdae86f339878a5ed6d94b97d09a80c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
db8b8134eb47ff15f54d20caf0e6bf07

SHA1
522180d91ade60a77a7d63eee88fe570c25034ca

SHA256
d3212b2c0c5411afcc3353d00302b41e9d405a47d7a050825270275f371767ca

SHA512
0911a01029c834dbbd9ab35eade6e269178503e8e92dbabbf24a2f96a2c2e81d746011017a1b0a8abd7d08018a000c31e15f9b39a2fb50bce324fe70b9ce32da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7802d8f42c3f17014239ce936692918a

SHA1
e8aad04dbac70734d9b76fc9c218f156b5520e3a

SHA256
3ad970895b0f3afeea55773afb0353135b183f66daa39ec9856060db8665d09b

SHA512
e3ed145063765b5abdb6e6862f686d3817960b9942e538fd94258e72606cbcd5548cb1086f70c95df6ce048ccd44ca6948c2087f1ea11e8a73471a03c9feb8ff

Download Submit