hxxp://google[.]com

Resubmissions

17/04/2024, 09:41

240417-ln55nacg6w 8

17/04/2024, 09:41

17/04/2024, 07:37

16/04/2024, 14:11

16/04/2024, 14:07

17/04/2024, 07:43

Analysis

max time kernel
1680s
max time network
1684s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
17/04/2024, 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://google.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4100	msedge.exe
4100	msedge.exe
3668	msedge.exe
3668	msedge.exe
944	identity_helper.exe
944	identity_helper.exe
2200	msedge.exe
2200	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe
592	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3668 wrote to memory of 436	3668	msedge.exe	79
PID 3668 wrote to memory of 436	3668	msedge.exe	79
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4372	3668	msedge.exe	80
PID 3668 wrote to memory of 4100	3668	msedge.exe	81
PID 3668 wrote to memory of 4100	3668	msedge.exe	81
PID 3668 wrote to memory of 1972	3668	msedge.exe	82
PID 3668 wrote to memory of 1972	3668	msedge.exe	82
PID 3668 wrote to memory of 1972	3668	msedge.exe	82
PID 3668 wrote to memory of 1972	3668	msedge.exe	82
PID 3668 wrote to memory of 1972	3668	msedge.exe	82
PID 3668 wrote to memory of 1972	3668	msedge.exe	82
PID 3668 wrote to memory of 1972	3668	msedge.exe	82
PID 3668 wrote to memory of 1972	3668	msedge.exe	82
PID 3668 wrote to memory of 1972	3668	msedge.exe	82
PID 3668 wrote to memory of 1972	3668	msedge.exe	82
PID 3668 wrote to memory of 1972	3668	msedge.exe	82
PID 3668 wrote to memory of 1972	3668	msedge.exe	82
PID 3668 wrote to memory of 1972	3668	msedge.exe	82
PID 3668 wrote to memory of 1972	3668	msedge.exe	82
PID 3668 wrote to memory of 1972	3668	msedge.exe	82
PID 3668 wrote to memory of 1972	3668	msedge.exe	82
PID 3668 wrote to memory of 1972	3668	msedge.exe	82
PID 3668 wrote to memory of 1972	3668	msedge.exe	82
PID 3668 wrote to memory of 1972	3668	msedge.exe	82
PID 3668 wrote to memory of 1972	3668	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcbcb03cb8,0x7ffcbcb03cc8,0x7ffcbcb03cd8
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,1304280759767291559,7771218470398215677,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,1304280759767291559,7771218470398215677,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,1304280759767291559,7771218470398215677,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,1304280759767291559,7771218470398215677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,1304280759767291559,7771218470398215677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,1304280759767291559,7771218470398215677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,1304280759767291559,7771218470398215677,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,1304280759767291559,7771218470398215677,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3976 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,1304280759767291559,7771218470398215677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
  2⤵
  PID:2624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,1304280759767291559,7771218470398215677,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
  2⤵
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,1304280759767291559,7771218470398215677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,1304280759767291559,7771218470398215677,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,1304280759767291559,7771218470398215677,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1244 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4324

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ae7fbf62fc07f0bdb15169d2de3dc768

SHA1
9155eb973df31a7d6fb95f03058dd523171b4f0f

SHA256
ecfebc84b01ed9071cc68bc2abc4eae4f891e1dea41a16ea6010f7acfd6cc624

SHA512
1539bd6c522e56685399616d9811435ff0197c9471404361c53370a261feb180a38aaec9aacd38ff52c94b2cac2e4da19a3de50a9b6541f6f3fd0497bf15bcae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a5e869975d65ad786022d6fc8b47b747

SHA1
14b030f53bc86bdbec766b2f3942804ca742043a

SHA256
d5f8f63c67fd06a2ae7da80cbe8cc96bab5932087eb70432df9147ba818d758f

SHA512
fd8d2b8ce13f4aca312f4856096edba99310a78a5f4c4148046a06e873a3d2514fd2dd9b4515fc89e83306d251929f2ef9c78863f85a3e017a3029dec63d98dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
f51339f2c583846006ec96223f990076

SHA1
e7211794ebc4633a99b7e41d5ba33f340e88b4fc

SHA256
885e36be284ab0bd52875490b97aa8687eb31d2e0379e55eef507a459b21d8c6

SHA512
156000a88919351020805ada631bf99fc1c0bd24da83d3385656e1c679fd6ba9448b29f4f7924a6840b5075e550757c388e50cc44541b714fe9d3c02bc9cf420

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
cd98e29cb021b198cb1420ee14df48f3

SHA1
bde2b84ea617dffe9ea16e60142967b189c4cf5a

SHA256
741b650b31576c23c00423cc1af01aa5b4393becbaae9880fedd6f3f44d029a3

SHA512
6b06c30b67d5be1c9a6ba2a91f5f028564520d9ca57d0caebe18e1901c0e86fd37e5283e6332de6316e00e8d53d5bc535b8624a318467cd9c2ad56ca654d7bea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
fa67b4d9093796ebd21174690cbe0f3d

SHA1
32ad52222484039e39b0e0c6aaec651415167532

SHA256
f5619e8ff5afebd7b486acb8dc9f735480667cc2b836fffbd8a06738f30069ad

SHA512
e954be37ce108de71b9ab0047cc637322d10573b64b5994d4903b041f463788fed6a8fb25ff3b77c0f9a181c77e7a17f0850f0d916f03cfa1144c53a755064c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9661fdd9487ee2e4935989c079d08865

SHA1
645a6e011decd49c2241bea42927357b512b7990

SHA256
bfe8bffb3f907de672966c7e1e6e34eaa9948b31faa9d28f4c36bc84bee561a6

SHA512
0fce9595a3cfbabf2fc0133cf05738aa4d03f1ad37b4da864d99c97316f00226ddae346d8b989fdf6e06d6251b52378da8429b6c67f7b167f920465bdee8ca13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f1cb55655ac817c23e7735ae7e7579b7

SHA1
09a340061bf570aab7d9325f285402d02a7d82be

SHA256
1842326a2f4322ca6e2839faaf776f8dfc7b2a245dde09531576d6e3ca29ff95

SHA512
d9be31363f8a9f4102aeb76dc24813f5d8f5a7422b4fc0c93e4a205a90a806e43f8ca635eb6b0a4d1c9468d4b806c011720f972286f6e9ec901006d099945c5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
cee70a063b2a3cb95950fc0cad3f299b

SHA1
2a426b1564ffb332ade181175d3709a295fa2367

SHA256
02e98983c5022b47b16aad017dfa4bd3fcbdd18390bb9dd3db76e5244c68d38c

SHA512
697efa916a97d6954b138cd4e895e5acd3903d6df78ef1a637ebe884373920fe83811a2f27809a4a7748d41351965921013919b649a4f714e553a07a5625c1e1

Download Submit