e836e6b37afa4eccf8b2216f4c97f8140c6dd1ea7effec8262e8f8bf4fdf603b

Analysis

max time kernel
145s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

libquicktime_plugin.dll?id=8328c31dba7c71ee20ee32f1a735d639f9e43928.html
Size

206KB
MD5

3fa5b37f8dcd1f9878f702108e2e6bc1
SHA1

c9bce2a29a36d8db694bb2caeec1972a8bd5af51
SHA256

e836e6b37afa4eccf8b2216f4c97f8140c6dd1ea7effec8262e8f8bf4fdf603b
SHA512

dd693673922713c5b6305b7229f5eb93ac6fca88402ca32cb2aa49dd18228590c6e53a2df3e9a639e3268129720e3d069e313213a0da0dba11079ab9e5285d13
SSDEEP

1536:8h/NPtbkQh6Pmym31GYQU0SAF2VMrxjcvJI/6xH5vJkVjE8B:8h/Ni+r8Rz/hcxw6vviVx

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1592	msedge.exe
1592	msedge.exe
2768	msedge.exe
2768	msedge.exe
4468	identity_helper.exe
4468	identity_helper.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 1624	2768	msedge.exe	85
PID 2768 wrote to memory of 1624	2768	msedge.exe	85
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 4952	2768	msedge.exe	86
PID 2768 wrote to memory of 1592	2768	msedge.exe	87
PID 2768 wrote to memory of 1592	2768	msedge.exe	87
PID 2768 wrote to memory of 2568	2768	msedge.exe	88
PID 2768 wrote to memory of 2568	2768	msedge.exe	88
PID 2768 wrote to memory of 2568	2768	msedge.exe	88
PID 2768 wrote to memory of 2568	2768	msedge.exe	88
PID 2768 wrote to memory of 2568	2768	msedge.exe	88
PID 2768 wrote to memory of 2568	2768	msedge.exe	88
PID 2768 wrote to memory of 2568	2768	msedge.exe	88
PID 2768 wrote to memory of 2568	2768	msedge.exe	88
PID 2768 wrote to memory of 2568	2768	msedge.exe	88
PID 2768 wrote to memory of 2568	2768	msedge.exe	88
PID 2768 wrote to memory of 2568	2768	msedge.exe	88
PID 2768 wrote to memory of 2568	2768	msedge.exe	88
PID 2768 wrote to memory of 2568	2768	msedge.exe	88
PID 2768 wrote to memory of 2568	2768	msedge.exe	88
PID 2768 wrote to memory of 2568	2768	msedge.exe	88
PID 2768 wrote to memory of 2568	2768	msedge.exe	88
PID 2768 wrote to memory of 2568	2768	msedge.exe	88
PID 2768 wrote to memory of 2568	2768	msedge.exe	88
PID 2768 wrote to memory of 2568	2768	msedge.exe	88
PID 2768 wrote to memory of 2568	2768	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\libquicktime_plugin.dll_id=8328c31dba7c71ee20ee32f1a735d639f9e43928.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcf8d346f8,0x7ffcf8d34708,0x7ffcf8d34718
  2⤵
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,17961843023350813951,6800368657567914353,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,17961843023350813951,6800368657567914353,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,17961843023350813951,6800368657567914353,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2584 /prefetch:8
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17961843023350813951,6800368657567914353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17961843023350813951,6800368657567914353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:1752
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,17961843023350813951,6800368657567914353,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4112 /prefetch:8
  2⤵
  PID:1008
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,17961843023350813951,6800368657567914353,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4112 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17961843023350813951,6800368657567914353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17961843023350813951,6800368657567914353,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17961843023350813951,6800368657567914353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17961843023350813951,6800368657567914353,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,17961843023350813951,6800368657567914353,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3096 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5e2f0fe48e7ee1aad1c24db5c01c354a

SHA1
5bfeb862e107dd290d87385dc9369bd7a1006b36

SHA256
f13b3ebe8d71bd0086d5bb82364c35f59a95d32b39753af251e8639360e291a9

SHA512
140d026437fd5e8a874cd00b03950c8f010e1a0732a0a1cc5bdde477e7f8315ccb95790bb4c15b8dbaab9468ad532eb885b6c429300a64e39412d976d079324e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7e0880992c640aca08737893588a0010

SHA1
6ceec5cb125a52751de8aeda4bab7112f68ae0fe

SHA256
8649a39877c190ec740a5422284ec5f9ff509b30b2d7896635476873dd8824e2

SHA512
52bd0a38ca7f43b26731966035045b1cbd8b60b2d81bdf9aad791cf444da8af8b722ebf3cb364a6e660bebdf23084eb0e30bc23562575b704801669817549f8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6f9f461d2957e57949d31c2b02c2f3ff

SHA1
e38c828dd9f230bbb5558aa6075544b3e66e3758

SHA256
b30bde2cd171dba4d9deb57032843803c403b8549a77f708b170174ef7aa71b4

SHA512
186600683912c613387a716d3aec8bd60de6db39c82ccd66e1e8abd3511cafee8860388169f331f9036381a8d7d0fbce023422cd383f272b27293cfb6877dad4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1bc155cfd9236014b471de90b3d529f8

SHA1
fbbe0d8f70b6cf271ccd30f34a09e4346e68f3a3

SHA256
fbb020dc01a469c6aad6ce8b1817cfcb3f60f6e0ab4d7bcd08fa5b69bf3149b8

SHA512
d1c5b34593986caf25d502fb2e9f2013d5aae3c9336af20c90378265d849fd1bdcfbde6243f19a440d08d1b69738fd55492bbe32aedbbe0ae8130e571d113272

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e8fb64ff4a1f092183e06b092c4a24d6

SHA1
d6f3bb6e0de776fcd7e2198ef09f72edc10a0938

SHA256
d8b32cba1e266bdc40aae7e60376ebd5850b59e7cb693a34d72226c323481db7

SHA512
cafe35125b63276d9ee6793faa2e48ace97a93e847e2f2a44cc6fedfa549bd03412c80e43fe16a90615e405017b1428b523ab2750388209e5e065b7c4b98680c

Download Submit