4200af4b0b8fe0c6d03de40bf2b4969e8a90b2f0f4b11ef9fda783cc2267da9a

Analysis

max time kernel
147s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

libmpc_plugin.dll.svn-base?id=8328c31dba7c71ee20ee32f1a735d639f9e43928.html
Size

475KB
MD5

2c484ad132ee64fac0bba75c74199570
SHA1

29fe282a09fef275ac639fc792bfa27fb893d568
SHA256

4200af4b0b8fe0c6d03de40bf2b4969e8a90b2f0f4b11ef9fda783cc2267da9a
SHA512

878e4317a48c2625de32d90279bcdc9f1fe8d797a9427a62e2c6f1128020ff5580176c2cf400cff3f5b78e45193b771dbfda0570e5fbcd9ba12a819820442893
SSDEEP

3072:ih/pJ/zAUfkl0YUHGRsGTrk4bCrvyB1Fxy52e9:GcUfkl/UHGRsGTrk1yB1F05/9

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1008	msedge.exe
1008	msedge.exe
4824	msedge.exe
4824	msedge.exe
3960	identity_helper.exe
3960	identity_helper.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 2964	4824	msedge.exe	86
PID 4824 wrote to memory of 2964	4824	msedge.exe	86
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 2352	4824	msedge.exe	87
PID 4824 wrote to memory of 1008	4824	msedge.exe	88
PID 4824 wrote to memory of 1008	4824	msedge.exe	88
PID 4824 wrote to memory of 4832	4824	msedge.exe	89
PID 4824 wrote to memory of 4832	4824	msedge.exe	89
PID 4824 wrote to memory of 4832	4824	msedge.exe	89
PID 4824 wrote to memory of 4832	4824	msedge.exe	89
PID 4824 wrote to memory of 4832	4824	msedge.exe	89
PID 4824 wrote to memory of 4832	4824	msedge.exe	89
PID 4824 wrote to memory of 4832	4824	msedge.exe	89
PID 4824 wrote to memory of 4832	4824	msedge.exe	89
PID 4824 wrote to memory of 4832	4824	msedge.exe	89
PID 4824 wrote to memory of 4832	4824	msedge.exe	89
PID 4824 wrote to memory of 4832	4824	msedge.exe	89
PID 4824 wrote to memory of 4832	4824	msedge.exe	89
PID 4824 wrote to memory of 4832	4824	msedge.exe	89
PID 4824 wrote to memory of 4832	4824	msedge.exe	89
PID 4824 wrote to memory of 4832	4824	msedge.exe	89
PID 4824 wrote to memory of 4832	4824	msedge.exe	89
PID 4824 wrote to memory of 4832	4824	msedge.exe	89
PID 4824 wrote to memory of 4832	4824	msedge.exe	89
PID 4824 wrote to memory of 4832	4824	msedge.exe	89
PID 4824 wrote to memory of 4832	4824	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\libmpc_plugin.dll.svn-base_id=8328c31dba7c71ee20ee32f1a735d639f9e43928.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffedb0046f8,0x7ffedb004708,0x7ffedb004718
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,16442279520384092439,1309045473921797680,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
  2⤵
  PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,16442279520384092439,1309045473921797680,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,16442279520384092439,1309045473921797680,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16442279520384092439,1309045473921797680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16442279520384092439,1309045473921797680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,16442279520384092439,1309045473921797680,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,16442279520384092439,1309045473921797680,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16442279520384092439,1309045473921797680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16442279520384092439,1309045473921797680,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16442279520384092439,1309045473921797680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16442279520384092439,1309045473921797680,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,16442279520384092439,1309045473921797680,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2304 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d94406b964753cc5222ab1343f54bb1

SHA1
a5e7de0781fa1fabb3cd89564f2e5693cb4dee16

SHA256
fd9923a217cd8d2c44a63dbfe52ec262e7c80b1f1e50c6e0f21f8379c90e7762

SHA512
1ad2c144e7bbd809f400f8782586d3768fc82bcef39db986f766897c344efec77ab2c0b6d9c5ee2019ef5cf9ad0c46bdd25392cbc9dbf9ea80e800577f0fc598

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
49dde89f025a1cce8848473379f7c28f

SHA1
b405956b33146b2890530e818b6aa74bba3afb88

SHA256
d6d125ba686b825bb22ab967a346051780cab1f55fc68a2f3efdf3fb5598f96b

SHA512
53050344674d8886db66e25f42d97bf46b26229972631f857286c2a303897cda58d85ee8ca768bbfb1fc07e52567315ea85d57e39b5b382916700ec389946506

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
14ccef256bf122ccea47367360e2befa

SHA1
3ba6e2959b427613d6a47e8e9c069b9bb4545cc5

SHA256
4dc969141e503772b023aeacd1622bd83fe077954f07affe8207dfb7eb7c427c

SHA512
c700edee27c0c270c0fb40287a0a73f88d9b98c7fa24d1d2dfbc62713dce9c819bd7ff69dd493968764ceacbac396f7bdc452d4fe79440144f56f076477e953a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
13b9ab2b344bfb6187fcdbda420f2d80

SHA1
87d26e12e50fae1c113cb917e67a180682a95bf9

SHA256
581c3d3bf31cd0b15896c986c685fb50a6ffbd8b6713968edb8062c16f3edf5b

SHA512
55bb2e680764d648ef78ec5d00ec6ba783aa385ff6642ae326d582227a13596a9a509dd3d96271931ec7d4d3ab0c21726d3cc6c127735c582eae6062239757ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
7c43199d1e5acf5a31e1cbef990fbc47

SHA1
df7bd524b9b3175325c0aff3469ea7f2211d3061

SHA256
52a6fd2a2fff53c738c77a6385e7e1677f8990781699f78c63d5a4b0fe566d22

SHA512
aae886642b40ffb0676534fd85abe43ab588526b8e952b12a1bcafc73cb05103c76aee4fa32cc18c74af6c59aa1dc84bcda09ebccb7d11adc79fee3bfc93e2d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bd973a270e1440f94359daab9138ed6d

SHA1
e57c5660cb27ba843baefdc7ff4a7145ecb9250f

SHA256
ac869b83bb4e8da2c81f78bdfb4edd2efdaee24827267323c1624d9090b30f52

SHA512
7e87ee09a878b107429f440a6eefe77e5374e7bf845a65adfb60c07fb5c908ecb907b6709a34f1b6a9fcb652e47e86dd66fa66d876c0d85d2325845e4f72c82b

Download Submit