cdf2bd6cb6dd8e7cb1a9fda508d2c840a22cdb8c26bd296c3a3c3765ce202880

Analysis

max time kernel
147s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

libmpc_plugin.dll.svn-base?id=e3b43bd36fd50840467669364014ee53553872c1.html
Size

475KB
MD5

001d53534ada203cd149ad94d2894257
SHA1

1e8daba3a4411fbf0db03217dd6e50b5d932d156
SHA256

cdf2bd6cb6dd8e7cb1a9fda508d2c840a22cdb8c26bd296c3a3c3765ce202880
SHA512

148fec7e3374061bd0625ec2652505eaf8a7b6094c79b811bf5122541914c7dabc3c643b47adf1bb4b3bdc83249802005779414d6b95b79ae522720b88443a0c
SSDEEP

3072:ih/ADY5/zAUfkl0YUHGRsGTrk4bCrvyB1Fxy52e9:ecUfkl/UHGRsGTrk1yB1F05/9

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
5028	msedge.exe
5028	msedge.exe
1456	msedge.exe
1456	msedge.exe
2204	identity_helper.exe
2204	identity_helper.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 1968	1456	msedge.exe	81
PID 1456 wrote to memory of 1968	1456	msedge.exe	81
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 2992	1456	msedge.exe	84
PID 1456 wrote to memory of 5028	1456	msedge.exe	85
PID 1456 wrote to memory of 5028	1456	msedge.exe	85
PID 1456 wrote to memory of 1472	1456	msedge.exe	86
PID 1456 wrote to memory of 1472	1456	msedge.exe	86
PID 1456 wrote to memory of 1472	1456	msedge.exe	86
PID 1456 wrote to memory of 1472	1456	msedge.exe	86
PID 1456 wrote to memory of 1472	1456	msedge.exe	86
PID 1456 wrote to memory of 1472	1456	msedge.exe	86
PID 1456 wrote to memory of 1472	1456	msedge.exe	86
PID 1456 wrote to memory of 1472	1456	msedge.exe	86
PID 1456 wrote to memory of 1472	1456	msedge.exe	86
PID 1456 wrote to memory of 1472	1456	msedge.exe	86
PID 1456 wrote to memory of 1472	1456	msedge.exe	86
PID 1456 wrote to memory of 1472	1456	msedge.exe	86
PID 1456 wrote to memory of 1472	1456	msedge.exe	86
PID 1456 wrote to memory of 1472	1456	msedge.exe	86
PID 1456 wrote to memory of 1472	1456	msedge.exe	86
PID 1456 wrote to memory of 1472	1456	msedge.exe	86
PID 1456 wrote to memory of 1472	1456	msedge.exe	86
PID 1456 wrote to memory of 1472	1456	msedge.exe	86
PID 1456 wrote to memory of 1472	1456	msedge.exe	86
PID 1456 wrote to memory of 1472	1456	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\libmpc_plugin.dll.svn-base_id=e3b43bd36fd50840467669364014ee53553872c1.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc837046f8,0x7ffc83704708,0x7ffc83704718
  2⤵
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,15303798883716811344,897651303173831692,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,15303798883716811344,897651303173831692,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,15303798883716811344,897651303173831692,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15303798883716811344,897651303173831692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15303798883716811344,897651303173831692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,15303798883716811344,897651303173831692,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,15303798883716811344,897651303173831692,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15303798883716811344,897651303173831692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15303798883716811344,897651303173831692,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:1244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15303798883716811344,897651303173831692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15303798883716811344,897651303173831692,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,15303798883716811344,897651303173831692,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4800 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3148

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8c91c8582b0c918416d14bd7eedd686e

SHA1
b2ff8149bc21144fdcec64111afda492965c6621

SHA256
1e839706b748c04adf8efa2790564ca1efd707fdf6451e71af6862e07123717e

SHA512
a93be868d9f08097bff39069378a0bfa0f5c78e74e9e8df820be9b0426cbfe84e03e9638b329b6142279ed140a120c4c4c21857f410fc4789a370445c3919dcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2579d07b98bbefadc929d80fb3dbd32a

SHA1
1ceb57c4b81f0f23500e118a4b9a225116a467de

SHA256
b8443c289ad36568a2bf794ac9ec1f259a9dd930c36680dafc8d0cb4de81feb6

SHA512
53522ad5e8e2a272d5b1bff9b9226b7d976d47413891c60d7efebd4365baff12b6891e3f79b20e14892ec7c654ad2d437941014290c428c6b1bd78a7b3e557de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
14a7d04d38ffdcae3199fdf08d0dcb9b

SHA1
bf02feee8bd8ec506b9058cc5e2d27919962eb34

SHA256
ce8bcac3e90e929d7c5b40680d9bd08666263add6c9d299510d2eddff3e2327b

SHA512
1be0b871eefab4f1504bee20fc7fc539ac984d5a2e9a8167b5228a6dd6576215b5792e68138ee361bc48ee1c81b3bbaaa944824f48b7dfee979bba8732268b38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3c86777e06d7b7636b69d0ebc8f2f13a

SHA1
cddfb4ee75006d393793a7ac4f51aa1844a79caa

SHA256
bf38bc222ab10b5a2496d926bad8254922f14d711a9f6b7c7793bacf2ad51477

SHA512
0321b7ff257d313485ad99f398c49f573038cb1c3ca9493a31f678bf471de232745482eca928e6d1efda6fb223c7843a10f09dd618b23d505eb1de9d72414e80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
20da7250afe0bff0dc8aa37afc7eb745

SHA1
7884a57fb7548e9862c7fbece357bc8c14d513c1

SHA256
f4fd08320fba2dfa89835ba58e9fe85d43c1229a2ef571dcc9c8347bef831aef

SHA512
ebdf8431e9bf22b8608edf659b6e2dfcf299397342b52a310b9b1a0a80a2b6c3f669429f90b2df1844fa87460e4790a95f4784bc8c351bfaa0b539676fe3c9e4

Download Submit