e705ce7c714dc3554163aaf48a6db11564c58c104683d8834ef637d30e054ab9

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

libtaglib_plugin.dll.svn-base?id=8328c31dba7c71ee20ee32f1a735d639f9e43928.html
Size

6.5MB
MD5

26c8f3c129bad20d23cb0bbc5b490a54
SHA1

932bc529bc1174e2d7002dd55b95dd1bc71975f7
SHA256

e705ce7c714dc3554163aaf48a6db11564c58c104683d8834ef637d30e054ab9
SHA512

0f4724d685a1686f2d77891202111706ab28ed9d3d03747eb295f0127f33a8a7eb3dc0965ff3cc419dcf9f6af38dfb14f14c83367a92c40b58c12b68a07f6953
SSDEEP

196608:Y8Mr7zGawTt9tAw45+/F3ZqA0AX3Ba8Tmj0vg6nVpfn1PYdpReUH:6

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1668	msedge.exe
1668	msedge.exe
2532	msedge.exe
2532	msedge.exe
3788	identity_helper.exe
3788	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2028	2532	msedge.exe	82
PID 2532 wrote to memory of 2028	2532	msedge.exe	82
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 2548	2532	msedge.exe	86
PID 2532 wrote to memory of 1668	2532	msedge.exe	87
PID 2532 wrote to memory of 1668	2532	msedge.exe	87
PID 2532 wrote to memory of 4640	2532	msedge.exe	88
PID 2532 wrote to memory of 4640	2532	msedge.exe	88
PID 2532 wrote to memory of 4640	2532	msedge.exe	88
PID 2532 wrote to memory of 4640	2532	msedge.exe	88
PID 2532 wrote to memory of 4640	2532	msedge.exe	88
PID 2532 wrote to memory of 4640	2532	msedge.exe	88
PID 2532 wrote to memory of 4640	2532	msedge.exe	88
PID 2532 wrote to memory of 4640	2532	msedge.exe	88
PID 2532 wrote to memory of 4640	2532	msedge.exe	88
PID 2532 wrote to memory of 4640	2532	msedge.exe	88
PID 2532 wrote to memory of 4640	2532	msedge.exe	88
PID 2532 wrote to memory of 4640	2532	msedge.exe	88
PID 2532 wrote to memory of 4640	2532	msedge.exe	88
PID 2532 wrote to memory of 4640	2532	msedge.exe	88
PID 2532 wrote to memory of 4640	2532	msedge.exe	88
PID 2532 wrote to memory of 4640	2532	msedge.exe	88
PID 2532 wrote to memory of 4640	2532	msedge.exe	88
PID 2532 wrote to memory of 4640	2532	msedge.exe	88
PID 2532 wrote to memory of 4640	2532	msedge.exe	88
PID 2532 wrote to memory of 4640	2532	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\libtaglib_plugin.dll.svn-base_id=8328c31dba7c71ee20ee32f1a735d639f9e43928.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbb40346f8,0x7ffbb4034708,0x7ffbb4034718
  2⤵
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,16815713534044102675,16721434521019866881,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
  2⤵
  PID:2548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,16815713534044102675,16721434521019866881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,16815713534044102675,16721434521019866881,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16815713534044102675,16721434521019866881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16815713534044102675,16721434521019866881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16815713534044102675,16721434521019866881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16815713534044102675,16721434521019866881,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
  2⤵
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16815713534044102675,16721434521019866881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16815713534044102675,16721434521019866881,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
  2⤵
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,16815713534044102675,16721434521019866881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:8
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,16815713534044102675,16721434521019866881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3788

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e2ece0fcb9f6256efba522462a9a9288

SHA1
ccc599f64d30e15833b45c7e52924d4bd2f54acb

SHA256
0eff6f3011208a312a1010db0620bb6680fe49d4fa3344930302e950b74ad005

SHA512
ead68dd972cfb1eccc194572279ae3e4ac989546bfb9e8d511c6bc178fc12aaebd20b49860d2b70ac1f5d4236b0df1b484a979b926edbe23f281b8139ff1a9ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
864aa9768ef47143c455b31fd314d660

SHA1
09d879e0e77698f28b435ed0e7d8e166e28fafa2

SHA256
3118d55d1f04ecdd849971d8c49896b5c874bdbea63e5288547b9812c0640e10

SHA512
75dce411fce8166c8905ed8da910adb1dd08ab1c9d7cd5431ef905531f2f0374caf73dedd5d238b457ece61273f6c81e632d23eb8409efbb6bf0d01442008488

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6cdebf77f24d920eeede4b44e43dd732

SHA1
f08bb838ce8770df47ddc52454e3dee2f5e905b4

SHA256
27735987ee43ff44adf8655cb3ed7aabc443d686d6e70c530403b9c560ee8b4a

SHA512
7aa14cfb582f8dc6ef7f47f3759281ce67e26840dac71b04dc561a274308727799039aa47dcb9502cd0668ddc7d858b138a1abc66321b700d6da90f5ab6ce6fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
405a0cd36b22ad9dd16cb7144f285708

SHA1
68cb1be659e7f0e2c1cb70a00c29da610c8cb2e3

SHA256
80c0c1382f74ab3a6135e75c5aec9b395f27fe914e6a159ae381ee7ea7faf981

SHA512
5d108e04aa3e162010ead4db28d1de9a097d1f4ee544e2730f05b4472bf768faa9f5623eba1666b640f5b3222ee369336b4a454938f5db6501d77d27a9949b93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c793df6e1c03206ea836091e7e019b84

SHA1
386cab32d4ce3278a42ffb3a5312f378f626ea67

SHA256
aac3970ff5a840bcdbe8982c50c887376ffd5f819b1aa7cffa1dce05716166a6

SHA512
655e6c2f786fece2e4acae9d8548e774416ca251841396c71a0c8f9d06c8a19d08afb3a82d2b54d88bd508942524dc95c12a745bd6fb39e94d1c83abaa3a727b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2c3ce86d36dccab260a185611e5519b6

SHA1
2a90cdd5a07145db64722dc1db33d902026988f4

SHA256
542a4453bcef1ed3f8c1cfb05f3b1213ff8169ce46437ed28d09138c6b5837a6

SHA512
b88bc73f3839df64a0fce5b9847a6fee4183259bffeaaccfd0487754adcc1019060df36a713569a107b201424a89b2ed2c4afc0a01c499327365a3cf9c8996e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5d2c313813bff916f252af059cce2203

SHA1
80cff54bb1791e2df777be9d7ffd065fcc95a8ab

SHA256
1682366c6558ec48b3b0335f6bf628bbb01afa36ad86033b0f661904b8b82a66

SHA512
8be71d5538836600ea722258da646daa9bf03e39d13e3a98ffe2b770f37454e55ab7466766a8ab3b70ee671b482a57ab8026584f3d047f186de9f18f0bf337c8

Download Submit