Analysis
max time kernel: 150s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-04-2024 10:56
Static task: static1

Behavioral task: behavioral1
Sample: libtaglib_plugin.dll.svn-base?id=8328c31dba7c71ee20ee32f1a735d639f9e43928.html
Resource: win7-20240215-en

Behavioral task: behavioral2
Sample: libtaglib_plugin.dll.svn-base?id=8328c31dba7c71ee20ee32f1a735d639f9e43928.html
Resource: win10v2004-20240412-en
General
Target: libtaglib_plugin.dll.svn-base?id=8328c31dba7c71ee20ee32f1a735d639f9e43928.html
Size: 6.5MB
MD5: 26c8f3c129bad20d23cb0bbc5b490a54
SHA1: 932bc529bc1174e2d7002dd55b95dd1bc71975f7
SHA256: e705ce7c714dc3554163aaf48a6db11564c58c104683d8834ef637d30e054ab9
SHA512: 0f4724d685a1686f2d77891202111706ab28ed9d3d03747eb295f0127f33a8a7eb3dc0965ff3cc419dcf9f6af38dfb14f14c83367a92c40b58c12b68a07f6953
SSDEEP: 196608:Y8Mr7zGawTt9tAw45+/F3ZqA0AX3Ba8Tmj0vg6nVpfn1PYdpReUH:6
Malware Config
Signatures
-
Enumerates system info in registry 2 TTPs 3 IoCs
description        ioc                                                                    Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid   Process
1668  msedge.exe
1668  msedge.exe
2532  msedge.exe
2532  msedge.exe
3788  identity_helper.exe
3788  identity_helper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid   Process
2532  msedge.exe
2532  msedge.exe
2532  msedge.exe
2532  msedge.exe
2532  msedge.exe
2532  msedge.exe
Suspicious use of FindShellTrayWindow 25 IoCs
Suspicious use of SendNotifyMessage 24 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Process tree (indented entries are children of the entry above them; the command line is shown under each image path):

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2532)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\libtaglib_plugin.dll.svn-base_id=8328c31dba7c71ee20ee32f1a735d639f9e43928.html
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2028)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbb40346f8,0x7ffbb4034708,0x7ffbb4034718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2548)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,16815713534044102675,16721434521019866881,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1668)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,16815713534044102675,16721434521019866881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4640)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,16815713534044102675,16721434521019866881,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4440)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16815713534044102675,16721434521019866881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3848)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16815713534044102675,16721434521019866881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1592)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16815713534044102675,16721434521019866881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3252)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16815713534044102675,16721434521019866881,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4636)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16815713534044102675,16721434521019866881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1428)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16815713534044102675,16721434521019866881,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3372)
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,16815713534044102675,16721434521019866881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3788)
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,16815713534044102675,16721434521019866881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe (PID 3212)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (PID 652)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads