c4ecb765855246f24454e3e85cfbb61975e89c2c27680afb3cbb20dae9759a62

Analysis

max time kernel
167s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

libvorbis_plugin.dll.svn-base?id=3053a167982e379b031fe9fbe2a1d57c23026a90.html
Size

7KB
MD5

30e7d4559490c2d8157ea140ec3c0eb5
SHA1

74382f069d3382557d4a8433c7d0ccbe336700dd
SHA256

c4ecb765855246f24454e3e85cfbb61975e89c2c27680afb3cbb20dae9759a62
SHA512

847e74aa2c147238a4add66c7b55969a136a69c5e952900de55989aadd7020237c902f521abcfc3d4f4d5ab9024206c79112c273383355fa268fdd78a7914e8c
SSDEEP

192:ZapvTPMcMHyx1lpvYpv/Opv/dIpv/1pvCXpv0mXHP5BxSmpv/opvST/lo3flpvvr:ZCPMcMHyx1KQdufmXHP5BxSIhT/2KUrN

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4128	msedge.exe
4128	msedge.exe
1556	msedge.exe
1556	msedge.exe
4480	identity_helper.exe
4480	identity_helper.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 4632	1556	msedge.exe	79
PID 1556 wrote to memory of 4632	1556	msedge.exe	79
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 2360	1556	msedge.exe	81
PID 1556 wrote to memory of 4128	1556	msedge.exe	83
PID 1556 wrote to memory of 4128	1556	msedge.exe	83
PID 1556 wrote to memory of 1832	1556	msedge.exe	84
PID 1556 wrote to memory of 1832	1556	msedge.exe	84
PID 1556 wrote to memory of 1832	1556	msedge.exe	84
PID 1556 wrote to memory of 1832	1556	msedge.exe	84
PID 1556 wrote to memory of 1832	1556	msedge.exe	84
PID 1556 wrote to memory of 1832	1556	msedge.exe	84
PID 1556 wrote to memory of 1832	1556	msedge.exe	84
PID 1556 wrote to memory of 1832	1556	msedge.exe	84
PID 1556 wrote to memory of 1832	1556	msedge.exe	84
PID 1556 wrote to memory of 1832	1556	msedge.exe	84
PID 1556 wrote to memory of 1832	1556	msedge.exe	84
PID 1556 wrote to memory of 1832	1556	msedge.exe	84
PID 1556 wrote to memory of 1832	1556	msedge.exe	84
PID 1556 wrote to memory of 1832	1556	msedge.exe	84
PID 1556 wrote to memory of 1832	1556	msedge.exe	84
PID 1556 wrote to memory of 1832	1556	msedge.exe	84
PID 1556 wrote to memory of 1832	1556	msedge.exe	84
PID 1556 wrote to memory of 1832	1556	msedge.exe	84
PID 1556 wrote to memory of 1832	1556	msedge.exe	84
PID 1556 wrote to memory of 1832	1556	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\libvorbis_plugin.dll.svn-base_id=3053a167982e379b031fe9fbe2a1d57c23026a90.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa34a746f8,0x7ffa34a74708,0x7ffa34a74718
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,10853407533081692394,17361556832799257262,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,10853407533081692394,17361556832799257262,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2776 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,10853407533081692394,17361556832799257262,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
  2⤵
  PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10853407533081692394,17361556832799257262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
  2⤵
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10853407533081692394,17361556832799257262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2520 /prefetch:1
  2⤵
  PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10853407533081692394,17361556832799257262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10853407533081692394,17361556832799257262,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10853407533081692394,17361556832799257262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10853407533081692394,17361556832799257262,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,10853407533081692394,17361556832799257262,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5964 /prefetch:8
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,10853407533081692394,17361556832799257262,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5964 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,10853407533081692394,17361556832799257262,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4137cdac56dfb2abaffcdf9d6763faca

SHA1
712b17c5dbf1ee79303667bcb6abe244a338f998

SHA256
b6316f5945612dc73d5af794086f860730d88210424031c046471dd341b318ee

SHA512
83cff2c0b89d24c5529e060f89925ee285ce7f20d039a0db624a63f368193f24bedfacdeb0e3ba9a5e0fdf826b56815c394b0136466822362a68e33a63f6c15f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
87764a12f732824d60ea907572f441df

SHA1
0c1381fd6903f19e31c5d1080a9221f4c973f30e

SHA256
3d8b66fdaf729ec716e15eb856c8b442f4719e9a0a04d833fd27f767bb17b8fd

SHA512
ea4c9466b4295219962aac62182730e6c0875ea8da2e679083fc2cd771ab8c945fad46025a122b3269d02e6d13fcafb0fa976a3ffc8ed30c5d736be264a15e2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
328d35d038162e6c11838ebc255d82c0

SHA1
12406b304e92b1c901b5b25dfcf9566a9d4e71e3

SHA256
cce84d4649ba4b6669d933154505049c50adf1b3d0bae1f082158bddf513e04f

SHA512
709e61d33654ea8192793edf3c68832a60cccd2556d13ee860ce92092f7d8a01e1fdd0befb332c21e00eaf953744edd7b1744d28215c7090a47265ba650977fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
72f485ea108645a55dcfd58baecb3c3c

SHA1
b1259de426bcb232b242f1f21419e48a2e30a494

SHA256
fa74668715736df6d964992feb2a6a47cd58d948942032d914c909ba9dfa9322

SHA512
dc3c54c63c436f37b8f532d7b9c4a6214eaf7179403e5df7e71b72a9c64684bbff5d5efd29c38a913c33b4b653bda54c863a0cb84fe25205862f1385fe99ee84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
3623b335cc798268e5797287a8b532fc

SHA1
559cc8c5cd086abd2735e8e23c3c064df755ed7d

SHA256
46555c030b2be5bd797cf6cd6c32798c4e832fe1b8cff22a1eac40fc9839dc1d

SHA512
effdfe961238b293d639337779980242a1c3515f089e68a0ab76f77bbbbfd0f18d3b87f21c9e0e24a344f605bb764b3ff64d7cfbc15fe80f8daba4197cb01fac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fc805eb196d61a69e52cb9214712c7a9

SHA1
4dfc7039e29ee2ec36ae234ba710efabed3254fa

SHA256
e094cdff8dfa3e4adbf3b5a30ecbabb63cf5a0ec4d4ba9694f9dca07eef06db3

SHA512
faff1a1fed392b2597513dabe50613bfc16b247f0bf74a4f55ebccc626a9a713de55e2fb82165c0ac8ecb58621571120fb58f9ef4f7947fe95e7a95b279b7243

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
15de4aa8801455a5769c11e83c54f422

SHA1
0f6c5aa1ef0a63a95329a622e9e104521bc86372

SHA256
51773677043758f9c3c27dc4c4228da3abc164ed933f36226d82e2c67feb1b6e

SHA512
ab899647fb07b914d68300c54030c92dc2cd3cd98de4b4937087085248447188e6a9f57d758c5918e01f5414e520922cf4cece7ef2a1f3e6257a459ecb82ec34

Download Submit