1149f43712f7f69a894312f990f752d28883a22c8dc5e065654f6dcd9c7dd416

Analysis

max time kernel
157s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

libyuy2_i422_plugin.dll?id=8328c31dba7c71ee20ee32f1a735d639f9e43928.html
Size

6KB
MD5

9aad527097ce07841ad193ecc6112483
SHA1

dc1cde157596b95188830b0079a951ba797dd0c5
SHA256

1149f43712f7f69a894312f990f752d28883a22c8dc5e065654f6dcd9c7dd416
SHA512

0ee2b206848ce2834e369db4f74533060841634158226bffe2496e403a7025aa39e89e4df3821661e5831f9d4dbf83eae5fc69e910f97f44211c3f84c962cba3
SSDEEP

192:ZiiPMcMHyZJMDwNTFX5YGB/lo3afiKgsiDUQE8uI:ZtPMcMHy6AX9/SE8uI

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
856	msedge.exe
856	msedge.exe
5008	msedge.exe
5008	msedge.exe
1792	identity_helper.exe
1792	identity_helper.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 4188	5008	msedge.exe	83
PID 5008 wrote to memory of 4188	5008	msedge.exe	83
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 4716	5008	msedge.exe	84
PID 5008 wrote to memory of 856	5008	msedge.exe	85
PID 5008 wrote to memory of 856	5008	msedge.exe	85
PID 5008 wrote to memory of 3280	5008	msedge.exe	86
PID 5008 wrote to memory of 3280	5008	msedge.exe	86
PID 5008 wrote to memory of 3280	5008	msedge.exe	86
PID 5008 wrote to memory of 3280	5008	msedge.exe	86
PID 5008 wrote to memory of 3280	5008	msedge.exe	86
PID 5008 wrote to memory of 3280	5008	msedge.exe	86
PID 5008 wrote to memory of 3280	5008	msedge.exe	86
PID 5008 wrote to memory of 3280	5008	msedge.exe	86
PID 5008 wrote to memory of 3280	5008	msedge.exe	86
PID 5008 wrote to memory of 3280	5008	msedge.exe	86
PID 5008 wrote to memory of 3280	5008	msedge.exe	86
PID 5008 wrote to memory of 3280	5008	msedge.exe	86
PID 5008 wrote to memory of 3280	5008	msedge.exe	86
PID 5008 wrote to memory of 3280	5008	msedge.exe	86
PID 5008 wrote to memory of 3280	5008	msedge.exe	86
PID 5008 wrote to memory of 3280	5008	msedge.exe	86
PID 5008 wrote to memory of 3280	5008	msedge.exe	86
PID 5008 wrote to memory of 3280	5008	msedge.exe	86
PID 5008 wrote to memory of 3280	5008	msedge.exe	86
PID 5008 wrote to memory of 3280	5008	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\libyuy2_i422_plugin.dll_id=8328c31dba7c71ee20ee32f1a735d639f9e43928.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ff9305c46f8,0x7ff9305c4708,0x7ff9305c4718
  2⤵
  PID:4188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,10469521000072746986,9438844918350475755,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
  2⤵
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,10469521000072746986,9438844918350475755,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,10469521000072746986,9438844918350475755,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10469521000072746986,9438844918350475755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10469521000072746986,9438844918350475755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:3768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10469521000072746986,9438844918350475755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:2528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10469521000072746986,9438844918350475755,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,10469521000072746986,9438844918350475755,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,10469521000072746986,9438844918350475755,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10469521000072746986,9438844918350475755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10469521000072746986,9438844918350475755,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,10469521000072746986,9438844918350475755,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
864aa9768ef47143c455b31fd314d660

SHA1
09d879e0e77698f28b435ed0e7d8e166e28fafa2

SHA256
3118d55d1f04ecdd849971d8c49896b5c874bdbea63e5288547b9812c0640e10

SHA512
75dce411fce8166c8905ed8da910adb1dd08ab1c9d7cd5431ef905531f2f0374caf73dedd5d238b457ece61273f6c81e632d23eb8409efbb6bf0d01442008488

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5cf986a441ab4f28bc9f7534e793f9f9

SHA1
33e945336041eea795c927279ae840d4f012f921

SHA256
72c950301eb91656a48af71a7e38e8857352f8111d7c49e5161eedd4afdca7cd

SHA512
d23669b65cea85aeea900a77d00bf90f7519fd842116a8c00683acc24218405b1ae47bd065ee0a4f872a95afba8746e171c85bb2b4cae53c1e5eb07dd5c6ea20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
557c7694eccf56eec3affcdd44377718

SHA1
813a6b73492a5cfebaa1a89aa354d69260936809

SHA256
558b57e0248ef8673ad5425f845e6b7378dee3e485149506cc27a2f72c04e00b

SHA512
e17f48a2174a5898830faada39c80df94d1cdcd3403e5b4f5601642594242c7607d1ec614c6d2c21bb3ff4293d2562d8eb551e80a47d724a36b50d5f794f3287

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
683dd8870c973cb0a1bb82893fcfbd8a

SHA1
6838953db93ac579cf52e28989c089de503b0620

SHA256
7b979413dda44a0aa6f1e8c7782dbd6c4fc0849ac575f0333f1b6f9bb6e39350

SHA512
f872458ab1a79adae9e94c20a2b841691d38229f407f6a57e3f9de2faf5257b37fd9210f1f4694ab43cc565dd06197a9abe4a6d257c8b7feae363fb462a53e97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ae2c8e2be2b007ac482705a063da3fc6

SHA1
7f8c58d01d58822c88bb92e394971df88c9bebc0

SHA256
34904db5056c67ed36c02c9239123baf7c39e3611f48f87eef2e832a58c7a5df

SHA512
1d6f814de07bfcf33b9c3ffaccb9689d461d70429ab865a2e11dee6baa3a7b46781f97f3799d99507d90f3e4c7ba62b99440e896dd778cc603fb742fc5b735ca

Download Submit