6f2fc693d41f6b3f5b2397d5476177b93b8a78a00e04341285b768af15e9083a

Analysis

max time kernel
147s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

libi420_rgb_sse2_plugin.dll.svn-base?id=3053a167982e379b031fe9fbe2a1d57c23026a90.html
Size

7KB
MD5

27ec37a2a2f97b5817af2accb7ab7302
SHA1

6ebd93b17cdb9b3349bdf838d512e0a9ddb56e13
SHA256

6f2fc693d41f6b3f5b2397d5476177b93b8a78a00e04341285b768af15e9083a
SHA512

2747fce683551febc24310def5221e483f18587f448f85c228a05892d92aaed7965c66078b539a95e29cedf3394cf3b451d24a4f0cec63d976f5cac2296d2793
SSDEEP

192:ZWvTPMcMHyx1Vvkv/qv/dUv/lvCPv0mXHP5BxSyv/0vST/lo3fVvvEv/8vLavzvU:ZKPMcMHyx18YdKRmXHP5BxSwNT/2QgRN

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1564	msedge.exe
1564	msedge.exe
1572	msedge.exe
1572	msedge.exe
4640	identity_helper.exe
4640	identity_helper.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 2668	1572	msedge.exe	82
PID 1572 wrote to memory of 2668	1572	msedge.exe	82
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1932	1572	msedge.exe	85
PID 1572 wrote to memory of 1564	1572	msedge.exe	86
PID 1572 wrote to memory of 1564	1572	msedge.exe	86
PID 1572 wrote to memory of 3468	1572	msedge.exe	87
PID 1572 wrote to memory of 3468	1572	msedge.exe	87
PID 1572 wrote to memory of 3468	1572	msedge.exe	87
PID 1572 wrote to memory of 3468	1572	msedge.exe	87
PID 1572 wrote to memory of 3468	1572	msedge.exe	87
PID 1572 wrote to memory of 3468	1572	msedge.exe	87
PID 1572 wrote to memory of 3468	1572	msedge.exe	87
PID 1572 wrote to memory of 3468	1572	msedge.exe	87
PID 1572 wrote to memory of 3468	1572	msedge.exe	87
PID 1572 wrote to memory of 3468	1572	msedge.exe	87
PID 1572 wrote to memory of 3468	1572	msedge.exe	87
PID 1572 wrote to memory of 3468	1572	msedge.exe	87
PID 1572 wrote to memory of 3468	1572	msedge.exe	87
PID 1572 wrote to memory of 3468	1572	msedge.exe	87
PID 1572 wrote to memory of 3468	1572	msedge.exe	87
PID 1572 wrote to memory of 3468	1572	msedge.exe	87
PID 1572 wrote to memory of 3468	1572	msedge.exe	87
PID 1572 wrote to memory of 3468	1572	msedge.exe	87
PID 1572 wrote to memory of 3468	1572	msedge.exe	87
PID 1572 wrote to memory of 3468	1572	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\libi420_rgb_sse2_plugin.dll.svn-base_id=3053a167982e379b031fe9fbe2a1d57c23026a90.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc7e4d46f8,0x7ffc7e4d4708,0x7ffc7e4d4718
  2⤵
  PID:2668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,4374571452598102450,1116233493844461655,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2284 /prefetch:2
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,4374571452598102450,1116233493844461655,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,4374571452598102450,1116233493844461655,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,4374571452598102450,1116233493844461655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:1544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,4374571452598102450,1116233493844461655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,4374571452598102450,1116233493844461655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,4374571452598102450,1116233493844461655,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,4374571452598102450,1116233493844461655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,4374571452598102450,1116233493844461655,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:2752
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,4374571452598102450,1116233493844461655,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
  2⤵
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,4374571452598102450,1116233493844461655,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,4374571452598102450,1116233493844461655,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4100 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1952

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1248

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8c91c8582b0c918416d14bd7eedd686e

SHA1
b2ff8149bc21144fdcec64111afda492965c6621

SHA256
1e839706b748c04adf8efa2790564ca1efd707fdf6451e71af6862e07123717e

SHA512
a93be868d9f08097bff39069378a0bfa0f5c78e74e9e8df820be9b0426cbfe84e03e9638b329b6142279ed140a120c4c4c21857f410fc4789a370445c3919dcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2579d07b98bbefadc929d80fb3dbd32a

SHA1
1ceb57c4b81f0f23500e118a4b9a225116a467de

SHA256
b8443c289ad36568a2bf794ac9ec1f259a9dd930c36680dafc8d0cb4de81feb6

SHA512
53522ad5e8e2a272d5b1bff9b9226b7d976d47413891c60d7efebd4365baff12b6891e3f79b20e14892ec7c654ad2d437941014290c428c6b1bd78a7b3e557de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dae87b0aadf13e0e6e00816c095237b5

SHA1
5854d16594fa58d222e22507ba019089a308f232

SHA256
bf1500834ce78378a6fd1e703a3e22d9d3a025223bd2912a86629f6084cf16b2

SHA512
e1ed1e0861e78dbb2e874b6d47e74f880377d9c665f2eca401c5004ad32b01ec824880154bf2a8d57d48db87414375046e267b1b8e355eceb1c27a160c5767cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
765aa2436089a04373c6dc4d946dd3bf

SHA1
730a5d50619591e127151edd17b5a136640581c1

SHA256
d300a1e6b511a915aeb1ad8bb8cb9728728271305165c6d1dad5396f23d5d2c0

SHA512
09a7e5dc9d6c06e7c1a8d03e1ab2e3129f8c1bce3ac2b234a2722f4c0aa163e217a6be1677638dbccd3bff1232e386c0d79176b412ef7b5edf7047c6408b7502

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT~RFe577f52.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5ae54578c6f09cf9f27053240c8be593

SHA1
ad8c57e70da601ebcfe4d1e9c620fc7637c2f83c

SHA256
04b4626545678a9eb9642e34f4ec964f81d81e3079fc9333aa81b64d99a8283e

SHA512
0468933f3d95c983597617dca31703fc9f13e5180ca4c86ffb4ebe9b049a04a5c63953d401c33487fe9b1698bd06d62cd11d89f6090ff901343cfb1dc2e04e62

Download Submit