ac493fa7510339536b9c16138ee089076a25b9ea511ae031c5b9857eb2c8cc9f

Analysis

max time kernel
146s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 10:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

libpng_plugin.dll.svn-base?id=e3b43bd36fd50840467669364014ee53553872c1.html
Size

15KB
MD5

56199f12e141266eb4976e1416c2d185
SHA1

c01f17917a0b3ba76853d56887edb6d140d0fd81
SHA256

ac493fa7510339536b9c16138ee089076a25b9ea511ae031c5b9857eb2c8cc9f
SHA512

c906f6a7f49873d58857d2885fc7ea59c502636549223a9bc86f2ca3b427cfc079097644e0cb7c3e86a3d687a5316f39ddf62fee2aeb4e7f7cf128f9d0ff696f
SSDEEP

384:dAPMcMHyAcaqvbqncvXkvDZ3eIdILJzl+Cq124kbrBZFE8uI:mPMcMHyAcaqvbqncvUvDZ3eIdILtFE8B

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2648	msedge.exe
2648	msedge.exe
428	msedge.exe
428	msedge.exe
2972	identity_helper.exe
2972	identity_helper.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 428 wrote to memory of 4664	428	msedge.exe	80
PID 428 wrote to memory of 4664	428	msedge.exe	80
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 3220	428	msedge.exe	82
PID 428 wrote to memory of 2648	428	msedge.exe	83
PID 428 wrote to memory of 2648	428	msedge.exe	83
PID 428 wrote to memory of 3904	428	msedge.exe	84
PID 428 wrote to memory of 3904	428	msedge.exe	84
PID 428 wrote to memory of 3904	428	msedge.exe	84
PID 428 wrote to memory of 3904	428	msedge.exe	84
PID 428 wrote to memory of 3904	428	msedge.exe	84
PID 428 wrote to memory of 3904	428	msedge.exe	84
PID 428 wrote to memory of 3904	428	msedge.exe	84
PID 428 wrote to memory of 3904	428	msedge.exe	84
PID 428 wrote to memory of 3904	428	msedge.exe	84
PID 428 wrote to memory of 3904	428	msedge.exe	84
PID 428 wrote to memory of 3904	428	msedge.exe	84
PID 428 wrote to memory of 3904	428	msedge.exe	84
PID 428 wrote to memory of 3904	428	msedge.exe	84
PID 428 wrote to memory of 3904	428	msedge.exe	84
PID 428 wrote to memory of 3904	428	msedge.exe	84
PID 428 wrote to memory of 3904	428	msedge.exe	84
PID 428 wrote to memory of 3904	428	msedge.exe	84
PID 428 wrote to memory of 3904	428	msedge.exe	84
PID 428 wrote to memory of 3904	428	msedge.exe	84
PID 428 wrote to memory of 3904	428	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\libpng_plugin.dll.svn-base_id=e3b43bd36fd50840467669364014ee53553872c1.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0xe4,0x7ffa059846f8,0x7ffa05984708,0x7ffa05984718
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,4416284794276782342,14289270047044435711,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,4416284794276782342,14289270047044435711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,4416284794276782342,14289270047044435711,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4416284794276782342,14289270047044435711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4416284794276782342,14289270047044435711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4416284794276782342,14289270047044435711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4416284794276782342,14289270047044435711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
  2⤵
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,4416284794276782342,14289270047044435711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:8
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,4416284794276782342,14289270047044435711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4416284794276782342,14289270047044435711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:60
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4416284794276782342,14289270047044435711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:3584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,4416284794276782342,14289270047044435711,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4052 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3364

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4137cdac56dfb2abaffcdf9d6763faca

SHA1
712b17c5dbf1ee79303667bcb6abe244a338f998

SHA256
b6316f5945612dc73d5af794086f860730d88210424031c046471dd341b318ee

SHA512
83cff2c0b89d24c5529e060f89925ee285ce7f20d039a0db624a63f368193f24bedfacdeb0e3ba9a5e0fdf826b56815c394b0136466822362a68e33a63f6c15f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
87764a12f732824d60ea907572f441df

SHA1
0c1381fd6903f19e31c5d1080a9221f4c973f30e

SHA256
3d8b66fdaf729ec716e15eb856c8b442f4719e9a0a04d833fd27f767bb17b8fd

SHA512
ea4c9466b4295219962aac62182730e6c0875ea8da2e679083fc2cd771ab8c945fad46025a122b3269d02e6d13fcafb0fa976a3ffc8ed30c5d736be264a15e2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
920e5a186520a23b9f9189669270a8d7

SHA1
108cd9c9af618efe83bd8c6ee711b7f85c78df3d

SHA256
7b97d5a52bce25a5cf911e705f8c9fe9a96304add6b8ef7c6f8f75090468597f

SHA512
d540d9d8b2ba89908374ef07c7486ac306d9bb8b49a72bb8bb41e38aa9d22d64b164ccbd1ef1896f9f28bb1220a51b3dbb3319de503c5d72fe24d921ad7d3762

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c324c34c10b3d077920f79feb2693026

SHA1
5428f1fb8568162efa2e521322a82e014e2049cb

SHA256
fd83fa5464af4c1eb523343f912b7a475867a3f71a3a4fc770bec882b19c0f7b

SHA512
de8cf1174097f08af7bb323f95aa1eb6e1abcafde21261e7c7545684a4013c972688b478c31ebbbd9f73c28c1042a9e7d7403f2ee2f148b6cd70afce21e87e3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e44ccee70c404cbef4834ff9d3f246bd

SHA1
fd40ff847b411a532709df93f35166ced40be008

SHA256
6777e5e62864a8581489de1e6659a6f4f26500c781bbbfcada05139e9eda278b

SHA512
e33dfdf0b024a067085211b753edc37b67573a69965e9ad21a4e9aa9d4a30f84c51856d31b8d5a0f26c7a9d701c67cbb8bd551e9db9ea846a28271300647d4a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
3623b335cc798268e5797287a8b532fc

SHA1
559cc8c5cd086abd2735e8e23c3c064df755ed7d

SHA256
46555c030b2be5bd797cf6cd6c32798c4e832fe1b8cff22a1eac40fc9839dc1d

SHA512
effdfe961238b293d639337779980242a1c3515f089e68a0ab76f77bbbbfd0f18d3b87f21c9e0e24a344f605bb764b3ff64d7cfbc15fe80f8daba4197cb01fac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bee2d4c0746f19f1b406b9fe58b4a352

SHA1
ae4f66e52a5b3547ff7a4bccc5dc90fd35fa6d87

SHA256
b437e91435fdbe2fb9bd240e875d0114ebe0e63fc8b116d814039432091a75b1

SHA512
b602ec8c2173702c1e9072598ca4ba55705a06bd3030dda1f930ceda228388cf652f3715e8125ab3c4a0e5cf8292ba3547682cd854770969072de15890506fd5

Download Submit