8d7c1f4f7bca64b9b9efbe2f2f6c20dbd28d9b25fdc2738b309c7e1635f20b9c

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/Register.html
Size

17KB
MD5

c649701632a1503ee019494dae581f75
SHA1

22c6c13486f878598fb5650b142fb90f2d03051c
SHA256

e84b9c03bd612c8b1c43dd04f73e8110602e0e8f8e42ef07eddcff55f8bc9d37
SHA512

d4821624fd9e856e5045babdc5433a6e8e97f8207fb158a2637d0d214653921539c10572209275d593fb80db4809f0c572f7aa1b40f0d052b0a7fcc0e8895bf4
SSDEEP

192:zjBxr5ufCnTOV6oNLB2vOXQyuv48238xglTWlNr33G+y2SeSpUwWSh:qCS/2mG48238xkT4rm+yg9U

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2144	msedge.exe
2144	msedge.exe
4992	msedge.exe
4992	msedge.exe
4148	identity_helper.exe
4148	identity_helper.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 3724	4992	msedge.exe	85
PID 4992 wrote to memory of 3724	4992	msedge.exe	85
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 3148	4992	msedge.exe	86
PID 4992 wrote to memory of 2144	4992	msedge.exe	87
PID 4992 wrote to memory of 2144	4992	msedge.exe	87
PID 4992 wrote to memory of 448	4992	msedge.exe	88
PID 4992 wrote to memory of 448	4992	msedge.exe	88
PID 4992 wrote to memory of 448	4992	msedge.exe	88
PID 4992 wrote to memory of 448	4992	msedge.exe	88
PID 4992 wrote to memory of 448	4992	msedge.exe	88
PID 4992 wrote to memory of 448	4992	msedge.exe	88
PID 4992 wrote to memory of 448	4992	msedge.exe	88
PID 4992 wrote to memory of 448	4992	msedge.exe	88
PID 4992 wrote to memory of 448	4992	msedge.exe	88
PID 4992 wrote to memory of 448	4992	msedge.exe	88
PID 4992 wrote to memory of 448	4992	msedge.exe	88
PID 4992 wrote to memory of 448	4992	msedge.exe	88
PID 4992 wrote to memory of 448	4992	msedge.exe	88
PID 4992 wrote to memory of 448	4992	msedge.exe	88
PID 4992 wrote to memory of 448	4992	msedge.exe	88
PID 4992 wrote to memory of 448	4992	msedge.exe	88
PID 4992 wrote to memory of 448	4992	msedge.exe	88
PID 4992 wrote to memory of 448	4992	msedge.exe	88
PID 4992 wrote to memory of 448	4992	msedge.exe	88
PID 4992 wrote to memory of 448	4992	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Register.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8b14846f8,0x7ff8b1484708,0x7ff8b1484718
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,15555191191478056408,15595286729110187128,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,15555191191478056408,15595286729110187128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,15555191191478056408,15595286729110187128,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2580 /prefetch:8
  2⤵
  PID:448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15555191191478056408,15595286729110187128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15555191191478056408,15595286729110187128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,15555191191478056408,15595286729110187128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,15555191191478056408,15595286729110187128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15555191191478056408,15595286729110187128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2504 /prefetch:1
  2⤵
  PID:3296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15555191191478056408,15595286729110187128,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15555191191478056408,15595286729110187128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15555191191478056408,15595286729110187128,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:1332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,15555191191478056408,15595286729110187128,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3056 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:456

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
120a75f233314ba1fe34e9d6c09f30b9

SHA1
a9f92f2d3f111eaadd9bcf8fceb3c9553753539c

SHA256
e04101215c3534dbc77c0b5df2e1d1ff74c277d2946f391f939c9a7948a22dd0

SHA512
3c4eb93e425b50e8bcc1712f4cc2be11888a0273c3a619fc6bf72ccab876a427158f661bfc80d0c1e47ef4116febf76a3aaa31a60ec662eae0e51c7f1d3d89b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bc2edd0741d97ae237e9f00bf3244144

SHA1
7c1e5d324f5c7137a3c4ec85146659f026c11782

SHA256
dbce3287c7ae69ccbd1d780c39f3ffa3c98bd4609a939fff8ee9c99f14265041

SHA512
00f505a0b4ea0df626175bf9d39a205f18f9754b62e4dba6fbb5b4a716b3539e7809723e1596bcfe1ba3041e22342e3a9cbaad88e84ce9c8c6531331bbc25093

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
89d9d7df79d474fde980195d43d712ae

SHA1
5ddcc2652f594467965faf4ae7b66737a04150f8

SHA256
329ca4a0761893c2f9d899e758d493f5eb02a00b309ab1955a898cf39f8b7181

SHA512
67f5aa2c8856821b76f87fa857332875372a51dd65188ca9edafbe0b97f86bd37d451d88c8d73d4653db1acde1a76ce0220af11e71e95d5c89690b69154ba2e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2be94b7b2c083dcc7ed788741daf7a3e

SHA1
e9fc786ede1de0cd7ca458f0b3a79c0b1bacf793

SHA256
43eeb73daa0b2b9b1d0651fa347b295924059d87553db41d9dded7df88f554ab

SHA512
0e6fdbda49ea351c2ca415f5340e42218f2cea5f8eab01e1661e758940ce12eba604ff0ab232313e564c8d0b84ffb2a8d717931d54c93764a6b796f280acdf2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8c42a015adba5e4fa8336e836b49987f

SHA1
cb3f9980fc34060da225d5064f5563e709b2b363

SHA256
ca3fcc3af666073b1f51de83b7ebead16237b2fff62c15a133065bad14196f95

SHA512
1a2e5d28b4689cc6c909fd5e184ca27dd7e942b32c6ab9bc7291cdd2e7d7bd9d9426adcb7327a6d912bc00756d32f09a75b2927fe0b77bcfdc8938a1d318ec76

Download Submit