78e4ea3e99415c528612791836fa3ce641176526adfbdd7c50ded222f29d8d00

Analysis

max time kernel
145s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

blogid=321536463764.html
Size

23KB
MD5

ccc65a8593a809e1b3665dc1ff7c0286
SHA1

f8a7bf2ce9f171771d940568d0b62dbb35881c8e
SHA256

5bb67ce78c62d4f8c2b3867acf7ee24e2b967661a6223ad54f46c48c3b0d82c0
SHA512

294863882d156bc2515c7db73adf63b2bdde85ecefc499af7a09d2b65faf52c2f91000a959bbd5e1df09915f651748316396667fd1fd9ca4ad7ccb4c171a0ca7
SSDEEP

384:azZ6ej63Rwhm4hxQ2hXqhInpheBmAqt8NzzW5JIzw:kQ+hXhxbh6hIhX8NzzW8zw

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
3628	msedge.exe
3628	msedge.exe
2368	msedge.exe
2368	msedge.exe
3968	identity_helper.exe
3968	identity_helper.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

2368 msedge.exe
2368 msedge.exe
2368 msedge.exe
2368 msedge.exe
2368 msedge.exe
2368 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2368 wrote to memory of 2824	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 2824	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 460	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 3628	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 3628	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 2340	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 2340	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 2340	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 2340	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 2340	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 2340	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 2340	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 2340	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 2340	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 2340	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 2340	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 2340	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 2340	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 2340	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 2340	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 2340	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 2340	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 2340	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 2340	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 2340	2368	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\blogid=321536463764.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed93d46f8,0x7ffed93d4708,0x7ffed93d4718
2⤵
PID:2824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,3700672663742813257,13302323933855235010,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
2⤵
PID:460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,3700672663742813257,13302323933855235010,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,3700672663742813257,13302323933855235010,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
2⤵
PID:2340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,3700672663742813257,13302323933855235010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
2⤵
PID:1664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,3700672663742813257,13302323933855235010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
2⤵
PID:1264

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,3700672663742813257,13302323933855235010,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 /prefetch:8
2⤵
PID:4156

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,3700672663742813257,13302323933855235010,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,3700672663742813257,13302323933855235010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
2⤵
PID:4888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,3700672663742813257,13302323933855235010,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
2⤵
PID:3796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,3700672663742813257,13302323933855235010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
2⤵
PID:4620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,3700672663742813257,13302323933855235010,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
2⤵
PID:3084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,3700672663742813257,13302323933855235010,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5332 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4e96ed67859d0bafd47d805a71041f49

SHA1
7806c54ae29a6c8d01dcbc78e5525ddde321b16b

SHA256
bd13ddab4dc4bbf01ed50341953c9638f6d71faf92bc79fbfe93687432c2292d

SHA512
432201c3119779d91d13da55a26d4ff4ce4a9529e00b44ec1738029f92610d4e6e25c05694adf949c3e9c70fbbbbea723f63c29287906729f5e88a046a2edcb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1cbd0e9a14155b7f5d4f542d09a83153

SHA1
27a442a921921d69743a8e4b76ff0b66016c4b76

SHA256
243d05d6af19bfe3e06b1f7507342ead88f9d87b84e239ad1d144e9e454b548c

SHA512
17e5217d5bf67571afb0e7ef30ac21c11ea6553f89457548d96ee4461011f641a7872a37257239fa5f25702f027afb85d5bd9faf2f2f183992b8879407e56a0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c1d0e79f3aabaaabc383e4b4047f6fbd

SHA1
a58e48c2483e54033f0ac9b726814f98d35d6448

SHA256
c7b1394e78ecf8a43615c210ecf4f55418c506c72a5d7e388f87a2a8540035e9

SHA512
9543081ac08676f8179c610494e3f7889d8a85969e948476f20455f65042446ea3a9e635ade19e6393622da6e68c2106fb1db074e1b3ead3c81cd7683a0aa3b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fe8edc87fc6d18fb1606e6b693518032

SHA1
8c685388eda43ff40aa82561a2c2dd4d430d37c0

SHA256
a2b0fa00ffe2f7c65c2b6df0c88924ef1c5b9249a36ef7221a9dd421fc62c82d

SHA512
a80a8c0f805a33981e1f568efda1d495ebd293f5a2e7c27915b736add85c8d58b3c9065ae95dffad8f07aeff0e491df52d34a1ef8c159322fb46b14e6e8888bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
25e9fbdf8e075c192de9474b80b79a04

SHA1
118fd5324bfd2d4aa2c98568533701519d69a242

SHA256
5da1e50ddb21a155c8e853e5048c61f6727fe32de71ab49fde4fcfa3d553bef3

SHA512
2610bc5b51bf11721281ca66b024f10b73910b46a77a71f24f986edd27f8bc7f190441bd1159dd363909021f38cd1fa6d85d9b8b8d942f7c07518923dcc84271

Download Submit
\??\pipe\LOCAL\crashpad_2368_HRNOLBPNLPMGOLNE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit