hxxp://Google[.]com

Resubmissions

02/05/2024, 15:35

240502-s1kstaca4w 1

02/05/2024, 15:32

02/05/2024, 15:29

02/05/2024, 15:27

02/05/2024, 15:23

02/05/2024, 15:19

02/05/2024, 15:16

02/05/2024, 15:13

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240419-de
resource tags

arch:x64arch:x86image:win10v2004-20240419-delocale:de-deos:windows10-2004-x64systemwindows
submitted
02/05/2024, 15:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://Google.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2944	msedge.exe
2944	msedge.exe
4588	msedge.exe
4588	msedge.exe
1736	identity_helper.exe
1736	identity_helper.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 2716	4588	msedge.exe	83
PID 4588 wrote to memory of 2716	4588	msedge.exe	83
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2712	4588	msedge.exe	84
PID 4588 wrote to memory of 2944	4588	msedge.exe	85
PID 4588 wrote to memory of 2944	4588	msedge.exe	85
PID 4588 wrote to memory of 316	4588	msedge.exe	86
PID 4588 wrote to memory of 316	4588	msedge.exe	86
PID 4588 wrote to memory of 316	4588	msedge.exe	86
PID 4588 wrote to memory of 316	4588	msedge.exe	86
PID 4588 wrote to memory of 316	4588	msedge.exe	86
PID 4588 wrote to memory of 316	4588	msedge.exe	86
PID 4588 wrote to memory of 316	4588	msedge.exe	86
PID 4588 wrote to memory of 316	4588	msedge.exe	86
PID 4588 wrote to memory of 316	4588	msedge.exe	86
PID 4588 wrote to memory of 316	4588	msedge.exe	86
PID 4588 wrote to memory of 316	4588	msedge.exe	86
PID 4588 wrote to memory of 316	4588	msedge.exe	86
PID 4588 wrote to memory of 316	4588	msedge.exe	86
PID 4588 wrote to memory of 316	4588	msedge.exe	86
PID 4588 wrote to memory of 316	4588	msedge.exe	86
PID 4588 wrote to memory of 316	4588	msedge.exe	86
PID 4588 wrote to memory of 316	4588	msedge.exe	86
PID 4588 wrote to memory of 316	4588	msedge.exe	86
PID 4588 wrote to memory of 316	4588	msedge.exe	86
PID 4588 wrote to memory of 316	4588	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://Google.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffff2c746f8,0x7ffff2c74708,0x7ffff2c74718
  2⤵
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,8284668332646453092,859089647471413191,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:2712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,8284668332646453092,859089647471413191,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,8284668332646453092,859089647471413191,131072 --lang=de --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
  2⤵
  PID:316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8284668332646453092,859089647471413191,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8284668332646453092,859089647471413191,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8284668332646453092,859089647471413191,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,8284668332646453092,859089647471413191,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=5704 /prefetch:8
  2⤵
  PID:1456
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,8284668332646453092,859089647471413191,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=5704 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8284668332646453092,859089647471413191,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1
  2⤵
  PID:812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8284668332646453092,859089647471413191,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8284668332646453092,859089647471413191,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8284668332646453092,859089647471413191,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,8284668332646453092,859089647471413191,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3620 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9dc60aef38e7832217e7fa02d6f0d9f6

SHA1
4f8539dc7d5739b36fe976a932338f459d066db6

SHA256
8a0ee0b6fafabb256571b691c2faf77c7244945faa749c72124d5eb43a197a32

SHA512
18371541811910992c2b84a8eae7e997e8627640bdb60b9e82751389e50931db9b3e206d31f4d9d2dc3ca25ea3a82c0be413ecb0ef3ac227a14e54f406eaa7e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7ac03b15b68af2d5cb5c8063057cc83e

SHA1
9b2d4db737f57322ff5c4bbddd765b3177f930ab

SHA256
b90d7596301470b389842eecb46bd3a8e614260b0d374d5c35a36afb9c71a700

SHA512
a5e9f40dd9040803046b0218fab6b058d49e5e2a3ada315e161fe9fc80ebb8d6d4442ccc1c98d19e561fc7c61bcf43d662fe2231cacacb447876a2113c2e3732

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
202KB

MD5
14ab2f761595c786bb4dd7fe3190a016

SHA1
17088348ffd5a394261eac019024cab0c4af36fb

SHA256
d25e48857d52105de9b99056890de75dd72f3b43410f407a2b3afdc1a2fb02d4

SHA512
e8728eab10c048afb8607f54af8a1b1a7ecfa56df0a8309820f353635862e7ef428cdd3b482a19f7634d924f44c787859f18ada2e1ae64987bd8b2dd3e9971d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
52944e7a8cd4d2d196e622dc764669a2

SHA1
b513f4417ec9e6cdf4a50448a2017fa69f7ec44a

SHA256
29c77785968781a5925bb2473b4bc60b71fffb758ead73a2eee02398b9f79063

SHA512
207aeea9530791a0c8eb7d8c5510c1e8517248d4463cb47dd7a58da3ca01760d22c9e5a1de99aaea3c0addf4ee6f45be4e21ed730e1c750c91b4c5024f14a959

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
964B

MD5
4bf42c7b6c65e6c70652043d14fe0bbd

SHA1
2d0bb923b53a76d85c22f5409444a4ba8a46cfaf

SHA256
65815c06149dfed2a3679e263f33282881e7ec1ba9aa87e98726bd132cbf6bbb

SHA512
ddff33ee26558006904d419f6156262d3982597a572867b015994635eed91da9067bd272063d057af6d23f9d1844acdde645c8d12c52d528a7a7be5f870f5949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
36e84718d8184fdb015cffb59c8d16c2

SHA1
3601daff30d7e52f36d8cfe22ac087d3e626bf96

SHA256
d3af8eaf396b20e880a106e680db7c993021c7999d0942af67cf437dfdc58f3b

SHA512
c8215f62b788bee6f9f2ee1bdb5c217130ea28143901d2f61d2217f51f5c3917d48d5f387a2e1c80154657d364c9573ec5dc9a3d68a8ccf5fe179d1ea0db29d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e8ab46690692191157bb59f309644039

SHA1
47f879c9e555ba9ec4e605eebc5c2a114fcdc745

SHA256
a554a8123f137f26d238526c1f73d85ca6f79196e123b73aae7c97bb07dab808

SHA512
d6039414ea23a02eed0f6d794b8feff8fca25c1006cd61919e647d8ff1748b7c9ac514f6760a03e6027a8201937a9241964a581ef780dfd0055d3df68bdc49b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8855c158490d57f34332045be1b075ff

SHA1
d9642de066bec47124a62ba9a32b413db2309c11

SHA256
2f4dbfccb716fb9baddb388edbfb448b9347b2a851509a43374b5937ed6d6788

SHA512
b33dcd8eeacb042807766c3b70f6fe54b7694fef78983244bae27863a94154cd44b47640bd96076ab65f60dfcd58505ee3396ba5545d55759b1929d6c2a5dfea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6a79306896bef7e7a5575a444b1064ab

SHA1
f4b3bf285cdb5e015aa93b29376793410c0f8475

SHA256
5717f39fe76189eae77b41f0be07c8ada75dd452ef0752a0fe9555b01adc7fe7

SHA512
d6686cea8d34b42763538739f8aac16be2fd42b31fb7007fe5cc84b732cdb1983da12e6f2e722a0af3f5743b2b32d4bf76e4ca64bff11a18a0e4e4daf197058a

Download Submit