6ff4e388b357e08e45b267ca9dc14db093251cca969108e62aee62b56967868c

Analysis

max time kernel
145s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03-05-2024 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

html/resources/views/admin/blog/_form.blade.html
Size

7KB
MD5

b9b4c801960097a5d53342664b4f97bc
SHA1

2c9e6dabb30d1076fd617cf80a05bf9d7b1aefaa
SHA256

b1200a38773603f899dc8af23f693ebdce18f5c051ee67cdaeb446049a83e77a
SHA512

e3cbf77212b9135767477f807665b405ac7d80b3b02cb3901375157272ffb060403ce84f0297060c2fa63e90e6e93ada740b6e629fad594000f5a2c69998dabf
SSDEEP

192:SopklzZE1MoLo8o3vovOgHbCv1CBuUmPvZYw6K:3wZE1PM//cOgHbCv1CBuUmPvSw3

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4768	msedge.exe
4768	msedge.exe
1740	msedge.exe
1740	msedge.exe
4348	identity_helper.exe
4348	identity_helper.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2568	1740	msedge.exe	88
PID 1740 wrote to memory of 2568	1740	msedge.exe	88
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 844	1740	msedge.exe	89
PID 1740 wrote to memory of 4768	1740	msedge.exe	90
PID 1740 wrote to memory of 4768	1740	msedge.exe	90
PID 1740 wrote to memory of 2388	1740	msedge.exe	91
PID 1740 wrote to memory of 2388	1740	msedge.exe	91
PID 1740 wrote to memory of 2388	1740	msedge.exe	91
PID 1740 wrote to memory of 2388	1740	msedge.exe	91
PID 1740 wrote to memory of 2388	1740	msedge.exe	91
PID 1740 wrote to memory of 2388	1740	msedge.exe	91
PID 1740 wrote to memory of 2388	1740	msedge.exe	91
PID 1740 wrote to memory of 2388	1740	msedge.exe	91
PID 1740 wrote to memory of 2388	1740	msedge.exe	91
PID 1740 wrote to memory of 2388	1740	msedge.exe	91
PID 1740 wrote to memory of 2388	1740	msedge.exe	91
PID 1740 wrote to memory of 2388	1740	msedge.exe	91
PID 1740 wrote to memory of 2388	1740	msedge.exe	91
PID 1740 wrote to memory of 2388	1740	msedge.exe	91
PID 1740 wrote to memory of 2388	1740	msedge.exe	91
PID 1740 wrote to memory of 2388	1740	msedge.exe	91
PID 1740 wrote to memory of 2388	1740	msedge.exe	91
PID 1740 wrote to memory of 2388	1740	msedge.exe	91
PID 1740 wrote to memory of 2388	1740	msedge.exe	91
PID 1740 wrote to memory of 2388	1740	msedge.exe	91

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\html\resources\views\admin\blog\_form.blade.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9dfbd46f8,0x7ff9dfbd4708,0x7ff9dfbd4718
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,15243633646492250152,17761870515648708662,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,15243633646492250152,17761870515648708662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,15243633646492250152,17761870515648708662,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
  2⤵
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15243633646492250152,17761870515648708662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15243633646492250152,17761870515648708662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,15243633646492250152,17761870515648708662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 /prefetch:8
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,15243633646492250152,17761870515648708662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15243633646492250152,17761870515648708662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15243633646492250152,17761870515648708662,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15243633646492250152,17761870515648708662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15243633646492250152,17761870515648708662,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:2624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,15243633646492250152,17761870515648708662,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1260 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4144

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4832

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9dc60aef38e7832217e7fa02d6f0d9f6

SHA1
4f8539dc7d5739b36fe976a932338f459d066db6

SHA256
8a0ee0b6fafabb256571b691c2faf77c7244945faa749c72124d5eb43a197a32

SHA512
18371541811910992c2b84a8eae7e997e8627640bdb60b9e82751389e50931db9b3e206d31f4d9d2dc3ca25ea3a82c0be413ecb0ef3ac227a14e54f406eaa7e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7ac03b15b68af2d5cb5c8063057cc83e

SHA1
9b2d4db737f57322ff5c4bbddd765b3177f930ab

SHA256
b90d7596301470b389842eecb46bd3a8e614260b0d374d5c35a36afb9c71a700

SHA512
a5e9f40dd9040803046b0218fab6b058d49e5e2a3ada315e161fe9fc80ebb8d6d4442ccc1c98d19e561fc7c61bcf43d662fe2231cacacb447876a2113c2e3732

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
399B

MD5
d505a6a46ab437302482494f78daa185

SHA1
27716de8b0ed15d415b700ce85a660ad8de2d1a3

SHA256
143f421af071fe065a4c783d19118824106825452ef9991bbfa85b24f3edb07d

SHA512
e9ca458d58905e43428b5078dc0bf9eb6a3b8542608338a8a2dd36b0502d178b8b06e6eb2b61056ea544942bb1f39d575740f0fc180bf613e2fc7af6f39212db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ac0d327dd279ca89fb580ac7a6284da9

SHA1
8e9bdf413122a83d99c83b256f2c87b3e3731d94

SHA256
c7d37ce094f1470daa8874afbd64775d03c309fcdc4d680ff40cd162d06e23a5

SHA512
6dd9f5be11a286c786b69e1d1831653ce0808ff5cf07151267f0fa618a147986fc61a56ddf9faa6dce6a8b698517df371151a1d9014132887d316c22d0c1ab1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a0045012-e225-47e3-8ff6-7c0a7457e2d7.tmp

Filesize
6KB

MD5
59a05150f77980f621413127836693eb

SHA1
31007ed131e69b2f343893add7efbf87221d4ccd

SHA256
17c402c9b5f8d159ddd5c73cef9bac8dd9f3abca78c634c5caf79379d9086fb3

SHA512
df7ece443e7e155b76c7edb07dfd853dcf44133a3df299df36441b001e91c847d625a6ffd48dd6ad80e35e1a083d48c0de79626af15030444c3b36dd490ecf72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2c56fd74ad00f3ba46e7b4622e909937

SHA1
becdfefd7d328257e4e18d73cfd5f2d6d703157f

SHA256
102acf8fb538787bbd30848259d810cbb4494a0f08147109bf6ef8c8ce6d8a23

SHA512
a69fb0151e9e36efcdac507d6a2d47de219c58f01f07e9f218569d6af9f027b0a0d77a93faf037f6055404041dc0c8b9cf71241e16e70259e59d1d9845ce8de2

Download Submit