hxxp://abuse[.]ch

Analysis

max time kernel
1680s
max time network
1685s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
03/05/2024, 10:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://abuse.ch

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
5044	msedge.exe
5044	msedge.exe
1364	msedge.exe
1364	msedge.exe
3316	msedge.exe
3316	msedge.exe
4820	identity_helper.exe
4820	identity_helper.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 3696	1364	msedge.exe	80
PID 1364 wrote to memory of 3696	1364	msedge.exe	80
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 908	1364	msedge.exe	81
PID 1364 wrote to memory of 5044	1364	msedge.exe	82
PID 1364 wrote to memory of 5044	1364	msedge.exe	82
PID 1364 wrote to memory of 2088	1364	msedge.exe	83
PID 1364 wrote to memory of 2088	1364	msedge.exe	83
PID 1364 wrote to memory of 2088	1364	msedge.exe	83
PID 1364 wrote to memory of 2088	1364	msedge.exe	83
PID 1364 wrote to memory of 2088	1364	msedge.exe	83
PID 1364 wrote to memory of 2088	1364	msedge.exe	83
PID 1364 wrote to memory of 2088	1364	msedge.exe	83
PID 1364 wrote to memory of 2088	1364	msedge.exe	83
PID 1364 wrote to memory of 2088	1364	msedge.exe	83
PID 1364 wrote to memory of 2088	1364	msedge.exe	83
PID 1364 wrote to memory of 2088	1364	msedge.exe	83
PID 1364 wrote to memory of 2088	1364	msedge.exe	83
PID 1364 wrote to memory of 2088	1364	msedge.exe	83
PID 1364 wrote to memory of 2088	1364	msedge.exe	83
PID 1364 wrote to memory of 2088	1364	msedge.exe	83
PID 1364 wrote to memory of 2088	1364	msedge.exe	83
PID 1364 wrote to memory of 2088	1364	msedge.exe	83
PID 1364 wrote to memory of 2088	1364	msedge.exe	83
PID 1364 wrote to memory of 2088	1364	msedge.exe	83
PID 1364 wrote to memory of 2088	1364	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://abuse.ch
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcca433cb8,0x7ffcca433cc8,0x7ffcca433cd8
  2⤵
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1720,16811023906291911288,16791790395119393124,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1836 /prefetch:2
  2⤵
  PID:908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1720,16811023906291911288,16791790395119393124,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1720,16811023906291911288,16791790395119393124,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,16811023906291911288,16791790395119393124,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,16811023906291911288,16791790395119393124,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:2080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,16811023906291911288,16791790395119393124,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:1684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,16811023906291911288,16791790395119393124,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1720,16811023906291911288,16791790395119393124,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5604 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1720,16811023906291911288,16791790395119393124,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,16811023906291911288,16791790395119393124,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,16811023906291911288,16791790395119393124,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,16811023906291911288,16791790395119393124,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3872 /prefetch:1
  2⤵
  PID:3800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,16811023906291911288,16791790395119393124,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1720,16811023906291911288,16791790395119393124,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1724 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1348

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\55ab9d00-d794-46d8-85e4-4f55931bca87.tmp

Filesize
11KB

MD5
2298196d85ace54098b30f62273820ab

SHA1
68723b5c7c9048f0c85fb316add0cc8e24b18142

SHA256
fe8b925f027f584786f338fbe09ee23458679028cba2ba9682564a4ca841697c

SHA512
257ffcecaa49b10ba6e2a708bf0e63cbefe68490fdc76e438c0de5005389ab0416e84cf7149220f6318b953dc7e4e96d3413b538e22e782668e571d0d31bf263

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
046d49efac191159051a8b2dea884f79

SHA1
d0cf8dc3bc6a23bf2395940cefcaad1565234a3a

SHA256
00dfb1705076450a45319666801a3a7032fc672675343434cb3d68baccb8e1f7

SHA512
46961e0f0e4d7f82b4417e4aac4434e86f2130e92b492b53a194255bd3bba0855069524cd645f910754d4d2dbf3f1dc467bcc997f01dc6b1d8d6028e2d957236

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d22039bc7833a3a27231b8eb834f70

SHA1
79c4290a2894b0e973d3c4b297fad74ef45607bb

SHA256
402defe561006133623c2a4791b2baf90b92d5708151c2bcac6d02d2771cd3d6

SHA512
c69ee22d8c52a61e59969aa757d58ab4f32492854fc7116975efc7c6174f5d998cc236bbf15bce330d81e39a026b18e29683b6d69c93d21fea6d14e21460a0a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
1990f73bf091dd8b3c310183c82d8215

SHA1
89539b5f06d8b940914cda1347768b12b0c65260

SHA256
3c67285172fb855cca740368fd9864229770e391704ce32f8fcae16f4c636478

SHA512
507a5bff6b62bea2fc65221a2bbce74f8b3a51cb4aba13f5ca8420663342e33a8b68c92830ebf4c19ba5ae2dd696acf1b64a35e638b75b03f02fefcd21554eb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
823B

MD5
ba6d1d5c35f622bb8f35dd2395e7072b

SHA1
4bcf0c336c5fdd49a353c0e60f3629518d01a9a8

SHA256
7202eba715d33a006758f9222ae56ef26a96b176920971047bcee1dc55a02f60

SHA512
5bd582cbbbe45d4f276abd5e712ac4904c144250c9bbb9f800c18b4997428727dcd5a112828d576862cea3878128a15af757a87e94df6dea99cba189de425c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
53eb2cdafcda7e553ba13b30e140b129

SHA1
5bb4b66d7714a93d4139c259cc38958388a997a5

SHA256
db116a683c67943ffe06c5c32f57f7ea3b22df4c4bcd1a05250c2bfc5de93c15

SHA512
9c1d3fbcebf8ef4f149e903e09ebdf4f2fd029a849da986b654bf5bd2a1dc6ec0349842710eca8f8899358ccde86a90adad412cc2b79cc5dd86b2ab0dc73b28e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
098e4993be49916f8fc54d89cf74e7ba

SHA1
7862b6396873021fede14561ed3317391ebf0bbf

SHA256
a0bfebc299819eb7479e7be2657607df3a587dd78da01db31607ac94cd348b14

SHA512
0b431ec08e20d31cf072de4358cd380201033335849fabb6a4eec2da211fcaaae9972424d8bda90ad9d5871568c56e59f01224e023990a05b8b95feaa6419f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c8d7392f8c2e4b7bd79dfe1c69722e5a

SHA1
ccd1c9f457cd40f02404348eaad50617ef7de169

SHA256
36129bd03bb015e5e5cb6e69749469d94a97fd026c8b9b39218b52a5b222f8a4

SHA512
0cdcfa1761afbf7e8dfae05f4384c584166e25d7bb22a69915a4a9dd1e46538dd8145c7b4514125f9f2e13d9ec64cb764a146e8ba1499f41656050a783402181

Download Submit