Analysis
- max time kernel: 145s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-05-2024 18:04
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://www.google.com/&q=EgTAGggEGNmuvbIGIik5gCHZG-xl4P7-OErkFuHA9Hq7RBSFqDYo_biGbWnAw_N-kqKL9balaDIBcloBQw
Resource: win10v2004-20240426-en
General
- Target: https://www.google.com/&q=EgTAGggEGNmuvbIGIik5gCHZG-xl4P7-OErkFuHA9Hq7RBSFqDYo_biGbWnAw_N-kqKL9balaDIBcloBQw
Malware Config
Signatures
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: msedge.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: msedge.exe, identity_helper.exe
  pid | process | entries
  1712 | msedge.exe | 2
  3496 | msedge.exe | 2
  3764 | identity_helper.exe | 2
  912 | msedge.exe | 4
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  Processes: msedge.exe
  pid | process | entries
  3496 | msedge.exe | 6
- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes: msedge.exe
  pid | process | entries
  3496 | msedge.exe | 25
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes: msedge.exe
  pid | process | entries
  3496 | msedge.exe | 24
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: msedge.exe
  description | pid | process | target process | entries
  PID 3496 wrote to memory of 3396 | 3496 | msedge.exe | msedge.exe | 2
  PID 3496 wrote to memory of 5108 | 3496 | msedge.exe | msedge.exe | 40
  PID 3496 wrote to memory of 1712 | 3496 | msedge.exe | msedge.exe | 2
  PID 3496 wrote to memory of 1000 | 3496 | msedge.exe | msedge.exe | 20
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3496)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/&q=EgTAGggEGNmuvbIGIik5gCHZG-xl4P7-OErkFuHA9Hq7RBSFqDYo_biGbWnAw_N-kqKL9balaDIBcloBQw
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3396)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ffda88e46f8,0x7ffda88e4708,0x7ffda88e4718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5108)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,17910271158271946167,10464060098447134316,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1980 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1712)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,17910271158271946167,10464060098447134316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2560 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1000)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,17910271158271946167,10464060098447134316,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5028)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,17910271158271946167,10464060098447134316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5056)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,17910271158271946167,10464060098447134316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3732)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,17910271158271946167,10464060098447134316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3764)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,17910271158271946167,10464060098447134316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4604)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,17910271158271946167,10464060098447134316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2708)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,17910271158271946167,10464060098447134316,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2112)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,17910271158271946167,10464060098447134316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1592)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,17910271158271946167,10464060098447134316,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 912)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,17910271158271946167,10464060098447134316,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1292 /prefetch:2
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe (PID 4020)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 1276)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: ae54e9db2e89f2c54da8cc0bfcbd26bd
  SHA1: a88af6c673609ecbc51a1a60dfbc8577830d2b5d
  SHA256: 5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af
  SHA512: e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: f53207a5ca2ef5c7e976cbb3cb26d870
  SHA1: 49a8cc44f53da77bb3dfb36fc7676ed54675db43
  SHA256: 19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23
  SHA512: be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 394B
  MD5: 13a7257a4a106ce779950019e705c37a
  SHA1: 3ee8bf897386c54020e6c62eb988021ae1bec1c3
  SHA256: a00658b7262b0a87f252e25c05066d33ad2a2dfaf8d6152851e9a5492d31c6a7
  SHA512: 43d2a82104147636219a3ef025e5ac08a5fd91ec83f005f09ce2cbda9ee7d7f5f9d3672d3ff94f2c811c2cec0aacbe59eab0349723766200083a26ce9a542efe
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: 29df0c8c67da2b7e1d9123d120132887
  SHA1: 1fdfb32ef3cb8392a313b128d9071bed8abfd74c
  SHA256: 7f1c6fcc32c2f6f8926f1f73c8ab941a8ec84341073d09e14b4dc08ea431bb5b
  SHA512: 3dc25bf8469eb13f3349f7946f6d8cd9e265a3c079da8d43d5b83de2bbe2b649686936dbc5c21f62b43806196131d2ba6c00793cfe9354759e941aabc970b529
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: f7f29229a91d5b38ec8b53be9548bc9a
  SHA1: 64970ab7d5621120f4b07aa62e31eb673261ff75
  SHA256: 58ba0dfa14bd7fb0ca8ea0e5a359d941cd81b0abf3e249fb43748c1e5fc46067
  SHA512: 3d8b4b7c3585ec962d0769751c1d3be5c5ac775f4ecd77a22d315f13ec28909bb4b358c6d627675267b27f7d66d34ff893001b8bb82dafd1a7963b3b5c300570
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: b58fc42a2f1f8b8fd0ba44feca312a46
  SHA1: e70cf5d06d7a565d6be010d14631cf5767774932
  SHA256: 597d6f2b141fdf8d48ef3e341add898bf43286fd7108189f7119438ebd8e9074
  SHA512: 929271ee931cada3982aae1186187c3c55ba19003d21526367ce2ca88b97860fab02e50136e3421016420a27505122dcabe6db07b9fbd6d4ef0dca65654b02af
- \??\pipe\LOCAL\crashpad_3496_KVZKGFMGQKQCXLYQ
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e