Resubmissions
23-05-2024 18:04  240523-wnsvfabc3z
Analysis
max time kernel: 26s
max time network: 29s
platform: windows11-21h2_x64
resource: win11-20240419-en
resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 23-05-2024 18:04
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://lh6.googleusercontent.com/CQu-payj8BZfv1RNSO7XIVpkKmtVObbdOetnjQlONKzdaz-wZ1fucO7KLzGVr-tDxaZ0OEcUEyo=w1200-h630-p
  Resource: win10v2004-20240426-en
Behavioral task: behavioral2
  Sample: https://lh6.googleusercontent.com/CQu-payj8BZfv1RNSO7XIVpkKmtVObbdOetnjQlONKzdaz-wZ1fucO7KLzGVr-tDxaZ0OEcUEyo=w1200-h630-p
  Resource: win11-20240419-en
General
Target: https://lh6.googleusercontent.com/CQu-payj8BZfv1RNSO7XIVpkKmtVObbdOetnjQlONKzdaz-wZ1fucO7KLzGVr-tDxaZ0OEcUEyo=w1200-h630-p
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
  description        ioc                                                                    process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: msedge.exe, msedge.exe, identity_helper.exe, msedge.exe
  pid   process
  3356  msedge.exe           (2 entries)
  1480  msedge.exe           (2 entries)
  2260  identity_helper.exe  (2 entries)
  4412  msedge.exe           (2 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
Processes: msedge.exe
  pid   process
  1480  msedge.exe  (6 identical entries)

Suspicious use of FindShellTrayWindow (26 IoCs)
Processes: msedge.exe
  pid   process
  1480  msedge.exe  (26 identical entries)

Suspicious use of SendNotifyMessage (12 IoCs)
Processes: msedge.exe
  pid   process
  1480  msedge.exe  (12 identical entries)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: msedge.exe
  description                       pid   process     target process
  PID 1480 wrote to memory of 1868  1480  msedge.exe  msedge.exe
  PID 1480 wrote to memory of 3608  1480  msedge.exe  msedge.exe
  PID 1480 wrote to memory of 3356  1480  msedge.exe  msedge.exe
  PID 1480 wrote to memory of 4048  1480  msedge.exe  msedge.exe
  (64 entries in total; each source/target pair above repeats, with 3608 and 4048 by far the most frequent targets)
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1480)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://lh6.googleusercontent.com/CQu-payj8BZfv1RNSO7XIVpkKmtVObbdOetnjQlONKzdaz-wZ1fucO7KLzGVr-tDxaZ0OEcUEyo=w1200-h630-p
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1868, child of 1480)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe7ce53cb8,0x7ffe7ce53cc8,0x7ffe7ce53cd8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3608, child of 1480)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,10584862638236732110,14608827722382794870,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3356, child of 1480)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,10584862638236732110,14608827722382794870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
      Signatures:
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4048, child of 1480)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,10584862638236732110,14608827722382794870,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1884, child of 1480)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10584862638236732110,14608827722382794870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 904, child of 1480)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10584862638236732110,14608827722382794870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe  (PID 2260, child of 1480)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,10584862638236732110,14608827722382794870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
      Signatures:
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4500, child of 1480)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10584862638236732110,14608827722382794870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2588, child of 1480)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10584862638236732110,14608827722382794870,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4928, child of 1480)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10584862638236732110,14608827722382794870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4836, child of 1480)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10584862638236732110,14608827722382794870,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4412, child of 1480)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,10584862638236732110,14608827722382794870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
      Signatures:
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe  (PID 4760)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  (PID 3948)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5:    ade01a8cdbbf61f66497f88012a684d1
  SHA1:   9ff2e8985d9a101a77c85b37c4ac9d4df2525a1f
  SHA256: f49e20af78caf0d737f6dbcfc5cc32701a35eb092b3f0ab24cf339604cb049b5
  SHA512: fa024bd58e63402b06503679a396b8b4b1bc67dc041d473785957f56f7d972317ec8560827c8008989d2754b90e23fc984a85ed7496f05cb4edc2d8000ae622b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5:    d0f84c55517d34a91f12cccf1d3af583
  SHA1:   52bd01e6ab1037d31106f8bf6e2552617c201cea
  SHA256: 9a24c67c3ec89f5cf8810eba1fdefc7775044c71ed78a8eb51c8d2225ad1bc4c
  SHA512: 94764fe7f6d8c182beec398fa8c3a1948d706ab63121b8c9f933eef50172c506a1fd015172b7b6bac898ecbfd33e00a4a0758b1c8f2f4534794c39f076cd6171

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 404B
  MD5:    c1245dafa2e94f7b767a7b513050fb07
  SHA1:   3fda5b9539d4a2bd28cb8088d51fd3f77d292944
  SHA256: b650bd7c760fe8c302898e6a7c8cd34b7cb4e5a4d39c6c33f1f834035c04fbeb
  SHA512: 6b563cab62a0e147cc13e6567ca574881f4b82ef8a3aa6970adaf11aa69f047d6f2517d0fd2299bdaf0b3cf8134ba34643256d79fb22c05bb07451a1d4b501e9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5:    4542c4ca8415a06498c631ea91b2ffd1
  SHA1:   da06f47650c2ddff2971ef9fe5e830e22520d9e8
  SHA256: 652f001e15dbeb9701f14060849971dbcdb2fa3d6b9a0beaa23839ecfb35eb6f
  SHA512: 119240cb7a6b301f5282d180ef83cb3e7e9afc5bd0640bb52e465360a25ed80957cb58252b7a3a1e6049d07d3a793c4ea485f5c41ba0f653b475e5e3262af70e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5:    6689c08663798a2e276ea6e2b330ab5a
  SHA1:   ecc55dc69058148f7f5c9f2a8431cc76eedf756b
  SHA256: 7d592dfc1e8ce2c04e85dbdfb40408c5a0692eb8e747c564d81b71c543d2d69f
  SHA512: 56b9ca92cdf735c1b99365d638a3b96350b183e1b3b8655e07e276df77eff239d894130a68fa61d8d4cb7fed8e330a7dcfbe080dad6df2080bc075e7e9c25850

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5:    e9f9d8a194fd180e28dae5f9b53c2647
  SHA1:   55208e832313bf115648dc989831e78fda91ae75
  SHA256: f5b8f5197fed79bed89a5e44a497d006c55d8136126fac10e43b24665c048a89
  SHA512: d27b1e9c413b82a43a2a66e615712f2dfc3c402cddee2db121ee86bbcea7e2ea3aaa907baa927a38595e47b6a658187a47fda795051afb859802e6b4cddc0bff

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5:    46295cac801e5d4857d09837238a6394
  SHA1:   44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5:    206702161f94c5cd39fadd03f4014d98
  SHA1:   bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5:    0f3d23878d17728683cbe05d10b68ee9
  SHA1:   0947c3f8f3b1de6cb71c8cc135cdfa2ab085aac0
  SHA256: c434019f1d694a1acc7a68ba45010bd672ad457c3d6d5bcc19d33303429c331d
  SHA512: 15cdd012f46a27d1c584dcbb2625c832d9dd56cc548cfab3850726587ac2a9eb66b24509cf70addeec4e2fc8ff6cc6d619217aa40574c56d0b72c178de166540

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\f32d1eaf-49e2-469c-a7d1-c6a6ac8a1d3a.tmp
  Filesize: 11KB
  MD5:    bf5cd33ba092f8799f561f7ebd96b167
  SHA1:   5e5b6502094bff8604e8e6117dac999f08bc23ad
  SHA256: 68ffae33dd8ddeca9516295877ba0c6d2f0f494374a4f477f502269630437255
  SHA512: 065978e4c5f3d95379fae826a2e21a7f1ef26f70d171eadac6b6b8d7217214d22ce6a6fb779765e644cbc79275a4c8ebbceab3c79645c3cfccaa2a251d1e0fb1

\??\pipe\LOCAL\crashpad_1480_JURVYDSXLTKXJAMK
  (no filesize recorded; the digests below are the well-known hashes of empty input, i.e. nothing was captured from this pipe)
  MD5:    d41d8cd98f00b204e9800998ecf8427e
  SHA1:   da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e