hxxps://lh6[.]googleusercontent[.]com/CQu-payj8BZfv1RNSO7XIVpkKmtVObbdOetnjQlONKzdaz-wZ1fucO7KLzGVr-tDxaZ0OEcUEyo=w1200-h630-p

Resubmissions

23-05-2024 18:04

240523-wnsvfabc3z 1

Analysis

max time kernel
26s
max time network
29s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
23-05-2024 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://lh6.googleusercontent.com/CQu-payj8BZfv1RNSO7XIVpkKmtVObbdOetnjQlONKzdaz-wZ1fucO7KLzGVr-tDxaZ0OEcUEyo=w1200-h630-p

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid process

3356 msedge.exe
3356 msedge.exe
1480 msedge.exe
1480 msedge.exe
2260 identity_helper.exe
2260 identity_helper.exe
4412 msedge.exe
4412 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

1480 msedge.exe
1480 msedge.exe
1480 msedge.exe
1480 msedge.exe
1480 msedge.exe
1480 msedge.exe

pid	process
3356	msedge.exe
3356	msedge.exe
1480	msedge.exe
1480	msedge.exe
2260	identity_helper.exe
2260	identity_helper.exe
4412	msedge.exe
4412	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

msedge.exe

pid	process
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1480 wrote to memory of 1868	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 1868	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3608	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3356	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3356	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4048	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4048	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4048	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4048	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4048	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4048	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4048	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4048	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4048	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4048	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4048	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4048	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4048	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4048	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4048	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4048	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4048	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4048	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4048	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4048	1480	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://lh6.googleusercontent.com/CQu-payj8BZfv1RNSO7XIVpkKmtVObbdOetnjQlONKzdaz-wZ1fucO7KLzGVr-tDxaZ0OEcUEyo=w1200-h630-p
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe7ce53cb8,0x7ffe7ce53cc8,0x7ffe7ce53cd8
2⤵
PID:1868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,10584862638236732110,14608827722382794870,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
2⤵
PID:3608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,10584862638236732110,14608827722382794870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,10584862638236732110,14608827722382794870,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8
2⤵
PID:4048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10584862638236732110,14608827722382794870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
2⤵
PID:1884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10584862638236732110,14608827722382794870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
2⤵
PID:904

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,10584862638236732110,14608827722382794870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10584862638236732110,14608827722382794870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
2⤵
PID:4500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10584862638236732110,14608827722382794870,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
2⤵
PID:2588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10584862638236732110,14608827722382794870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
2⤵
PID:4928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10584862638236732110,14608827722382794870,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
2⤵
PID:4836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,10584862638236732110,14608827722382794870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ade01a8cdbbf61f66497f88012a684d1

SHA1
9ff2e8985d9a101a77c85b37c4ac9d4df2525a1f

SHA256
f49e20af78caf0d737f6dbcfc5cc32701a35eb092b3f0ab24cf339604cb049b5

SHA512
fa024bd58e63402b06503679a396b8b4b1bc67dc041d473785957f56f7d972317ec8560827c8008989d2754b90e23fc984a85ed7496f05cb4edc2d8000ae622b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d0f84c55517d34a91f12cccf1d3af583

SHA1
52bd01e6ab1037d31106f8bf6e2552617c201cea

SHA256
9a24c67c3ec89f5cf8810eba1fdefc7775044c71ed78a8eb51c8d2225ad1bc4c

SHA512
94764fe7f6d8c182beec398fa8c3a1948d706ab63121b8c9f933eef50172c506a1fd015172b7b6bac898ecbfd33e00a4a0758b1c8f2f4534794c39f076cd6171

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
404B

MD5
c1245dafa2e94f7b767a7b513050fb07

SHA1
3fda5b9539d4a2bd28cb8088d51fd3f77d292944

SHA256
b650bd7c760fe8c302898e6a7c8cd34b7cb4e5a4d39c6c33f1f834035c04fbeb

SHA512
6b563cab62a0e147cc13e6567ca574881f4b82ef8a3aa6970adaf11aa69f047d6f2517d0fd2299bdaf0b3cf8134ba34643256d79fb22c05bb07451a1d4b501e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
4542c4ca8415a06498c631ea91b2ffd1

SHA1
da06f47650c2ddff2971ef9fe5e830e22520d9e8

SHA256
652f001e15dbeb9701f14060849971dbcdb2fa3d6b9a0beaa23839ecfb35eb6f

SHA512
119240cb7a6b301f5282d180ef83cb3e7e9afc5bd0640bb52e465360a25ed80957cb58252b7a3a1e6049d07d3a793c4ea485f5c41ba0f653b475e5e3262af70e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
6689c08663798a2e276ea6e2b330ab5a

SHA1
ecc55dc69058148f7f5c9f2a8431cc76eedf756b

SHA256
7d592dfc1e8ce2c04e85dbdfb40408c5a0692eb8e747c564d81b71c543d2d69f

SHA512
56b9ca92cdf735c1b99365d638a3b96350b183e1b3b8655e07e276df77eff239d894130a68fa61d8d4cb7fed8e330a7dcfbe080dad6df2080bc075e7e9c25850

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
e9f9d8a194fd180e28dae5f9b53c2647

SHA1
55208e832313bf115648dc989831e78fda91ae75

SHA256
f5b8f5197fed79bed89a5e44a497d006c55d8136126fac10e43b24665c048a89

SHA512
d27b1e9c413b82a43a2a66e615712f2dfc3c402cddee2db121ee86bbcea7e2ea3aaa907baa927a38595e47b6a658187a47fda795051afb859802e6b4cddc0bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
0f3d23878d17728683cbe05d10b68ee9

SHA1
0947c3f8f3b1de6cb71c8cc135cdfa2ab085aac0

SHA256
c434019f1d694a1acc7a68ba45010bd672ad457c3d6d5bcc19d33303429c331d

SHA512
15cdd012f46a27d1c584dcbb2625c832d9dd56cc548cfab3850726587ac2a9eb66b24509cf70addeec4e2fc8ff6cc6d619217aa40574c56d0b72c178de166540

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\f32d1eaf-49e2-469c-a7d1-c6a6ac8a1d3a.tmp
Filesize
11KB

MD5
bf5cd33ba092f8799f561f7ebd96b167

SHA1
5e5b6502094bff8604e8e6117dac999f08bc23ad

SHA256
68ffae33dd8ddeca9516295877ba0c6d2f0f494374a4f477f502269630437255

SHA512
065978e4c5f3d95379fae826a2e21a7f1ef26f70d171eadac6b6b8d7217214d22ce6a6fb779765e644cbc79275a4c8ebbceab3c79645c3cfccaa2a251d1e0fb1

Download Submit
\??\pipe\LOCAL\crashpad_1480_JURVYDSXLTKXJAMK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit