1369e64fb06d43fdd5cabee33cb3c4f734a5e4b6e388a8f2c808f8df5d275d1f

Analysis

max time kernel
1681s
max time network
1685s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
03/06/2024, 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sigma.bat
Size

155B
MD5

23a47d8f3f18b8e1f7fbea0215fd75ca
SHA1

3fb6fb3684c9cd0e565c8cfa4c8ba141573f61bd
SHA256

1369e64fb06d43fdd5cabee33cb3c4f734a5e4b6e388a8f2c808f8df5d275d1f
SHA512

cc340ba1aa1115fcaf8525a5f6491f316abb1e5c7bbc68a72ed249c804219b2d7f0c1e9a463897e23cd5b4790644886a180c387c59549f42e95204d6a124471b

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 705369.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4104	msedge.exe
4104	msedge.exe
4828	msedge.exe
4828	msedge.exe
4672	identity_helper.exe
4672	identity_helper.exe
780	msedge.exe
780	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 4828	784	cmd.exe	78
PID 784 wrote to memory of 4828	784	cmd.exe	78
PID 4828 wrote to memory of 1764	4828	msedge.exe	81
PID 4828 wrote to memory of 1764	4828	msedge.exe	81
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 3640	4828	msedge.exe	82
PID 4828 wrote to memory of 4104	4828	msedge.exe	83
PID 4828 wrote to memory of 4104	4828	msedge.exe	83
PID 4828 wrote to memory of 3836	4828	msedge.exe	84
PID 4828 wrote to memory of 3836	4828	msedge.exe	84
PID 4828 wrote to memory of 3836	4828	msedge.exe	84
PID 4828 wrote to memory of 3836	4828	msedge.exe	84
PID 4828 wrote to memory of 3836	4828	msedge.exe	84
PID 4828 wrote to memory of 3836	4828	msedge.exe	84
PID 4828 wrote to memory of 3836	4828	msedge.exe	84
PID 4828 wrote to memory of 3836	4828	msedge.exe	84
PID 4828 wrote to memory of 3836	4828	msedge.exe	84
PID 4828 wrote to memory of 3836	4828	msedge.exe	84
PID 4828 wrote to memory of 3836	4828	msedge.exe	84
PID 4828 wrote to memory of 3836	4828	msedge.exe	84
PID 4828 wrote to memory of 3836	4828	msedge.exe	84
PID 4828 wrote to memory of 3836	4828	msedge.exe	84
PID 4828 wrote to memory of 3836	4828	msedge.exe	84
PID 4828 wrote to memory of 3836	4828	msedge.exe	84
PID 4828 wrote to memory of 3836	4828	msedge.exe	84
PID 4828 wrote to memory of 3836	4828	msedge.exe	84

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sigma.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.python.org/ftp/python/3.12.3/python-3.12.3-amd64.exe
  2⤵
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff95a433cb8,0x7ff95a433cc8,0x7ff95a433cd8
    3⤵
    PID:1764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,8063001082549748832,3947665744396933268,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1956 /prefetch:2
    3⤵
    PID:3640
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,8063001082549748832,3947665744396933268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4104
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,8063001082549748832,3947665744396933268,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
    3⤵
    PID:3836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8063001082549748832,3947665744396933268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
    3⤵
    PID:3084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8063001082549748832,3947665744396933268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
    3⤵
    PID:1488
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,8063001082549748832,3947665744396933268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8063001082549748832,3947665744396933268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
    3⤵
    PID:5056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1944,8063001082549748832,3947665744396933268,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5580 /prefetch:8
    3⤵
    PID:2852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1944,8063001082549748832,3947665744396933268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8063001082549748832,3947665744396933268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
    3⤵
    PID:4072
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8063001082549748832,3947665744396933268,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
    3⤵
    PID:3124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8063001082549748832,3947665744396933268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1
    3⤵
    PID:1476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,8063001082549748832,3947665744396933268,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
    3⤵
    PID:5088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,8063001082549748832,3947665744396933268,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1864 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4560

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1e4ed4a50489e7fc6c3ce17686a7cd94

SHA1
eac4e98e46efc880605a23a632e68e2c778613e7

SHA256
fc9e8224722cb738d8b32420c05006de87161e1d28bc729b451759096f436c1a

SHA512
5c4e637ac4da37ba133cb1fba8fa2ff3e24fc4ca15433a94868f2b6e0259705634072e5563da5f7cf1fd783fa8fa0c584c00f319f486565315e87cdea8ed1c28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8ff8bdd04a2da5ef5d4b6a687da23156

SHA1
247873c114f3cc780c3adb0f844fc0bb2b440b6d

SHA256
09b7b20bfec9608a6d737ef3fa03f95dcbeaca0f25953503a321acac82a5e5ae

SHA512
5633ad84b5a003cd151c4c24b67c1e5de965fdb206b433ca759d9c62a4785383507cbd5aca92089f6e0a50a518c6014bf09a0972b4311464aa6a26f76648345e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
182B

MD5
032da7fe725e8d1e82c927eaee10ad1c

SHA1
da361bb3df3ab3be54f3422367bfd22cb525d036

SHA256
f7e523cc7678478ac7155a1330d12d3579eb12eb1be1f31f0c7686a05f0c4290

SHA512
d9b906d6710d0e786abf27b04f15cae8c9ed217477f12bd0d672a4020c35fa20b30239eb2b863f3974cde87b9c9885199902708006d054764f49455c3d53483b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
79f584665d12e5d40a79f574746b9254

SHA1
6413a5ae00e49048371c39a469ba62f88952928c

SHA256
7035e8877667f9106586f73b1f8ed32c8ac0333528451e55e0f77fa007900e4f

SHA512
4ba9007dc7b0349000b0446e21de3893c3dcef11459b2cc7fbd4cb4fe7e27d6ddff6eca2a47bfbf210651ad6e2c0d4a1a4b00f7e266c3fe99d2c5d6e86db481c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
21a38721fb4260c0de3c3b2dab598006

SHA1
2aac4afa323887c346f733468551e28c9c7ff173

SHA256
4005c27f06017813c96be1c2e91c8b15d693d59c0b3da35d888d862b48f89c61

SHA512
ffcba0677232bb4481be5286ccf0fecfba7acf268ee23bce2faa64f563143dd97cb2e8310338b7ca3e75cd64c827ac813322f0a28f3320676244fdc6e48dda4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
25c336b9f87b0c68593995962a383155

SHA1
cb414f4994a084c1fd37e4a40163048e649dc618

SHA256
dcf5360dc5b2d524561fc0928be73dc2bacb59cd9e943688cad04923d3913955

SHA512
1aaf97bce0b802ea2efe569395b2691fc60054b9d8ec9371d8750b1eed4691afb1a6a29309d0f737776fb14219a3cdc44578feb5c31883c040deeea5d6ee8b9a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 705369.crdownload

Filesize
25.5MB

MD5
c86949710e0471a065db970290819489

SHA1
b1207fba545a75841e2dbca2ad4f17b26414e0c1

SHA256
edfc6c84dc47eebd4fae9167e96ff5d9c27f8abaa779ee1deab9c3d964d0de3c

SHA512
0e19181bc121518b5ef154fecc57a837e73f36143b9cb51114bd3f54056bc09977abc1e4ef145a03344d9ad2b8e49faa483b4ef70e4176af2bc17a8e5a3cd4ac

Download Submit