Analysis
- max time kernel: 151s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-06-2024 12:23
Behavioral task: behavioral1
- Sample: unam.exe
- Resource: win10v2004-20240426-en
General
- Target: unam.exe
- Size: 129.3MB
- MD5: 9b9dbfc1da565ff50d7869c68d12178d
- SHA1: e8c7e312d9848f95f17d72f45403ce0159777444
- SHA256: 17c277605769ede5442963fa5cad409a03c23077c34f9ed6a1f72835154294d3
- SHA512: 66491d4084594d0e4bbea3ac0224c691f43a023a45313056138d8494aeb80062ffba5f9c213fdc3b1b0ed07f38806d10bd3a39c80b872e45aaa824be7fb72751
- SSDEEP: 3145728:bajeamjoC0MCr7jkS4aJwVlwV7iGYQ07SLjl:baaamEC0MQkiv7i92
Malware Config
Signatures
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                     Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName    msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                      msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   msedge.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process
  4444  msedge.exe
  4444  msedge.exe
  5076  msedge.exe
  5076  msedge.exe
  3612  identity_helper.exe
  3612  identity_helper.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  pid   Process
  5076  msedge.exe   (7 identical rows)
- Suspicious use of FindShellTrayWindow (25 IoCs)
  pid   Process
  5076  msedge.exe   (25 identical rows)
- Suspicious use of SendNotifyMessage (24 IoCs)
  pid   Process
  5076  msedge.exe   (24 identical rows)
- Suspicious use of WriteProcessMemory (64 IoCs)
  description                        pid   Process     procid_target   rows
  PID 5076 wrote to memory of 3768   5076  msedge.exe  100             2
  PID 5076 wrote to memory of 740    5076  msedge.exe  101             40
  PID 5076 wrote to memory of 4444   5076  msedge.exe  102             2
  PID 5076 wrote to memory of 2128   5076  msedge.exe  103             20
Processes
- C:\Users\Admin\AppData\Local\Temp\unam.exe
  "C:\Users\Admin\AppData\Local\Temp\unam.exe"
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:5076
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ffaeba746f8,0x7ffaeba74708,0x7ffaeba74718
    PID:3768
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,11735344209726023138,11517211612726638307,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
    PID:740
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,11735344209726023138,11517211612726638307,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID:4444
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,11735344209726023138,11517211612726638307,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
    PID:2128
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,11735344209726023138,11517211612726638307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
    PID:1900
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,11735344209726023138,11517211612726638307,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
    PID:1196
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,11735344209726023138,11517211612726638307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
    PID:4132
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,11735344209726023138,11517211612726638307,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
    PID:2696
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,11735344209726023138,11517211612726638307,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
    PID:4456
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,11735344209726023138,11517211612726638307,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID:3612
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,11735344209726023138,11517211612726638307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
    PID:400
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,11735344209726023138,11517211612726638307,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1
    PID:1624
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,11735344209726023138,11517211612726638307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
    PID:3652
- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:764
- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:4692
Network
MITRE ATT&CK Enterprise v15
Downloads