Analysis
- max time kernel: 145s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
- submitted: 12/06/2024, 23:44
Static task: static1
Behavioral task: behavioral1
- Sample: Methanol windows client remote1.html
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: Methanol windows client remote1.html
- Resource: win10v2004-20240611-en
General
- Target: Methanol windows client remote1.html
- Size: 56KB
- MD5: 3dcf50b9787963b279a1c319274cb6c2
- SHA1: 04f420d3b5f7b9d3e7e86dc0cd4ceafcc10ec537
- SHA256: dc2f45cca462adb58c69e10367df8e82373edebaf7582649bb63924230b66877
- SHA512: 4439ed459205222547614ea419f3a70e05c7f100716341ad015726902f0b3b1c66825e7ac30497fd1df66dcc7e3cce18af006d8f888e36981a1d09c75ea233fb
- SSDEEP: 768:gKjUxC8iR+VxbtXfA69vx5Q+A5QekbnXvM0+Z6xeg1PuVw:zjCCp+VxbxfVx5DWlkbXx+Exn12Vw
Malware Config
Signatures
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                    Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid   Process              entries
  1476  msedge.exe           2
  4496  msedge.exe           2
  3476  identity_helper.exe  2
  1836  msedge.exe           4
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  pid   Process     entries
  4496  msedge.exe  6
- Suspicious use of FindShellTrayWindow (25 IoCs)
  pid   Process     entries
  4496  msedge.exe  25
- Suspicious use of SendNotifyMessage (24 IoCs)
  pid   Process     entries
  4496  msedge.exe  24
- Suspicious use of WriteProcessMemory (64 IoCs)
  description                        pid   Process     procid_target  entries
  PID 4496 wrote to memory of 3188   4496  msedge.exe  81             2
  PID 4496 wrote to memory of 652    4496  msedge.exe  82             40
  PID 4496 wrote to memory of 1476   4496  msedge.exe  83             2
  PID 4496 wrote to memory of 3688   4496  msedge.exe  84             20
Processes
- [level 1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Methanol windows client remote1.html
  PID: 4496
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - [level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc111646f8,0x7ffc11164708,0x7ffc11164718
    PID: 3188
  - [level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,13196737267087146597,7722223315835414738,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
    PID: 652
  - [level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,13196737267087146597,7722223315835414738,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
    PID: 1476
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - [level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,13196737267087146597,7722223315835414738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
    PID: 3688
  - [level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13196737267087146597,7722223315835414738,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
    PID: 1936
  - [level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13196737267087146597,7722223315835414738,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
    PID: 2016
  - [level 2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,13196737267087146597,7722223315835414738,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
    PID: 1700
  - [level 2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,13196737267087146597,7722223315835414738,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
    PID: 3476
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - [level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13196737267087146597,7722223315835414738,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
    PID: 2692
  - [level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13196737267087146597,7722223315835414738,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
    PID: 4636
  - [level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13196737267087146597,7722223315835414738,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
    PID: 1844
  - [level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13196737267087146597,7722223315835414738,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
    PID: 3344
  - [level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,13196737267087146597,7722223315835414738,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2988 /prefetch:2
    PID: 1836
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
- [level 1] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4344
- [level 1] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2560
Network
MITRE ATT&CK Enterprise v15
Downloads