e04bdafc01429711c069136a2caa54cf8b20d2cee700e576569de57f09a2f3c6

Resubmissions

17-06-2024 15:23

240617-ssg2ysvekg 1

14-06-2024 14:59

14-06-2024 14:57

14-06-2024 14:38

14-06-2024 14:35

14-06-2024 14:33

12-06-2024 15:02

Analysis

max time kernel
1787s
max time network
1686s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
14-06-2024 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Run desktop apps online.html
Size

704KB
MD5

635f65de088d30a34365421858161354
SHA1

c974e333c2851cc4e54132f0d5f4b133e1d2f468
SHA256

e04bdafc01429711c069136a2caa54cf8b20d2cee700e576569de57f09a2f3c6
SHA512

1d5dcfe9478960a6ac174c1b9d0c304f4f6dfbb725aaa94e737fc5155db061881c4c887d82cf8c327f32edd53af943b38dcb251e4eaac964b535a338b01656ef
SSDEEP

6144:BwG+iY07vK2VAB671FszYJT1oj8lEKHZ98eROPx0yFTpM3vn0VuFs16DFktUAY5C:BwG+iY0ZR8OyFTIu7oGt

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2380	msedge.exe
2380	msedge.exe
124	msedge.exe
124	msedge.exe
1016	identity_helper.exe
1016	identity_helper.exe
4732	msedge.exe
4732	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
124	msedge.exe
124	msedge.exe
124	msedge.exe
124	msedge.exe
124	msedge.exe
124	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
124	msedge.exe
124	msedge.exe
124	msedge.exe
124	msedge.exe
124	msedge.exe
124	msedge.exe
124	msedge.exe
124	msedge.exe
124	msedge.exe
124	msedge.exe
124	msedge.exe
124	msedge.exe
124	msedge.exe
124	msedge.exe
124	msedge.exe
124	msedge.exe
124	msedge.exe
124	msedge.exe
124	msedge.exe
124	msedge.exe
124	msedge.exe
124	msedge.exe
124	msedge.exe
124	msedge.exe
124	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
124	msedge.exe
124	msedge.exe
124	msedge.exe
124	msedge.exe
124	msedge.exe
124	msedge.exe
124	msedge.exe
124	msedge.exe
124	msedge.exe
124	msedge.exe
124	msedge.exe
124	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 124 wrote to memory of 4028	124	msedge.exe	78
PID 124 wrote to memory of 4028	124	msedge.exe	78
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2236	124	msedge.exe	79
PID 124 wrote to memory of 2380	124	msedge.exe	80
PID 124 wrote to memory of 2380	124	msedge.exe	80
PID 124 wrote to memory of 488	124	msedge.exe	81
PID 124 wrote to memory of 488	124	msedge.exe	81
PID 124 wrote to memory of 488	124	msedge.exe	81
PID 124 wrote to memory of 488	124	msedge.exe	81
PID 124 wrote to memory of 488	124	msedge.exe	81
PID 124 wrote to memory of 488	124	msedge.exe	81
PID 124 wrote to memory of 488	124	msedge.exe	81
PID 124 wrote to memory of 488	124	msedge.exe	81
PID 124 wrote to memory of 488	124	msedge.exe	81
PID 124 wrote to memory of 488	124	msedge.exe	81
PID 124 wrote to memory of 488	124	msedge.exe	81
PID 124 wrote to memory of 488	124	msedge.exe	81
PID 124 wrote to memory of 488	124	msedge.exe	81
PID 124 wrote to memory of 488	124	msedge.exe	81
PID 124 wrote to memory of 488	124	msedge.exe	81
PID 124 wrote to memory of 488	124	msedge.exe	81
PID 124 wrote to memory of 488	124	msedge.exe	81
PID 124 wrote to memory of 488	124	msedge.exe	81
PID 124 wrote to memory of 488	124	msedge.exe	81
PID 124 wrote to memory of 488	124	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Run desktop apps online.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe7d273cb8,0x7ffe7d273cc8,0x7ffe7d273cd8
  2⤵
  PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,6465293791520908741,9262563986840894033,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,6465293791520908741,9262563986840894033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,6465293791520908741,9262563986840894033,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2504 /prefetch:8
  2⤵
  PID:488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6465293791520908741,9262563986840894033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6465293791520908741,9262563986840894033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:2948
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,6465293791520908741,9262563986840894033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6465293791520908741,9262563986840894033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6465293791520908741,9262563986840894033,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,6465293791520908741,9262563986840894033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4072 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6465293791520908741,9262563986840894033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6465293791520908741,9262563986840894033,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,6465293791520908741,9262563986840894033,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4308 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ade01a8cdbbf61f66497f88012a684d1

SHA1
9ff2e8985d9a101a77c85b37c4ac9d4df2525a1f

SHA256
f49e20af78caf0d737f6dbcfc5cc32701a35eb092b3f0ab24cf339604cb049b5

SHA512
fa024bd58e63402b06503679a396b8b4b1bc67dc041d473785957f56f7d972317ec8560827c8008989d2754b90e23fc984a85ed7496f05cb4edc2d8000ae622b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d0f84c55517d34a91f12cccf1d3af583

SHA1
52bd01e6ab1037d31106f8bf6e2552617c201cea

SHA256
9a24c67c3ec89f5cf8810eba1fdefc7775044c71ed78a8eb51c8d2225ad1bc4c

SHA512
94764fe7f6d8c182beec398fa8c3a1948d706ab63121b8c9f933eef50172c506a1fd015172b7b6bac898ecbfd33e00a4a0758b1c8f2f4534794c39f076cd6171

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5ddf40238e72ab5897243af41e866c70

SHA1
a47cced70c006b01d992b16e0ccabe3a08165ed9

SHA256
68566eb053e0cca48f44d00bc15fbbbee68d21b80d8ad0b66a6aece2534ea557

SHA512
ae82125bbbb5abc8909bd7b54213b280d875c86cde63fad451a8179dfd3af76fb892f8a0bd869d95050c390351bd59ffccabe4e6fd08cd6a8ec35d12231efdd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d17ad034834424195a2a5ead6d8de260

SHA1
196b30318b8fcab71d1a29ba74dbbbb152b67528

SHA256
67a7f9e21d94043d9052142e3f737015af638f7c2c650ed1e8756c9e0c39cfa4

SHA512
02f9d829a05eda97d063ff3b7820b6acf459bfefceed9f746e0f0d08b4f40d76623b63366d1ff07b7ca2dfeefcfb92e5f36ddc795669e19612c9a7826139f8f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
ee4ed734b9c0f5fbfd3d92b77040312a

SHA1
0b789d75ba9c716422f0fa9739f0dfe050a0aee0

SHA256
0f6de1837ebaeba1c04508a3c9091a7f161be73d44e4f94782571b55952afaf6

SHA512
38d0519e60c4ea8d8db4818707611c1fc4138f94682467365376f7be37840161c7f650f8f4dcfd70cc9661dd891a66a380e9e18acd4c58fa566a75a7445e7557

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
820a4991233fa2c384793834e8ac8d83

SHA1
1bae8046dac4f08f7d09c4894714c86069c2eab9

SHA256
397de7f1d92512fa5b1371874950818c84cb757ca9f5c432dc6e876dd04d8172

SHA512
7e2d810c46453b99a561cd5a5b4c88097bd0502b4eae7b4aac90cc173b382efb3a3c72364a1ffcae602a3420b0063aefea6dc138eebd7f7fef3416cdb5ccb300

Download Submit