df3b824b5daa03558d0e1ecc3b48bdb910adf752f9b4681ff0db3fab8866462b

Analysis

max time kernel
31s
max time network
33s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
15-06-2024 14:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup_v1.2.1.exe
Size

43.6MB
MD5

c8406a477792b1a7c645d5b82ebeba73
SHA1

fec1b9c625fbea997a99f8f6aeeb24451b85dce0
SHA256

df3b824b5daa03558d0e1ecc3b48bdb910adf752f9b4681ff0db3fab8866462b
SHA512

8d1845a3567d52ee8466e3ad1f8f310a02da84033afb6004166d6a2d178cf947fc3ed0d1ffb6abecc226d90442de899d6840706bb044f30b3ada162138242705
SSDEEP

196608:vq22KXdSP+15Cj09ktWCFU2s4S0Td9+RsOl8NfpcPFIKXxWDtt86fh:i2hXdb1GWC639SAsOl8NfpcPaKQDT

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4324	msedge.exe
4324	msedge.exe
4056	msedge.exe
4056	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4056 wrote to memory of 988	4056	msedge.exe	82
PID 4056 wrote to memory of 988	4056	msedge.exe	82
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 1532	4056	msedge.exe	83
PID 4056 wrote to memory of 4324	4056	msedge.exe	84
PID 4056 wrote to memory of 4324	4056	msedge.exe	84
PID 4056 wrote to memory of 660	4056	msedge.exe	85
PID 4056 wrote to memory of 660	4056	msedge.exe	85
PID 4056 wrote to memory of 660	4056	msedge.exe	85
PID 4056 wrote to memory of 660	4056	msedge.exe	85
PID 4056 wrote to memory of 660	4056	msedge.exe	85
PID 4056 wrote to memory of 660	4056	msedge.exe	85
PID 4056 wrote to memory of 660	4056	msedge.exe	85
PID 4056 wrote to memory of 660	4056	msedge.exe	85
PID 4056 wrote to memory of 660	4056	msedge.exe	85
PID 4056 wrote to memory of 660	4056	msedge.exe	85
PID 4056 wrote to memory of 660	4056	msedge.exe	85
PID 4056 wrote to memory of 660	4056	msedge.exe	85
PID 4056 wrote to memory of 660	4056	msedge.exe	85
PID 4056 wrote to memory of 660	4056	msedge.exe	85
PID 4056 wrote to memory of 660	4056	msedge.exe	85
PID 4056 wrote to memory of 660	4056	msedge.exe	85
PID 4056 wrote to memory of 660	4056	msedge.exe	85
PID 4056 wrote to memory of 660	4056	msedge.exe	85
PID 4056 wrote to memory of 660	4056	msedge.exe	85
PID 4056 wrote to memory of 660	4056	msedge.exe	85

C:\Users\Admin\AppData\Local\Temp\Setup_v1.2.1.exe
"C:\Users\Admin\AppData\Local\Temp\Setup_v1.2.1.exe"
1⤵
PID:3720

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb97403cb8,0x7ffb97403cc8,0x7ffb97403cd8
  2⤵
  PID:988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,754821246595242142,992963880047451671,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1872 /prefetch:2
  2⤵
  PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1840,754821246595242142,992963880047451671,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1840,754821246595242142,992963880047451671,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
  2⤵
  PID:660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,754821246595242142,992963880047451671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,754821246595242142,992963880047451671,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,754821246595242142,992963880047451671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,754821246595242142,992963880047451671,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4248 /prefetch:1
  2⤵
  PID:3524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0d84d1490aa9f725b68407eab8f0030e

SHA1
83964574467b7422e160af34ef024d1821d6d1c3

SHA256
40c09bb0248add089873d1117aadefb46c1b4e23241ba4621f707312de9c829e

SHA512
f84552335ff96b5b4841ec26e222c24af79b6d0271d27ad05a9dfcee254a7b9e9019e7fac0def1245a74754fae81f7126499bf1001615073284052aaa949fa00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0c705388d79c00418e5c1751159353e3

SHA1
aaeafebce5483626ef82813d286511c1f353f861

SHA256
697bd270be634688c48210bee7c5111d7897fd71a6af0bbb2141cefd2f8e4a4d

SHA512
c1614e79650ab9822c4e175ba528ea4efadc7a6313204e4e69b4a9bd06327fb92f56fba95f2595885b1604ca8d8f6b282ab542988995c674d89901da2bc4186f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
aa4fb012929212ac73b038a469bfb427

SHA1
39b827d020f35138905c7122ffdd622aba0a5473

SHA256
eebcbe6e12a56f7e3287fcc1f59e1a3e2fcf90ce203f51eba127b73235a974ce

SHA512
321100a4d00e382542a2807e41d2e247185cb78d9d629d18d7a6a17595273fe0ff63f309c34186e30db56e3aa3c3c3ddc4c9385ec9eaafa3cb6049058f65220d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e2672812c911044c433cd2df63a4a415

SHA1
e70d12b444bb812fc0b66fe2a62f45281000e128

SHA256
f2ef1d6c901be1ad54b810cf7c55ff36d1366e1d1bf6c6f2fbe4071c19f6e8b2

SHA512
bef3c88897ae07962c5d751146c7d0c1c125eefb17c4700a485a6a8b248d99b7046ae1b0fce86a2cdadfd26c851098ab773a931c2ef7bc4e7287229fac82be9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
76e626ccb7215e47713a398641ead75f

SHA1
7e25b61444f1a765d2841b3b8128480e0186e1c0

SHA256
3c8763bd4f7cca3144447c386c55837e6a9ada6f0194ccdbad43fc3db053b77a

SHA512
2571a631aea7c0dc3405c4b877c38547af781d7a207f466205447169b050600c4e7ec626b325309c6631323c727ae9918dbbf78e80f8701924429be8291e1874

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
memory/3720-0-0x00007FF6D0B50000-0x00007FF6D379F000-memory.dmp

Filesize
44.3MB

Download
memory/3720-23-0x00007FF6D0B50000-0x00007FF6D379F000-memory.dmp

Filesize
44.3MB

Download
memory/3720-96-0x00007FF6D0B50000-0x00007FF6D379F000-memory.dmp

Filesize
44.3MB

Download