9c8bd1c417cbad1dde590a2eda1a120c225999ff2d1c7dd53749016b8167e881

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

imskirby-dog-video-skirby-dog-video-exposed.html
Size

235KB
MD5

284d08622bb86a160baba842204af506
SHA1

a714e8b8402bdf4d7d697eeacb975a9edb195341
SHA256

9c8bd1c417cbad1dde590a2eda1a120c225999ff2d1c7dd53749016b8167e881
SHA512

c9a30da8b8e7c78fba997823a9677bd25454b85b40f1a5fcb33dc569628392420e6eebd2454e1c9e73bbaa6cb66ba5beb0efb53e51091a68c8d598a1ddd7a2c7
SSDEEP

3072:T7lpjnRdmd9+l8CxlIdoW+oxVPIUYB6/J1f4BOMg:Xlpjnrmd9+KCxlIyW+oxdeg

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2308	msedge.exe
2308	msedge.exe
2724	msedge.exe
2724	msedge.exe
3484	identity_helper.exe
3484	identity_helper.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 1548	2724	msedge.exe	81
PID 2724 wrote to memory of 1548	2724	msedge.exe	81
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 1496	2724	msedge.exe	82
PID 2724 wrote to memory of 2308	2724	msedge.exe	83
PID 2724 wrote to memory of 2308	2724	msedge.exe	83
PID 2724 wrote to memory of 1364	2724	msedge.exe	84
PID 2724 wrote to memory of 1364	2724	msedge.exe	84
PID 2724 wrote to memory of 1364	2724	msedge.exe	84
PID 2724 wrote to memory of 1364	2724	msedge.exe	84
PID 2724 wrote to memory of 1364	2724	msedge.exe	84
PID 2724 wrote to memory of 1364	2724	msedge.exe	84
PID 2724 wrote to memory of 1364	2724	msedge.exe	84
PID 2724 wrote to memory of 1364	2724	msedge.exe	84
PID 2724 wrote to memory of 1364	2724	msedge.exe	84
PID 2724 wrote to memory of 1364	2724	msedge.exe	84
PID 2724 wrote to memory of 1364	2724	msedge.exe	84
PID 2724 wrote to memory of 1364	2724	msedge.exe	84
PID 2724 wrote to memory of 1364	2724	msedge.exe	84
PID 2724 wrote to memory of 1364	2724	msedge.exe	84
PID 2724 wrote to memory of 1364	2724	msedge.exe	84
PID 2724 wrote to memory of 1364	2724	msedge.exe	84
PID 2724 wrote to memory of 1364	2724	msedge.exe	84
PID 2724 wrote to memory of 1364	2724	msedge.exe	84
PID 2724 wrote to memory of 1364	2724	msedge.exe	84
PID 2724 wrote to memory of 1364	2724	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\imskirby-dog-video-skirby-dog-video-exposed.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffaab146f8,0x7fffaab14708,0x7fffaab14718
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,16805924961254325668,13862522343650481943,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,16805924961254325668,13862522343650481943,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,16805924961254325668,13862522343650481943,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
  2⤵
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16805924961254325668,13862522343650481943,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16805924961254325668,13862522343650481943,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16805924961254325668,13862522343650481943,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
  2⤵
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,16805924961254325668,13862522343650481943,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 /prefetch:8
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,16805924961254325668,13862522343650481943,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16805924961254325668,13862522343650481943,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16805924961254325668,13862522343650481943,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16805924961254325668,13862522343650481943,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
  2⤵
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16805924961254325668,13862522343650481943,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,16805924961254325668,13862522343650481943,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1760 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dabfafd78687947a9de64dd5b776d25f

SHA1
16084c74980dbad713f9d332091985808b436dea

SHA256
c7658f407cbe799282ef202e78319e489ed4e48e23f6d056b505bc0d73e34201

SHA512
dae1de5245cd9b72117c430250aa2029eb8df1b85dc414ac50152d8eba4d100bcf0320ac18446f865dc96949f8b06a5b9e7a0c84f9c1b0eada318e80f99f9d2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c39b3aa574c0c938c80eb263bb450311

SHA1
f4d11275b63f4f906be7a55ec6ca050c62c18c88

SHA256
66f8d413a30451055d4b6fa40e007197a4bb93a66a28ca4112967ec417ffab6c

SHA512
eeca2e21cd4d66835beb9812e26344c8695584253af397b06f378536ca797c3906a670ed239631729c96ebb93acfb16327cf58d517e83fb8923881c5fdb6d232

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
957e6a75bbb4887d80eaee2e2d15c133

SHA1
5477fc17c4d455a94962485727e7a1bc96f69baf

SHA256
47e40b965df3deea1ff9c7e903e6918475548cab0d333dfa3e7af26246886e5f

SHA512
48dff60d16df0f31a3ad263d51f8b004d673cb5afc414d3354b944570e1a2e3b2c945c0ccf6b21f87912bd57ac50d3bdc69e70c410f8a3533e89c347eeeca3b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
16ef309076a3b833e1edfec22f7ff1c7

SHA1
0288e84e3086823582efba2dd009f256d3c5931a

SHA256
3322e6e1797ea1d000868722062fe4cdfb2619cda5068512ed2838c36547cf0d

SHA512
847130df08ebb758c90f20afb8f49874618660978b0b1b25cea78d9b6fb9bb6978679d8377494a8569b4debcf02af8f4aff5d4e5c24a361e1a17073d94b7aa84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
71d869d61ac5e1bf4aeee42367412ee6

SHA1
2432ccb70dbd8772b8f0300c40864441cb4a9d1f

SHA256
1fb8877a598d403908bf247f151117340bc83c18c8682b3ffe917d992ed0119d

SHA512
a56e839ca5253a1968b09ea92cc13e074eb1ba23435121d0cf3bacfade3889af5d21c63c726deebf70c1ddf06cf19740d1d7e6be60531d04fe72242e2cc6e64f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5ab766e6d85ab94e2f2e21a36398e001

SHA1
9daea9d2d64b8fd24c78842a64005fe5353b3e7c

SHA256
ec5e5d826848145353531eba3c08e5fd74f6c1e1837efe4eb9261de78476fa9f

SHA512
31d4794c4a560cec50ff9c428c1bc417edaa43f1d78a06a651c16eed6eec89b4cd49b4d98995479d2d9c65f510697a2b29cbc6802454834fd86b1984a712db37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
51332930487c6a696db79db9af9aafa3

SHA1
79ae8b0e6359c0d31a76876dfee9e9ede4ec18a4

SHA256
f27339beee7ca3b9e8f34d01062db27e2b921dfc43293ee1885328dc39c3ce42

SHA512
71a393c62b58b6344af912e2bba67d3f15144921734c61eb47e1830661b92e40d17ce6ad42e3747db7877e08a7e64e7c524a25066aa2bef0e43762638f0877a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7bf00ce10c06ef1546d823d89bf53258

SHA1
512053e9e0114e45fae1c539be51fc55e8d21b50

SHA256
63747387f8deebcb4cdeaf6de4c8c3e779115392453120522d2c4e25d168eebb

SHA512
a102ceec870ccb8bd7dacff3dd8c9459a219ea9ada634942d2d69ee4b145dcb66f7bdc83ad5913f8ebc29db7caf4249905d946e5f84150988311cce2b8bb359c

Download Submit