b860f598a2550bb42b2aa77aed81e106cd36c50975a71b8288871ae61482e7a0

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$FAVORITES/°Ù¶ÈËÑË÷.url
Size

216B
MD5

ea47d4327c78dd3003c5a68d2584ab95
SHA1

33b81f6611537bcf0ecae9472a14ec9a3c0ef584
SHA256

9fc516a75a7c24580bdebe99fa106b37173ecd25f5ff8060db9fe03cdba64f53
SHA512

f77fd30a2c8529ab6ffbf037a3f7a9a4c5e6c6bf9c161fb532786108bd34a8ff85b22b277036a05ac97b4d6dde3d23cee0eebaa457980442a469c25d06e06542

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2372	msedge.exe
2372	msedge.exe
2728	msedge.exe
2728	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2728	msedge.exe
2728	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2728	2856	rundll32.exe	83
PID 2856 wrote to memory of 2728	2856	rundll32.exe	83
PID 2728 wrote to memory of 1364	2728	msedge.exe	85
PID 2728 wrote to memory of 1364	2728	msedge.exe	85
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 644	2728	msedge.exe	86
PID 2728 wrote to memory of 2372	2728	msedge.exe	87
PID 2728 wrote to memory of 2372	2728	msedge.exe	87
PID 2728 wrote to memory of 2572	2728	msedge.exe	88
PID 2728 wrote to memory of 2572	2728	msedge.exe	88
PID 2728 wrote to memory of 2572	2728	msedge.exe	88
PID 2728 wrote to memory of 2572	2728	msedge.exe	88
PID 2728 wrote to memory of 2572	2728	msedge.exe	88
PID 2728 wrote to memory of 2572	2728	msedge.exe	88
PID 2728 wrote to memory of 2572	2728	msedge.exe	88
PID 2728 wrote to memory of 2572	2728	msedge.exe	88
PID 2728 wrote to memory of 2572	2728	msedge.exe	88
PID 2728 wrote to memory of 2572	2728	msedge.exe	88
PID 2728 wrote to memory of 2572	2728	msedge.exe	88
PID 2728 wrote to memory of 2572	2728	msedge.exe	88
PID 2728 wrote to memory of 2572	2728	msedge.exe	88
PID 2728 wrote to memory of 2572	2728	msedge.exe	88
PID 2728 wrote to memory of 2572	2728	msedge.exe	88
PID 2728 wrote to memory of 2572	2728	msedge.exe	88
PID 2728 wrote to memory of 2572	2728	msedge.exe	88
PID 2728 wrote to memory of 2572	2728	msedge.exe	88

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\$FAVORITES\°Ù¶ÈËÑË÷.url
1⤵
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.baidu.com/index.php?tn=dh234_pg
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8330046f8,0x7ff833004708,0x7ff833004718
    3⤵
    PID:1364
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,5086884617407637337,535078857407204510,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
    3⤵
    PID:644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,5086884617407637337,535078857407204510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,5086884617407637337,535078857407204510,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:8
    3⤵
    PID:2572
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5086884617407637337,535078857407204510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
    3⤵
    PID:1616
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5086884617407637337,535078857407204510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
    3⤵
    PID:2352
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,5086884617407637337,535078857407204510,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4984 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3564

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1488

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\4a5b2d59-63eb-4486-bbf2-ba2adf11f235.tmp

Filesize
11KB

MD5
bfb7efc953834640246eeaa7b8d6a27a

SHA1
01891c0e39262a6f2579bb798c67135eb265704b

SHA256
49489f4c29c1e0b43ac89d9c91e11390fc25f7eb42655e16337f7b82f241a53e

SHA512
3aec7bc200b2a26ab11cfd07a449f4a34e297ec50bb9702625e353731130efea43ddf89c6d7b164c185c6a6d1fc321432f6ab74c33069383a455a48ad2d24440

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c5abc082d9d9307e797b7e89a2f755f4

SHA1
54c442690a8727f1d3453b6452198d3ec4ec13df

SHA256
a055d69c6aba59e97e632d118b7960a5fdfbe35cfdfaa0de14f194fc6f874716

SHA512
ad765cddbf89472988de5356db5e0ee254ca3475491c6034fba1897c373702ab7cfa4bd21662ab862eebb48a757c3eb86b1f8ed58629751f71863822a59cd26c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b4a74bc775caf3de7fc9cde3c30ce482

SHA1
c6ed3161390e5493f71182a6cb98d51c9063775d

SHA256
dfad4e020a946f85523604816a0a9781091ee4669c870db2cabab027f8b6f280

SHA512
55578e254444a645f455ea38480c9e02599ebf9522c32aca50ff37aad33976db30e663d35ebe31ff0ecafb4007362261716f756b3a0d67ac3937ca62ff10e25f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
ef19a9a81c14285da8b7960e93a956d7

SHA1
9f1925de2abd853886c02568063012420670043e

SHA256
0b940d8915a022992c23a14d91347b49d7fc9cda48b153bfb154cf0174c1f815

SHA512
3a89e612fe6bcab8677837e62dd7b2546920393bbb5ecd1e224556e6a8c7d8af6a97137caf0bd3e42d2b70b8d1157da6b124ea70982dd069f34f5265c1522b69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
184B

MD5
e07c35e0086b77ec93f2266861152c7d

SHA1
97bf1f4bb085ae1dbca944da62895381bcef8835

SHA256
4da5337dcfdd9a385475af0bf9c4841fcb75add192013d61e8b6677322cb0c73

SHA512
5c788928f59801e39653dc11bbc5f068ad7485c519cc92c490c01d3133c45d494ee327710cd4833e6c11c5795dc77a1689e8936f990a913602c5bf8f6153ce8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ff676d2257e968e889da4c2997d0895b

SHA1
4a14cd290b279f986088cbedae6b0ba6a12eb853

SHA256
b81b26edc68c06f59a3c5eec74b431b84af2c68982202137d745777e4989bd68

SHA512
c118ed375e95c39b9cf92a4ce88982dc0048869786b067a9a665d6654132899b254db129a0c37e9654b6e4a19bf364732bc80e0409dc20c154a80c9413218cce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3ee5168917e19bff2719ffc164d4e208

SHA1
1b8008a70069c4c740202742e55ca906eb5abf54

SHA256
dea28a2af1af5538441c6963e2112ae960c49ad3eb94ed36c76e8b166791d4a7

SHA512
27895c560f5aadaabcfd7d60224d58b460ab6195dc9d324da46bd9a1e2a23c115c4a307504953d6269e80d385dd715a10f77ef289a6b0e304146a39cb25492e6

Download Submit