967ec8e1d3686291bba20935f756c246af134ca2d93422757f44ebae0dccfc6c

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Invoice SI-0001874.htm
Size

12KB
MD5

096305c50c5b77b5e6f276d7901baa45
SHA1

bb2ca59bd1de191c2677a465cb34d0d1f252867a
SHA256

192fef547e7361112a1edacd188c0a3275d56cb0e69d0e13e21d29294c0d333b
SHA512

824deab50079a4b1084a76f1330fd6f4a9b882c12a70090c04b872338eb14b06071930dc9d78fb21899617c4c0a52766bbbef486860d7963094d1f8b31607b12
SSDEEP

192:f2FI5a1JNnYTrD2G4RzwvOTVUY/t4IYwaPgAtY:GKwRcvjyt4xwF

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2004	msedge.exe
2004	msedge.exe
2388	msedge.exe
2388	msedge.exe
2212	identity_helper.exe
2212	identity_helper.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 4780	2388	msedge.exe	83
PID 2388 wrote to memory of 4780	2388	msedge.exe	83
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 1784	2388	msedge.exe	84
PID 2388 wrote to memory of 2004	2388	msedge.exe	85
PID 2388 wrote to memory of 2004	2388	msedge.exe	85
PID 2388 wrote to memory of 5108	2388	msedge.exe	86
PID 2388 wrote to memory of 5108	2388	msedge.exe	86
PID 2388 wrote to memory of 5108	2388	msedge.exe	86
PID 2388 wrote to memory of 5108	2388	msedge.exe	86
PID 2388 wrote to memory of 5108	2388	msedge.exe	86
PID 2388 wrote to memory of 5108	2388	msedge.exe	86
PID 2388 wrote to memory of 5108	2388	msedge.exe	86
PID 2388 wrote to memory of 5108	2388	msedge.exe	86
PID 2388 wrote to memory of 5108	2388	msedge.exe	86
PID 2388 wrote to memory of 5108	2388	msedge.exe	86
PID 2388 wrote to memory of 5108	2388	msedge.exe	86
PID 2388 wrote to memory of 5108	2388	msedge.exe	86
PID 2388 wrote to memory of 5108	2388	msedge.exe	86
PID 2388 wrote to memory of 5108	2388	msedge.exe	86
PID 2388 wrote to memory of 5108	2388	msedge.exe	86
PID 2388 wrote to memory of 5108	2388	msedge.exe	86
PID 2388 wrote to memory of 5108	2388	msedge.exe	86
PID 2388 wrote to memory of 5108	2388	msedge.exe	86
PID 2388 wrote to memory of 5108	2388	msedge.exe	86
PID 2388 wrote to memory of 5108	2388	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Invoice SI-0001874.htm
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabe2646f8,0x7ffabe264708,0x7ffabe264718
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,14412485952971068628,17986336708514922189,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
  2⤵
  PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,14412485952971068628,17986336708514922189,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,14412485952971068628,17986336708514922189,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,14412485952971068628,17986336708514922189,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,14412485952971068628,17986336708514922189,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:4132
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,14412485952971068628,17986336708514922189,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  PID:1544
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,14412485952971068628,17986336708514922189,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,14412485952971068628,17986336708514922189,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
  2⤵
  PID:824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,14412485952971068628,17986336708514922189,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:2608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,14412485952971068628,17986336708514922189,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
  2⤵
  PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,14412485952971068628,17986336708514922189,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,14412485952971068628,17986336708514922189,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5860 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4160

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dabfafd78687947a9de64dd5b776d25f

SHA1
16084c74980dbad713f9d332091985808b436dea

SHA256
c7658f407cbe799282ef202e78319e489ed4e48e23f6d056b505bc0d73e34201

SHA512
dae1de5245cd9b72117c430250aa2029eb8df1b85dc414ac50152d8eba4d100bcf0320ac18446f865dc96949f8b06a5b9e7a0c84f9c1b0eada318e80f99f9d2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c39b3aa574c0c938c80eb263bb450311

SHA1
f4d11275b63f4f906be7a55ec6ca050c62c18c88

SHA256
66f8d413a30451055d4b6fa40e007197a4bb93a66a28ca4112967ec417ffab6c

SHA512
eeca2e21cd4d66835beb9812e26344c8695584253af397b06f378536ca797c3906a670ed239631729c96ebb93acfb16327cf58d517e83fb8923881c5fdb6d232

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
974B

MD5
98495ac8b36d254708197ee84fa950cf

SHA1
9f9edbf598d3bdb65bc360afdf315a04db6acb08

SHA256
b38187cbb8ea00a6cfc255326ec19f306d53fe4c9a64ca15fc6927bbc253ffa7

SHA512
08731284670d6c3cc6fb670beebeb1af6f4452c473cdcf8c4e08dbfa0f2c0d52fbb6b2a0618cda7a16d1ef0e88a82933651909564eedb84157b3f3bcc9f7a6fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
12eb5280e91c6a80a8745bcc58399fad

SHA1
b4d3e2cc57e6a85c94075c82b33031fc53f1d13e

SHA256
86cedff408c8778d6c9209d5408f571288832203a141ad97c98b992560504639

SHA512
060884f61cf0edef368d8e69ab83dae2eff18be31128414f20f398f3e04c95c318f902028802bfcfcdc8a399927484b2d3045daa49b55aea76194ee0fe4a5f68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
eddec81bbacd821059e49d2877b07aee

SHA1
9ecf83fd287ff6984dc41e08414a0ec38d9592e1

SHA256
82bd6de12dbea0a356e2f454d3e135a673cf8bf5deab34fddcc5880fa147c69c

SHA512
c5e21a1affff0eede335aafbee31a8b631907ac82d398ea4d6cea6e58b83604ab7abf9a2f99b19b24e2d12f420c79b128b44202a044d82dadf83197470a45182

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
675f3fd4dd6554455e0ea0c30408eac0

SHA1
b8592c30af6737f309bcfadfe6d080eef391e443

SHA256
46e0317be92e0943cfc576adf8265c49001ebb6b402ca07c2eef609c3ab40ac9

SHA512
e9626be144c1d9584fd0bcbceb1fd3fd28b58bb9858977c39a9d73282d2b22e84cbb2a8dc0f248c92d5aa38c1953e41193eabf1e276f2128c824e9b60f1d67eb

Download Submit