hxxps://amalaj7[.]medium[.]com/tflite-pose-estimation-using-movenet-thunder-8d1192424b29

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://amalaj7.medium.com/tflite-pose-estimation-using-movenet-thunder-8d1192424b29

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2592	msedge.exe
2592	msedge.exe
1168	msedge.exe
1168	msedge.exe
3924	identity_helper.exe
3924	identity_helper.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 3236	1168	msedge.exe	82
PID 1168 wrote to memory of 3236	1168	msedge.exe	82
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2492	1168	msedge.exe	83
PID 1168 wrote to memory of 2592	1168	msedge.exe	84
PID 1168 wrote to memory of 2592	1168	msedge.exe	84
PID 1168 wrote to memory of 1488	1168	msedge.exe	85
PID 1168 wrote to memory of 1488	1168	msedge.exe	85
PID 1168 wrote to memory of 1488	1168	msedge.exe	85
PID 1168 wrote to memory of 1488	1168	msedge.exe	85
PID 1168 wrote to memory of 1488	1168	msedge.exe	85
PID 1168 wrote to memory of 1488	1168	msedge.exe	85
PID 1168 wrote to memory of 1488	1168	msedge.exe	85
PID 1168 wrote to memory of 1488	1168	msedge.exe	85
PID 1168 wrote to memory of 1488	1168	msedge.exe	85
PID 1168 wrote to memory of 1488	1168	msedge.exe	85
PID 1168 wrote to memory of 1488	1168	msedge.exe	85
PID 1168 wrote to memory of 1488	1168	msedge.exe	85
PID 1168 wrote to memory of 1488	1168	msedge.exe	85
PID 1168 wrote to memory of 1488	1168	msedge.exe	85
PID 1168 wrote to memory of 1488	1168	msedge.exe	85
PID 1168 wrote to memory of 1488	1168	msedge.exe	85
PID 1168 wrote to memory of 1488	1168	msedge.exe	85
PID 1168 wrote to memory of 1488	1168	msedge.exe	85
PID 1168 wrote to memory of 1488	1168	msedge.exe	85
PID 1168 wrote to memory of 1488	1168	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://amalaj7.medium.com/tflite-pose-estimation-using-movenet-thunder-8d1192424b29
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffeecf46f8,0x7fffeecf4708,0x7fffeecf4718
  2⤵
  PID:3236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,14564763675586199566,13994185585873652468,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
  2⤵
  PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,14564763675586199566,13994185585873652468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,14564763675586199566,13994185585873652468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
  2⤵
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,14564763675586199566,13994185585873652468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,14564763675586199566,13994185585873652468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:1208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,14564763675586199566,13994185585873652468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,14564763675586199566,13994185585873652468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:8
  2⤵
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,14564763675586199566,13994185585873652468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,14564763675586199566,13994185585873652468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  2⤵
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,14564763675586199566,13994185585873652468,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,14564763675586199566,13994185585873652468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,14564763675586199566,13994185585873652468,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
  2⤵
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,14564763675586199566,13994185585873652468,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5436 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
477462b6ad8eaaf8d38f5e3a4daf17b0

SHA1
86174e670c44767c08a39cc2a53c09c318326201

SHA256
e6bbd4933b9baa1df4bb633319174de07db176ec215e71c8568d27c5c577184d

SHA512
a0acc2ef7fd0fcf413572eeb94d1e38aa6a682195cc03d6eaaaa0bc9e5f4b2c0033da0b835f4617aebc52069d0a10b52fc31ed53c2fe7943a480b55b7481dd4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b704c9ca0493bd4548ac9c69dc4a4f27

SHA1
a3e5e54e630dabe55ca18a798d9f5681e0620ba7

SHA256
2ebd5229b9dc642afba36a27c7ac12d90196b1c50985c37e94f4c17474e15411

SHA512
69c8116fb542b344a8c55e2658078bd3e0d3564b1e4c889b072dbc99d2b070dacbc4394dedbc22a4968a8cf9448e71f69ec71ded018c1bacc0e195b3b3072d32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6ed6d41e9f08eed1655856ed575ca40c

SHA1
31959036bbee08c776c333d2d6ac222f9eb969db

SHA256
d9e0fd8d1d573867f4aeccded03f1bf0736d2d080ccf834c427b2bbf4d7f36cb

SHA512
e5dbfe8c0469ab9e908bfad060fd3e16fbc89d56351604a67eee1ad40329c0823b67b8f50fa2ebddb77233a7bc9977d6cfdf05c4642892afd6b8aa4ab548b5b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
565af6fbb0a719b8a7ba14042a4ac725

SHA1
77a2599ca90d193c072dff1a871208d7f29316c1

SHA256
19a38bb5b26f587c060360beb1ac2de1212662efaf7ca55ed4df62efdae93b9a

SHA512
261a47272e49740a427e1b7387fcafae3d41bd8c472c34cc74cbce7dc08d50a792365e788006c6a0725cb71289de23ef85ceb165a1042bbc24884bb617269dd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9c7aaee1ba44d1335ba3d174b7f80726

SHA1
eaca36baaf85fdfc3683b2bdd5abae02c5370823

SHA256
1dfb032ce746a1ca2304f9473f0e6b5c2a182da23e5aba6b18a84e0845231684

SHA512
add9a022fa68c878f92ca75d6311a7fb9fe35eac7bb4b52b774d0eda12848391583b1f7558e4515bc5292b815af24759a6fa4921bf22562fcdc9a4440cefd179

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
19b3ba25923766f5bee7428c1c0db178

SHA1
3e62ee76d423ac2132e1352f25612eefed9f5921

SHA256
4a82bf6588cab767f60ab5688217691beaf7a54639e586ff0bb1771ecc1143b0

SHA512
023f8dcce501b32a8c291d3306eef0de24fa5f2de47b88b50865cca4fc6ae98f36b2b0e9bd444f655d3c0262be8e440839c661481af8a6e1eadb3614249c37fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f2fb2937321bbfb8894df5c37003fe52

SHA1
5ad54204ddaedddba1f413f09d94493c9e40f5a8

SHA256
e0cb6c88889fb3e569f3a40ff241358876be959b6159dfa0b4f95f297e8219b1

SHA512
6f4116e4a0209feb20c020501c649956a20d7ec8d5928d66aeebfb0ed52f477a01fea3cd5ca6f5f2586d29231eea80646ff0a4ec3eafc2b3bae442727e271b2a

Download Submit