be816ae17acef7fac10cf60bcee4f421f02849cc2101cbf7c63a08445fc3ffdd

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

question/editor/plugins/media.html
Size

1KB
MD5

a031b9efa8e1517f1eb98d57ff8777b5
SHA1

a908bd9dbfc3981419edbdb658f53edf2fd68513
SHA256

44312e60aff6269379a0c0cd754bcffeb50dce2a644b4dd225e02b5f2b82b55b
SHA512

5d23fa74ce8be4e06f521234bbd6d69cdeaf89887e592be1a2c3fae9bfcc3fc7dc3c7a970b2dea7a87318d88e894d0d97da2ee6da03f38b3137555a340ca6392

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4920	msedge.exe
4920	msedge.exe
2136	msedge.exe
2136	msedge.exe
1356	identity_helper.exe
1356	identity_helper.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 4424	2136	msedge.exe	81
PID 2136 wrote to memory of 4424	2136	msedge.exe	81
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 3760	2136	msedge.exe	82
PID 2136 wrote to memory of 4920	2136	msedge.exe	83
PID 2136 wrote to memory of 4920	2136	msedge.exe	83
PID 2136 wrote to memory of 932	2136	msedge.exe	84
PID 2136 wrote to memory of 932	2136	msedge.exe	84
PID 2136 wrote to memory of 932	2136	msedge.exe	84
PID 2136 wrote to memory of 932	2136	msedge.exe	84
PID 2136 wrote to memory of 932	2136	msedge.exe	84
PID 2136 wrote to memory of 932	2136	msedge.exe	84
PID 2136 wrote to memory of 932	2136	msedge.exe	84
PID 2136 wrote to memory of 932	2136	msedge.exe	84
PID 2136 wrote to memory of 932	2136	msedge.exe	84
PID 2136 wrote to memory of 932	2136	msedge.exe	84
PID 2136 wrote to memory of 932	2136	msedge.exe	84
PID 2136 wrote to memory of 932	2136	msedge.exe	84
PID 2136 wrote to memory of 932	2136	msedge.exe	84
PID 2136 wrote to memory of 932	2136	msedge.exe	84
PID 2136 wrote to memory of 932	2136	msedge.exe	84
PID 2136 wrote to memory of 932	2136	msedge.exe	84
PID 2136 wrote to memory of 932	2136	msedge.exe	84
PID 2136 wrote to memory of 932	2136	msedge.exe	84
PID 2136 wrote to memory of 932	2136	msedge.exe	84
PID 2136 wrote to memory of 932	2136	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\question\editor\plugins\media.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffea6ed46f8,0x7ffea6ed4708,0x7ffea6ed4718
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,15416183774406648216,99722441638585757,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,15416183774406648216,99722441638585757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,15416183774406648216,99722441638585757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15416183774406648216,99722441638585757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15416183774406648216,99722441638585757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:388
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,15416183774406648216,99722441638585757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  PID:1804
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,15416183774406648216,99722441638585757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15416183774406648216,99722441638585757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15416183774406648216,99722441638585757,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15416183774406648216,99722441638585757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15416183774406648216,99722441638585757,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:2604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,15416183774406648216,99722441638585757,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5504 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2928

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4a7278bef222b73324af40c30eaaa564

SHA1
5076eb93a592ff34ab5d941e379d389ca1044b56

SHA256
1edfe3b422b89f29a5347537b5fe4a2608c980581049fccaa835e4239a4849a9

SHA512
55b48b13cb4287fec44d88544ab758bc3071560b031d7697a870e656c65684422cf18ee19476374a63ec9aaf50cf16fafc8a059a400fb6dbbfdbf87996ee5aec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6b508a2987ea37bb923c059cf215a513

SHA1
277a20e9fc2760424966b44a3b5ea0ecf84f2e19

SHA256
1fbe3bdd026ade62dd4e50bc9457bf60623c602f8842cb58a9cb6ef1035b0ebd

SHA512
082463e218e75d02ed1dd64cf514b3add8867008632395ca41a489980f3bd36c7f9dfea45d0ee4da1efeeb5110659138f9a49900f5a0f53f6ecc1484151da952

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
658adb6dc0da4ba4a34f19e27ec8e5de

SHA1
5fac45253ca9a1dcf63888b89841990655805d71

SHA256
9f7f4d1ca1a14f84bf7354afcd1a0ccd2104b4c003c20e507550604357108cbf

SHA512
7445801265963897b06a16bd3c273f24290124515ac9137df833912307c3eb54f004caecce98cf233da9c34417fbd0e23d42b374d47425d293ce9a1d3e1a72c0

Download Submit