hxxps://fabischau1[.]github[.]io/FAAntivira/FADownloadProtection[.]exe

Analysis

max time kernel
13s
max time network
17s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
04-07-2024 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://fabischau1.github.io/FAAntivira/FADownloadProtection.exe

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2108	msedge.exe
2108	msedge.exe
244	msedge.exe
244	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
244	msedge.exe
244	msedge.exe
244	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 244 wrote to memory of 2092	244	msedge.exe	77
PID 244 wrote to memory of 2092	244	msedge.exe	77
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 1920	244	msedge.exe	78
PID 244 wrote to memory of 2108	244	msedge.exe	79
PID 244 wrote to memory of 2108	244	msedge.exe	79
PID 244 wrote to memory of 856	244	msedge.exe	80
PID 244 wrote to memory of 856	244	msedge.exe	80
PID 244 wrote to memory of 856	244	msedge.exe	80
PID 244 wrote to memory of 856	244	msedge.exe	80
PID 244 wrote to memory of 856	244	msedge.exe	80
PID 244 wrote to memory of 856	244	msedge.exe	80
PID 244 wrote to memory of 856	244	msedge.exe	80
PID 244 wrote to memory of 856	244	msedge.exe	80
PID 244 wrote to memory of 856	244	msedge.exe	80
PID 244 wrote to memory of 856	244	msedge.exe	80
PID 244 wrote to memory of 856	244	msedge.exe	80
PID 244 wrote to memory of 856	244	msedge.exe	80
PID 244 wrote to memory of 856	244	msedge.exe	80
PID 244 wrote to memory of 856	244	msedge.exe	80
PID 244 wrote to memory of 856	244	msedge.exe	80
PID 244 wrote to memory of 856	244	msedge.exe	80
PID 244 wrote to memory of 856	244	msedge.exe	80
PID 244 wrote to memory of 856	244	msedge.exe	80
PID 244 wrote to memory of 856	244	msedge.exe	80
PID 244 wrote to memory of 856	244	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://fabischau1.github.io/FAAntivira/FADownloadProtection.exe
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9a35f3cb8,0x7ff9a35f3cc8,0x7ff9a35f3cd8
  2⤵
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,1957035759512111177,13021051890048632070,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,1957035759512111177,13021051890048632070,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,1957035759512111177,13021051890048632070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
  2⤵
  PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,1957035759512111177,13021051890048632070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,1957035759512111177,13021051890048632070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:3776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,1957035759512111177,13021051890048632070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
  2⤵
  PID:4388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d56e8f308a28ac4183257a7950ab5c89

SHA1
044969c58cef041a073c2d132fa66ccc1ee553fe

SHA256
0bc24451c65457abc1e4e340be2f8faceae6b6ec7768a21d44bcd14636543bae

SHA512
fd5798559f4025ec3408f5550b8671d394b1ec83b85fdac8c005b0cc3e183272bdd07db15a156a572c9c5e5798badf235dc10aae62a052efa8dd9dfdbdca8189

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f2eb94e31cadfb6eb07e6bbe61ef7ae

SHA1
3f42b0d5a90408689e7f7941f8db72a67d5a2eab

SHA256
d222c8e3b19cda2657629a486faf32962e016fc66561ce0d17010afdb283c9de

SHA512
9f7f84149885b851e0bf7173c540e466a2b2eb9907d8b608f60360933328cc75d9d1b63640ea4ecc1e64ecc5dd7ee74d82903f96a8b4418ca56296641a8c0703

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c4b21214a7a0f665e7f07bbc90bb8df7

SHA1
0df8ccdfcf72df84dc1645e55659f642319a5ad1

SHA256
1aa795f9cae950267a87516916a0316d28821442919864c6a150429dd18f524c

SHA512
d5f30325ed774a4035581c38a04381bac0a7eff80336441634383baf1d2bb109ba24cff07dbc91f90f9eda9d727f334f4bc7d1d2f5a9ccbe95111c62e17ee8a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
246ca261544405a833e24136634f28a8

SHA1
ad2b7ec7b8fdeac86fe45962dbcc50de4b236b12

SHA256
7c0fe15cdb5064aa09e135c62e091c3681f4ed5975b3a6309ba27673b922f947

SHA512
40a23fb767d10c4fe2891266b1c0fada0d79b8c6c416df780bdd143ca7bdc63bcbe46d5570e31eb658c8d42fe8b2a35633272828dc6869fb615ca0ce758a728b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
57b630e125245954084677e8c8949c95

SHA1
8e11317032c542fb6b64bbe274733cc0050da07b

SHA256
0196b7fab33601b8b68837e3a0b1736214bff3381ca95694d0660f2dfdd561a1

SHA512
fcb684694963b5ba86571949b291543b2669df4bc9ad910950299f362de866f846f0648c087558423cf86916efcd230f17bf0a4f08395391d41e5f18906d9aad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit