e3697831bcd29abfaf0a2b7d74b5b42d0ebaef5625f45b617170bfeeade8af70

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$SMPROGRAMS/ַ/155ɫվ.lnk
Size

350B
MD5

2eefc9c46f6597c7b8e425f8c2130e64
SHA1

4dbcb7c15a8624c9054debd1261963a35ccf8d74
SHA256

7756423e3de11499438968c53aeb575285995045b33832d601612512dc9e2424
SHA512

2226a924ccebfa75d3e6927d64c58917e27b57ae2af3fc658126902f511c3ea3c4f362306a7eeb6073445d3de48b125453756121d1ed3e694b5e44a5fdc23efc

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1328	msedge.exe
1328	msedge.exe
3480	msedge.exe
3480	msedge.exe
4528	identity_helper.exe
4528	identity_helper.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4024 wrote to memory of 3480	4024	cmd.exe	86
PID 4024 wrote to memory of 3480	4024	cmd.exe	86
PID 3480 wrote to memory of 944	3480	msedge.exe	88
PID 3480 wrote to memory of 944	3480	msedge.exe	88
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 2364	3480	msedge.exe	89
PID 3480 wrote to memory of 1328	3480	msedge.exe	90
PID 3480 wrote to memory of 1328	3480	msedge.exe	90
PID 3480 wrote to memory of 3648	3480	msedge.exe	91
PID 3480 wrote to memory of 3648	3480	msedge.exe	91
PID 3480 wrote to memory of 3648	3480	msedge.exe	91
PID 3480 wrote to memory of 3648	3480	msedge.exe	91
PID 3480 wrote to memory of 3648	3480	msedge.exe	91
PID 3480 wrote to memory of 3648	3480	msedge.exe	91
PID 3480 wrote to memory of 3648	3480	msedge.exe	91
PID 3480 wrote to memory of 3648	3480	msedge.exe	91
PID 3480 wrote to memory of 3648	3480	msedge.exe	91
PID 3480 wrote to memory of 3648	3480	msedge.exe	91
PID 3480 wrote to memory of 3648	3480	msedge.exe	91
PID 3480 wrote to memory of 3648	3480	msedge.exe	91
PID 3480 wrote to memory of 3648	3480	msedge.exe	91
PID 3480 wrote to memory of 3648	3480	msedge.exe	91
PID 3480 wrote to memory of 3648	3480	msedge.exe	91
PID 3480 wrote to memory of 3648	3480	msedge.exe	91
PID 3480 wrote to memory of 3648	3480	msedge.exe	91
PID 3480 wrote to memory of 3648	3480	msedge.exe	91

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$SMPROGRAMS\ַ\155ɫվ.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.soft155.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd156546f8,0x7ffd15654708,0x7ffd15654718
    3⤵
    PID:944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,13894656052491202198,1573575840488588370,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
    3⤵
    PID:2364
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,13894656052491202198,1573575840488588370,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1328
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,13894656052491202198,1573575840488588370,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
    3⤵
    PID:3648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13894656052491202198,1573575840488588370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
    3⤵
    PID:3236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13894656052491202198,1573575840488588370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
    3⤵
    PID:3680
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13894656052491202198,1573575840488588370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2168 /prefetch:1
    3⤵
    PID:3368
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,13894656052491202198,1573575840488588370,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
    3⤵
    PID:2264
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,13894656052491202198,1573575840488588370,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4528
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13894656052491202198,1573575840488588370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
    3⤵
    PID:744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13894656052491202198,1573575840488588370,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
    3⤵
    PID:1772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13894656052491202198,1573575840488588370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
    3⤵
    PID:3628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13894656052491202198,1573575840488588370,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
    3⤵
    PID:3232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,13894656052491202198,1573575840488588370,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5016 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bafce9e4c53a0cb85310891b6b21791b

SHA1
5d70027cc137a7cbb38f5801b15fd97b05e89ee2

SHA256
71fb546b5d2210a56e90b448ee10120cd92c518c8f79fb960f01b918f89f2b00

SHA512
c0e4d3eccc0135ac92051539a18f64b8b8628cfe74e5b019d4f8e1dcbb51a9b49c486a1523885fe6be53da7118c013852e753c26a5490538c1e721fd0188836c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a499254d6b5d91f97eb7a86e5f8ca573

SHA1
03dbfebfec8c94a9c06f9b0cd81ebe0a2b8be3d1

SHA256
fb87b758c2b98989df851380293ff6786cb9a5cf2b3a384cec70d9f3eb064499

SHA512
d7adcc76d0470bcd68d7644de3c8d2b6d61df8485979a4752ceea3df4d85bd1c290f72b3d8d5c8d639d5a10afa48d80e457f76b44dd8107ac97eb80fd98c7b0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
4c4217789fab7eb9f0a6a0916b1d8596

SHA1
1209b3ef5784ae4ccba870fca4541b1286614861

SHA256
210616e0dd119ee52d5796930ba52967a0d9ad899ca67c3c644add978e0f7828

SHA512
c57eab83925994bce7ff59873d02f0bf210c0751f39bd99f9d95a57b13ee8235e06babf6b230dfb9298dacde8bff718efdbae9152bddc4d28e1bed1241e05a58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
250B

MD5
b2e0750ceb4d0b6276de759f1c8d6c07

SHA1
f9c7eac47a6870c8b13ef493731c27fa6cc43a0e

SHA256
f0700da49f577aa4928fe0b7d3f7e4d82809ecd75af282889c44286835d24b1e

SHA512
360113c41b4425e9ffd31b822eac2fd02c577cc99afff545241d28beb4c0e4c07235b8a19b822a2994acf531116f5aa6b782f5dff8c2dbf9632382112db1de23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
08076776a0ddee03ad32efb149248c21

SHA1
a964385fee739fcd0ab41713f449c6dcb6dd5c75

SHA256
5e87c92956c7e8f28b2e823c233d07cf8446d1d4a72347b3da7443bc06bf2959

SHA512
6d11c4a29f3672233e13fd1a0fe83b2badfb0baad133b3f1b097d3dcc43331aef7b6719473627b061791dcc01950a13caf1c60da44d06718b473b11962bbc2d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f3426bf306b5f63a9a2a880c17c703cc

SHA1
f560de1eb861ab34e1e1248c0765e76a199e286d

SHA256
54dfd4029c7e4be04082b81426030dfa30102f5b0df04c57a3feb84e8453195c

SHA512
e93825d37aa5a9b95147f0b51eefa55a419bf92331d0212d8eae14f177b391053eb74109511944e37f27aa9e4141dc13173be2b790419af014c66256c44e4b09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8f58adc86154726340530b26b4b5c273

SHA1
b5d165a860542760229c90022814e88d697cb973

SHA256
8d8f017b9a376f186952b2b8332f64a990e47e70f5167d33efa454280cd95406

SHA512
bbf89976be349a004b8087f5c26454ec2eac192e8dfcca312d89731654f110998e9eafab5e3069e5e60dc4b607ab72dddf1c75f49fe47917d4857f4c3a5bf71f

Download Submit