hxxps://docs[.]google[.]com/document/d/1ktY2L4_bRrsgUV8EglWCd_LR9d3n1nPsN4le8NI8eTk/edit?usp=drive_web

Analysis

max time kernel
48s
max time network
50s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
10/07/2024, 15:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://docs.google.com/document/d/1ktY2L4_bRrsgUV8EglWCd_LR9d3n1nPsN4le8NI8eTk/edit?usp=drive_web

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4288	msedge.exe
4288	msedge.exe
3112	msedge.exe
3112	msedge.exe
3356	msedge.exe
3356	msedge.exe
5008	identity_helper.exe
5008	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
756	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3112 wrote to memory of 2432	3112	msedge.exe	80
PID 3112 wrote to memory of 2432	3112	msedge.exe	80
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 1268	3112	msedge.exe	81
PID 3112 wrote to memory of 4288	3112	msedge.exe	82
PID 3112 wrote to memory of 4288	3112	msedge.exe	82
PID 3112 wrote to memory of 2232	3112	msedge.exe	83
PID 3112 wrote to memory of 2232	3112	msedge.exe	83
PID 3112 wrote to memory of 2232	3112	msedge.exe	83
PID 3112 wrote to memory of 2232	3112	msedge.exe	83
PID 3112 wrote to memory of 2232	3112	msedge.exe	83
PID 3112 wrote to memory of 2232	3112	msedge.exe	83
PID 3112 wrote to memory of 2232	3112	msedge.exe	83
PID 3112 wrote to memory of 2232	3112	msedge.exe	83
PID 3112 wrote to memory of 2232	3112	msedge.exe	83
PID 3112 wrote to memory of 2232	3112	msedge.exe	83
PID 3112 wrote to memory of 2232	3112	msedge.exe	83
PID 3112 wrote to memory of 2232	3112	msedge.exe	83
PID 3112 wrote to memory of 2232	3112	msedge.exe	83
PID 3112 wrote to memory of 2232	3112	msedge.exe	83
PID 3112 wrote to memory of 2232	3112	msedge.exe	83
PID 3112 wrote to memory of 2232	3112	msedge.exe	83
PID 3112 wrote to memory of 2232	3112	msedge.exe	83
PID 3112 wrote to memory of 2232	3112	msedge.exe	83
PID 3112 wrote to memory of 2232	3112	msedge.exe	83
PID 3112 wrote to memory of 2232	3112	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://docs.google.com/document/d/1ktY2L4_bRrsgUV8EglWCd_LR9d3n1nPsN4le8NI8eTk/edit?usp=drive_web
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff82fa93cb8,0x7ff82fa93cc8,0x7ff82fa93cd8
  2⤵
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,16922445163535855211,3395688734903773719,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1980 /prefetch:2
  2⤵
  PID:1268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,16922445163535855211,3395688734903773719,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1956,16922445163535855211,3395688734903773719,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,16922445163535855211,3395688734903773719,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,16922445163535855211,3395688734903773719,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1956,16922445163535855211,3395688734903773719,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4304 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,16922445163535855211,3395688734903773719,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,16922445163535855211,3395688734903773719,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:3424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,16922445163535855211,3395688734903773719,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,16922445163535855211,3395688734903773719,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,16922445163535855211,3395688734903773719,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:1524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3972

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1784

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f1998107017edc46fed4599ad24cfe53

SHA1
47e92f0646f0de9241c59f88e0c10561a2236b5e

SHA256
cc6838475e4b8d425548ceb54a16d41fb91d528273396a8f0b216889d79e0caa

SHA512
ef7228c3da52bf2a88332b9d902832ed18176dfff7c295abfbaab4e82399dc21600b125c8dad615eb1580fab2f4192251a7f7c557842c9cac0209033a3113816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
21cf39beee4d807318a05a10dc3f1bf3

SHA1
01ef7fc09919eb33292a76934d3f2b5ba248f79c

SHA256
b766823dabbf6f78e2ee7c36d231d6708800126dc347ce3e83f4bf27bc6e2939

SHA512
0baf8b0964d390b9eb7fafd217037709ac4ab31abcdf63598244026c31284cd838f12d628dcffe35d5661ba15a5e4f3b82c7c2d9226ac88856a07b5b7b415291

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
720B

MD5
caef228c19d24979ac9b222833a4c77a

SHA1
e98713da2396491157ee9b4f1d20d50a010de1ac

SHA256
cefa9fd68c998e4b5490c4c33f55b99d3e76b41252b4f282009ce5cc853ee6cb

SHA512
008f565facc5c309fc4456cf1ba0e8b97e155033f637fccc72566115113683f143a2b2af211f3e1f5be1b05b8f22229afb769b3719fa363e4eb692540b212e0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4a8558c79597200b14ae79bc1ec2c609

SHA1
69e93ced8eef66f6215bfe57fa548f64edd6cb51

SHA256
bca0b51c7055d26ec49059218ff6252a19fbd57ad4cf0cc9af3eafa4a0888645

SHA512
749bce781a8187875b6c4cc4036a3280e79b9587cda8207fd266d958dcca8c33030b77c656b8a1544ae6099d14343e651b072ff3f5b269813456ecaf8919b0ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ae574698-e4a0-451b-b0e1-6db64f25adab.tmp

Filesize
5KB

MD5
c33aede6d7f069fe595642bb320a1962

SHA1
e244ca1247956c5aff4cff10619d4152a2132abc

SHA256
2f55eecee8e0e2be435721ec88ac7fb77bca0efdf1d098f50058ecff627d2715

SHA512
4dc2a4edcda87ef0244cb2577af3e5fe43c584ab5b6641b827525caf6d4041c8672615eecb0308e4ed4a29324273a0b6d40b2044251a0d8c5403e04d6e5fd962

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1b2d28d073045118e98eaf8726916e24

SHA1
b33323ebcbb6359ed77e685cc94196b6779fa1a9

SHA256
f39bfad985e0cf64ecfb695a29a9f70909d3377aa1c9fd20401450a72157cded

SHA512
a6112546de7f9407c9d0d11959677af9582620938f0da6fbe5373f225fe621f6d96f37089da1b1b3e5456be916ef87806a5dc131cd689ddad1746b93a0cf3725

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e496fbe32b0a7d10288c8c6d39c33718

SHA1
3bcae81a5675660cfdee70ee3206be1794092678

SHA256
fbe5e84caf0b04db1385f57fcd5e11b93a01c1ed90854311dc28e6cdf9ba6513

SHA512
853ed8678a6d512a6748d4fd0b1fc00e5de566ae209b52b76c13e9c2be891147dba5b83d79f668b23793bd3d42500fb85ba7c3871269b3394808e4c44874df7e

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
bd46e85d4c415d6399980d58ee534ae3

SHA1
42ad1e0bc18975fdffd62cf4fcbc6aeecd6e97c1

SHA256
73430968c3ea5381b927aad54fad64eff4e8bdab6a2ff24ded2a74294ae0d889

SHA512
5468c689739c3e18b694e991c1c50a83392652f2506cc63c67eb4981ec3331f6202c7880df15306745ca1ed7861373121e4e94584bf0432c05b20e503ea15eda

Download Submit