Analysis
- Max time kernel: 145s
- Max time network: 138s
- Platform: windows11-21h2_x64
- Resource: win11-20240709-en
- Resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
- Submitted: 13/07/2024, 15:08
Static task: static1

Behavioral tasks (sample: agents.html for every task)
- behavioral1: win7-20240705-en
- behavioral2: win7-20240704-en
- behavioral3: win10v2004-20240709-en
- behavioral4: win11-20240709-en
- behavioral5: android-x64-20240624-en
- behavioral6: android-x64-arm64-20240624-en
- behavioral7: android-33-x64-arm64-20240624-en
- behavioral8: macos-20240711.1-en
- behavioral9: ubuntu2404-amd64-20240523-en
- behavioral10: debian9-mipsbe-20240611-en
- behavioral11: debian9-mipsel-20240611-en
- behavioral12: ubuntu1804-amd64-20240508-en
- behavioral13: ubuntu2004-amd64-20240508-en
- behavioral14: ubuntu2204-amd64-20240611-en
- behavioral15: ubuntu2404-amd64-20240523-en
General
- Target: agents.html
- Size: 60KB
- MD5: bb73520b75685225a3945bacd88714db
- SHA1: 1ed6f430714ab78138a47c2c4158a7cd8e1b0bd7
- SHA256: 1476f2175bdc85f3eda21165549079f35586940a363b3e662ddc9012614705dc
- SHA512: 466c56cb013e2cc5ed0c17c94eccaec1bafc2b7edbae851560377a4ddc99d7b9913e4a53a3f3666493183681f79542ee0bb679ded4e76cbe80e675f8ebbfe3b9
- SSDEEP: 768:pkoRbiegm9tucLkLD+i/eNGNjQfAWYaKV28X4qPZB5aJw+j1U:pRgeYqqejfAWYaK864qPZ2Jw+j1U
Malware Config
Signatures
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
- Suspicious use of FindShellTrayWindow (25 IoCs)
- Suspicious use of SendNotifyMessage (12 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- PID 3840: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\agents.html
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - PID 2984: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc85783cb8,0x7ffc85783cc8,0x7ffc85783cd8
  - PID 4832: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,12770546782842869111,17839405972139215971,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
  - PID 5072: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,12770546782842869111,17839405972139215971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  - PID 4204: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,12770546782842869111,17839405972139215971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
  - PID 3688: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,12770546782842869111,17839405972139215971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  - PID 4084: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,12770546782842869111,17839405972139215971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  - PID 4064: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,12770546782842869111,17839405972139215971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  - PID 1420: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1944,12770546782842869111,17839405972139215971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - PID 4668: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,12770546782842869111,17839405972139215971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - PID 4180: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,12770546782842869111,17839405972139215971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
  - PID 4292: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,12770546782842869111,17839405972139215971,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  - PID 3928: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,12770546782842869111,17839405972139215971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  - PID 4652: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,12770546782842869111,17839405972139215971,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
  - PID 2132: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,12770546782842869111,17839405972139215971,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4172 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
- PID 1676: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 4808: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads