30091faafd62ea7ba9868db2ee575dab98fd126a78d39590f57ea7b38b20d966

Resubmissions

17-07-2024 11:56

240717-n32f5azaqj 10

17-07-2024 11:51

240717-n1gzpsyhqq 10

Analysis

max time kernel
147s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
17-07-2024 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LICENSES.chromium.html
Size

8.7MB
MD5

bd0ced1bc275f592b03bafac4b301a93
SHA1

68776b7d9139588c71fbc51fe15243c9835acb67
SHA256

ad35e72893910d6f6ed20f4916457417af05b94ab5204c435c35f66a058d156b
SHA512

5052ae32dae0705cc29ea170bcc5210b48e4af91d4ecec380cb4a57ce1c56bc1d834fc2d96e2a0f5f640fcac8cafe4a4fdd0542f26ca430d76aa8b9212ba77aa
SSDEEP

24576:KPQQ/6MP6P5d1n+wRcXe1Lmfpm6k626D6b6+eGnkywBIpv:Cy8OeG8k

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3472	msedge.exe
3472	msedge.exe
5044	msedge.exe
5044	msedge.exe
2848	msedge.exe
2848	msedge.exe
4224	identity_helper.exe
4224	identity_helper.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 2052	5044	msedge.exe	78
PID 5044 wrote to memory of 2052	5044	msedge.exe	78
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 2788	5044	msedge.exe	79
PID 5044 wrote to memory of 3472	5044	msedge.exe	80
PID 5044 wrote to memory of 3472	5044	msedge.exe	80
PID 5044 wrote to memory of 1204	5044	msedge.exe	81
PID 5044 wrote to memory of 1204	5044	msedge.exe	81
PID 5044 wrote to memory of 1204	5044	msedge.exe	81
PID 5044 wrote to memory of 1204	5044	msedge.exe	81
PID 5044 wrote to memory of 1204	5044	msedge.exe	81
PID 5044 wrote to memory of 1204	5044	msedge.exe	81
PID 5044 wrote to memory of 1204	5044	msedge.exe	81
PID 5044 wrote to memory of 1204	5044	msedge.exe	81
PID 5044 wrote to memory of 1204	5044	msedge.exe	81
PID 5044 wrote to memory of 1204	5044	msedge.exe	81
PID 5044 wrote to memory of 1204	5044	msedge.exe	81
PID 5044 wrote to memory of 1204	5044	msedge.exe	81
PID 5044 wrote to memory of 1204	5044	msedge.exe	81
PID 5044 wrote to memory of 1204	5044	msedge.exe	81
PID 5044 wrote to memory of 1204	5044	msedge.exe	81
PID 5044 wrote to memory of 1204	5044	msedge.exe	81
PID 5044 wrote to memory of 1204	5044	msedge.exe	81
PID 5044 wrote to memory of 1204	5044	msedge.exe	81
PID 5044 wrote to memory of 1204	5044	msedge.exe	81
PID 5044 wrote to memory of 1204	5044	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8875e3cb8,0x7ff8875e3cc8,0x7ff8875e3cd8
  2⤵
  PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1732,18018699314776573123,16699389677204757171,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1964 /prefetch:2
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1732,18018699314776573123,16699389677204757171,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1732,18018699314776573123,16699389677204757171,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2584 /prefetch:8
  2⤵
  PID:1204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,18018699314776573123,16699389677204757171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:3012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,18018699314776573123,16699389677204757171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:2588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1732,18018699314776573123,16699389677204757171,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,18018699314776573123,16699389677204757171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,18018699314776573123,16699389677204757171,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,18018699314776573123,16699389677204757171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
  2⤵
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,18018699314776573123,16699389677204757171,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1732,18018699314776573123,16699389677204757171,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1732,18018699314776573123,16699389677204757171,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2972 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f1d33f465a73554cd1c183cbcd0a28a2

SHA1
f5c16fc4edff600cb307f762d950500aa29a1e8b

SHA256
22d8c228cdcfd3e05431d7377748014035a3488ad3a0d4aecc334e724245a1f9

SHA512
7cc94f77f3943143ee86eabbfddcb110ce52c6ff0975842e3a3d06072f51f2c48914ee61f24484a539888ad19a7e6a1becfb029485cd5984bc736434a63cee95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
575466f58c7d9d3224035d23f102d140

SHA1
2fce4082fa83534b3ddc91e42fb242baee4afa1c

SHA256
9da0e657652daa1ef86af7c3db62b0af9cce372a5f765c98c68479922ccf1923

SHA512
06503e718fe967076dd8a061b57debdc663b9616b005f8567099a84fc7184880633079335d622c243918efc3356b40e683708fb0583084abeed7db6168a212ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9a734416332298fe280678ab30768675

SHA1
7f04ab9609a01ff1c51a5a9d2332dc3eca87f816

SHA256
309f8a46feb12173151be5133a09116c744641141a9342d2312bbc47e816ceb1

SHA512
8e01b900224957bde8cd83442d3e9a3fb9f52ed855ffe1da60272ae72932573d0a9c0548bb03e603d151d231e5ec4dedd92ff381f75647de6394961070796edc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9608817997c4e45e0e23473260e2f5a2

SHA1
34bb8d4f9b3d36dc5540253e7039dd1a64c8ebe2

SHA256
2b9c5aa20c58bdc0a6f36fdcecd599d9f10947c6842c0a066cb8e04005df9563

SHA512
212ca59e2d52ebacf1e180e90f62793492d793df8e10c83919e2a121f931f0f0c0e954e7c9ab5830e672f016a0c08db230ea8ba30f121881e1b94df1964ac62b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9c90eed7e403cb77a7d47e48272a2648

SHA1
38cc643fe00e41998e0716d43a66928007b1fd84

SHA256
2d5b525ba52076ca28b9dc5087017b0328580b9669b48c99045db919a0f3478d

SHA512
9af26b53a8abebcc6de22e2f332d94980fcaa269f4f1d121ba8b22db3297e89cec3d8050b34ca80328526dd93f57f7caff163169f2e67fda0761c40c26c4b082

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dcbfdfc1b2dc2fdf1283563be1853bbd

SHA1
958c330e5d1ea6c03db0836d2534e5cede19aaeb

SHA256
7ddb501b54a5195dacc20ed73dd643609d589b2cb93c73967dedd957c2287778

SHA512
ae422d9c90b376fa201d76f3a4fbf5f551775af8d56f9cc0077f52a94a0749c334c76aca7ff6b3df480ea51462599ebf658963c46b4c8c73f0b929f87ea27d47

Download Submit