c894729f6186bcac39c9c627a2634a7a3896e55a626db17a086daded78f6fa77

Analysis

max time kernel
145s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
21/07/2024, 15:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LICENSES.chromium.html
Size

6.5MB
MD5

180f8acc70405077badc751453d13625
SHA1

35dc54acad60a98aeec47c7ade3e6a8c81f06883
SHA256

0bfa9a636e722107b6192ff35c365d963a54e1de8a09c8157680e8d0fbbfba1c
SHA512

40d3358b35eb0445127c70deb0cb87ec1313eca285307cda168605a4fd3d558b4be9eb24a59568eca9ee1f761e578c39b2def63ad48e40d31958db82f128e0ec
SSDEEP

24576:d7rs5kjWSnB3lWNeUmf0f6W6M6q6A6r/HXpErpem:rovj

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1324	msedge.exe
1324	msedge.exe
2296	msedge.exe
2296	msedge.exe
5008	identity_helper.exe
5008	identity_helper.exe
780	msedge.exe
780	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 228	2296	msedge.exe	78
PID 2296 wrote to memory of 228	2296	msedge.exe	78
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 4716	2296	msedge.exe	79
PID 2296 wrote to memory of 1324	2296	msedge.exe	80
PID 2296 wrote to memory of 1324	2296	msedge.exe	80
PID 2296 wrote to memory of 3984	2296	msedge.exe	81
PID 2296 wrote to memory of 3984	2296	msedge.exe	81
PID 2296 wrote to memory of 3984	2296	msedge.exe	81
PID 2296 wrote to memory of 3984	2296	msedge.exe	81
PID 2296 wrote to memory of 3984	2296	msedge.exe	81
PID 2296 wrote to memory of 3984	2296	msedge.exe	81
PID 2296 wrote to memory of 3984	2296	msedge.exe	81
PID 2296 wrote to memory of 3984	2296	msedge.exe	81
PID 2296 wrote to memory of 3984	2296	msedge.exe	81
PID 2296 wrote to memory of 3984	2296	msedge.exe	81
PID 2296 wrote to memory of 3984	2296	msedge.exe	81
PID 2296 wrote to memory of 3984	2296	msedge.exe	81
PID 2296 wrote to memory of 3984	2296	msedge.exe	81
PID 2296 wrote to memory of 3984	2296	msedge.exe	81
PID 2296 wrote to memory of 3984	2296	msedge.exe	81
PID 2296 wrote to memory of 3984	2296	msedge.exe	81
PID 2296 wrote to memory of 3984	2296	msedge.exe	81
PID 2296 wrote to memory of 3984	2296	msedge.exe	81
PID 2296 wrote to memory of 3984	2296	msedge.exe	81
PID 2296 wrote to memory of 3984	2296	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe38d53cb8,0x7ffe38d53cc8,0x7ffe38d53cd8
  2⤵
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,6765719494289715287,4594979748536951738,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1720 /prefetch:2
  2⤵
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,6765719494289715287,4594979748536951738,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,6765719494289715287,4594979748536951738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6765719494289715287,4594979748536951738,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6765719494289715287,4594979748536951738,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,6765719494289715287,4594979748536951738,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6765719494289715287,4594979748536951738,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6765719494289715287,4594979748536951738,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6765719494289715287,4594979748536951738,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6765719494289715287,4594979748536951738,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,6765719494289715287,4594979748536951738,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5696 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,6765719494289715287,4594979748536951738,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4964 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3324

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4796

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
caaeb604a99d78c4a41140a3082ca660

SHA1
6d9cd8a52c0f2cd9b48b00f612ec33cd7ca0aa97

SHA256
75e15f595387aec18f164aa0d6573c1564aaa49074547a2d48a9908d22a3b5d6

SHA512
1091aa1e8bf74ed74ad8eb8fa25c4e24b6cfd0496482e526ef915c5a7d431f05360b87d07c11b93eb9296fe386d71e99d214afce163c2d01505349c52f2d5d66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1fe10b6cb6b345a095320391bda78b22

SHA1
46c36ab1994b86094f34a0fbae3a3921d6690862

SHA256
85a627e9b109e179c49cf52420ad533db38e75bc131714a25c1ae92dd1d05239

SHA512
9f9d689662da014dfae3565806903de291c93b74d11b47a94e7e3846537e029e1b61ad2fad538b10344641003da4d7409c3dd834fed3a014c56328ae76983a2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5dd8863d9f643a690e9a03aff16ab70d

SHA1
23de2553ae8c41796b7d519a94566e1f931eae73

SHA256
2c8b48ab9da17f80ca457f7e9b0c8a7509c45c64478ec72c0e9bb3cdaeb814e2

SHA512
174836ec9ea5ee1768136aabad4c349ed319bbcfe8bde110f1517cf132580995b256b7a997d3734227e25c866aa5aded7f5393d1729ebd3fd2a5720645af8b1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c808aefcc212d06b6651829f05b24333

SHA1
6cb42cba11f2c4d6653dbf70fbc8786f18b8389d

SHA256
6fa59c08918f35f110865a51be1d45b30bdba6de8e3fe3c00985a47c165b24e2

SHA512
7dbd44eb33b451f8f4cf1cbfe5744c41e58dfac11918d3a6c8d164354f6c70e8756339f14c0e1ff5e235f47f845848c13a480198e33aa20861c62a7a949684a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
220a77b5d0dac63c07d710a5637b02d7

SHA1
9e409fdf39c8ace3f2388cec4b097b1ab10d6e3b

SHA256
bb027e5cbf04fbda3a61cd808510bd989ff77f435c330f6cb9feddcca5c5d51c

SHA512
ea6cd691876bcbcb92bc8940693a1eaa7ed289be9ff5fc2dfff73813d08bee3435d2cf3c3a7688e85cb514bb89cba811fd7ad5495456d6f025c8e7063125af2b

Download Submit