6469b323b7ed7a5ece51180150c3b9bb9a1d70eb9b20f8a74f6ed3caf494afa0

Analysis

max time kernel
240s
max time network
298s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
22-07-2024 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Solara.Dir/Monaco/index.html
Size

20KB
MD5

7ed00e10ff463cc9afd05d41fc77ac06
SHA1

66e162bdbf6df1e1d5b994b8db39fa67ab080783
SHA256

808f2c68960e6e521975c8c8efaa90a4053cfb207c4042687ea7afdd091543ee
SHA512

4b598cc17654a866c758c33982e776e522f0177f3c987908a18f62385b393338582efbca149817df7cea66eb8cfaa11d566ebfcb59c88d22156f0f1f4d224285
SSDEEP

384:FihTARA5LmClk2P5VvW4NGthbVBJjEBh+BILnoamLR7:FihTnlf+lthbVBJegyboamLR7

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
27	raw.githubusercontent.com
28	raw.githubusercontent.com
31	raw.githubusercontent.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4116	msedge.exe
4116	msedge.exe
2052	msedge.exe
2052	msedge.exe
1376	identity_helper.exe
1376	identity_helper.exe
2944	msedge.exe
2944	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 2612	2052	msedge.exe	82
PID 2052 wrote to memory of 2612	2052	msedge.exe	82
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 2368	2052	msedge.exe	83
PID 2052 wrote to memory of 4116	2052	msedge.exe	84
PID 2052 wrote to memory of 4116	2052	msedge.exe	84
PID 2052 wrote to memory of 2156	2052	msedge.exe	85
PID 2052 wrote to memory of 2156	2052	msedge.exe	85
PID 2052 wrote to memory of 2156	2052	msedge.exe	85
PID 2052 wrote to memory of 2156	2052	msedge.exe	85
PID 2052 wrote to memory of 2156	2052	msedge.exe	85
PID 2052 wrote to memory of 2156	2052	msedge.exe	85
PID 2052 wrote to memory of 2156	2052	msedge.exe	85
PID 2052 wrote to memory of 2156	2052	msedge.exe	85
PID 2052 wrote to memory of 2156	2052	msedge.exe	85
PID 2052 wrote to memory of 2156	2052	msedge.exe	85
PID 2052 wrote to memory of 2156	2052	msedge.exe	85
PID 2052 wrote to memory of 2156	2052	msedge.exe	85
PID 2052 wrote to memory of 2156	2052	msedge.exe	85
PID 2052 wrote to memory of 2156	2052	msedge.exe	85
PID 2052 wrote to memory of 2156	2052	msedge.exe	85
PID 2052 wrote to memory of 2156	2052	msedge.exe	85
PID 2052 wrote to memory of 2156	2052	msedge.exe	85
PID 2052 wrote to memory of 2156	2052	msedge.exe	85
PID 2052 wrote to memory of 2156	2052	msedge.exe	85
PID 2052 wrote to memory of 2156	2052	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\index.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff9ae03cb8,0x7fff9ae03cc8,0x7fff9ae03cd8
  2⤵
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,6635237296223626005,14793312092411285459,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:2368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,6635237296223626005,14793312092411285459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,6635237296223626005,14793312092411285459,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
  2⤵
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6635237296223626005,14793312092411285459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6635237296223626005,14793312092411285459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,6635237296223626005,14793312092411285459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6635237296223626005,14793312092411285459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
  2⤵
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6635237296223626005,14793312092411285459,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:2528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,6635237296223626005,14793312092411285459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3464 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6635237296223626005,14793312092411285459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6635237296223626005,14793312092411285459,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
  2⤵
  PID:568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,6635237296223626005,14793312092411285459,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1020 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2960

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:124

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
328B

MD5
1d69ce9071db9ebd6c7f03540ed576f0

SHA1
4b3fa313a6e15e7f34c1c35aa30dd997f859d900

SHA256
703e1820bb3b7d7688fd44c9c5b2a1a81fb70e116ba338a1db000b8ba6477bd1

SHA512
4e2c9b4e6eb9824858cade64b48187af9f1c057fb1eae5d23c85d2bc8bc35120a299f7510a25c00150429a1dec593b49ddaa48183e66e39315052b01ef55314a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fc52695a78aa4e8734d73b7446ba59d1

SHA1
15dfb5759ff566206ebd6b8a864e9e43182d7f44

SHA256
fc18d4b0cbcbb89e7f9cbe630c18c94ddecf8b59e74718cc5ad1f66fe638cf9e

SHA512
dbddeb1e9678141910933db917260164cfd07d5f2fcf3c7e82fc2c6db486be7dc47fb193a676e7a23d4ad6936c946ede8def1c555332e41a829d94c207cbfd51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce971e4ab1f7a51b5b9def5887018d15

SHA1
2f280b61a4c3297a3129d59b84ae971e90fdf9d9

SHA256
12e7606eaa7e67b697c8b098266fcb8cb066cd9f8f60ce43ba8405102a63af1b

SHA512
5358fb373e7ef29ac278c33161fbd06b4ac59b24be16e4c34f37ae88383655a182e30fa71cb7881cffc3af5ab055aad25d57f53f3114e6d79b946dbfaa228594

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4e1b62b024aea299e090bbe27f5bed33

SHA1
4b60b990f9cb11f88352a593e0cf5f2609e30b72

SHA256
283ae0c7482aa82794b649b135d3ed08cd61dbcd1cac506e305f345bb071b05d

SHA512
c99269317cb13e97e291c653196784f7c0db00272546a4404dd6af28c6e31abc56fd100a73a665cc9f73c5e8f548d90231c002120aca02c649addb91581f7116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a25434a8-eba3-4cf6-a57b-ecfee6bf1a15.tmp

Filesize
5KB

MD5
d41a3d28b88e32615c31058b6486b841

SHA1
810d2511be94da56b9de7ecbe75e9c6c07e9e089

SHA256
88984fa49152851e965c4f22d52de01f3fda7212a9ddcd4eafdea3134eea57a7

SHA512
1ec4ef3ba87439e13bf947626149a3160bedaa7e663d67fafdb1869f511cacf271bd486422231989ef7c6e84564f7e523941f02ab1b7ff634d1f5bf6d85dfe0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f4e8d775-2e15-4c0e-a784-1be8ff6546e9.tmp

Filesize
746B

MD5
bea79c48c11fa6c23dc767bf1d362d7c

SHA1
f98d190fcea1a06da9e33e6227bccd736b0cfda8

SHA256
c2fe4b994aee5acdc6b22049ba52e52f1ff8ecb4362c81a69c75dcebc2a615ee

SHA512
0d9d8c2e2e16bc18338b2e965491b6362035bd101dcb0c41658f32fea14bdbe84c2b000de8592cdd512d584bea91567d6f11085a1efc428ee407c5a30fe1daa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
432a96ef3221a95e42b7003970071564

SHA1
c1a996d0ab939a0382b396b1c84c6aaf35707173

SHA256
7bf7edf35a946ee4a8582cc96f2db2c7e49a6888ec5c538dcdc51ac2618dd5bc

SHA512
c9168d8e9fa2d1411e5e49f7a44c273a663a71084efc55f20e96e3b84d7c22ff7fb9917ae2cab99478857194e8f0736330f04306aed62baf3e69ad4f3f0fe1f2

Download Submit