d4c8845ab6a2415b48bf5539f0d912f4d4f61e898e4e1c839c56784aae3631d2

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 14:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Domain/bin/assets/ui.html
Size

4KB
MD5

6f8f041c68e7bc0067d7e6e4c3e9b824
SHA1

550b684e7e03154f5424271e97a33c1ada49d5db
SHA256

fbe5a564a1d50db2341cfd339f7feed965024c18ffb916fa77aae4651fa0e5ea
SHA512

88ae8526d6874f7480224672ae4a7e2557699f0423ef6f32dbcc68f0207a2ec0fca70af60e1bc8ba19c100f46d0f93d19b203b63a03543ee3289857a1e9dca3c
SSDEEP

96:HMA5Xrg16dLUWUU1MmUtJ9zYz50yZ5am7ZCpvMAEHIVzaGOc:HMA57g2LU9UamU/hkVZ5EpvMAEoVuGOc

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
3156	msedge.exe
3156	msedge.exe
1936	msedge.exe
1936	msedge.exe
552	identity_helper.exe
552	identity_helper.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

1936 msedge.exe
1936 msedge.exe
1936 msedge.exe
1936 msedge.exe
1936 msedge.exe
1936 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1936 wrote to memory of 3468	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 3468	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 4144	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 3156	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 3156	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 2952	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 2952	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 2952	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 2952	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 2952	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 2952	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 2952	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 2952	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 2952	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 2952	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 2952	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 2952	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 2952	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 2952	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 2952	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 2952	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 2952	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 2952	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 2952	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 2952	1936	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Domain\bin\assets\ui.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc3e6046f8,0x7ffc3e604708,0x7ffc3e604718
2⤵
PID:3468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,14581561611103357703,13438281213885147939,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
2⤵
PID:4144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,14581561611103357703,13438281213885147939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,14581561611103357703,13438281213885147939,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
2⤵
PID:2952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14581561611103357703,13438281213885147939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
2⤵
PID:216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14581561611103357703,13438281213885147939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
2⤵
PID:2088

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,14581561611103357703,13438281213885147939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
2⤵
PID:1560

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,14581561611103357703,13438281213885147939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14581561611103357703,13438281213885147939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
2⤵
PID:1848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14581561611103357703,13438281213885147939,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
2⤵
PID:4904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14581561611103357703,13438281213885147939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
2⤵
PID:2272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14581561611103357703,13438281213885147939,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
2⤵
PID:3488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,14581561611103357703,13438281213885147939,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4904 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4476

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1656

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
584971c8ba88c824fd51a05dddb45a98

SHA1
b7c9489b4427652a9cdd754d1c1b6ac4034be421

SHA256
e2d8de6c2323bbb3863ec50843d9b58a22e911fd626d31430658b9ea942cd307

SHA512
5dbf1a4631a04d1149d8fab2b8e0e43ccd97b7212de43b961b9128a8bf03329164fdeb480154a8ffea5835f28417a7d2b115b8bf8d578d00b13c3682aa5ca726

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
b28ef7d9f6d74f055cc49876767c886c

SHA1
d6b3267f36c340979f8fc3e012fdd02c468740bf

SHA256
fa6804456884789f4bdf9c3f5a4a8f29e0ededde149c4384072f3d8cc85bcc37

SHA512
491f893c8f765e5d629bce8dd5067cef4e2ebc558d43bfb05e358bca43e1a66ee1285519bc266fd0ff5b5e09769a56077b62ac55fa8797c1edf6205843356e75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
673B

MD5
b0840c069f27438c9fb9175c793b5088

SHA1
97624f9f49b6112f0b53939d90a6a52bcd4c95ac

SHA256
a414782d6a8b55476458788b53549033ba33070032aa42d5061111d62496faca

SHA512
fc85a11066fdb5c7575c2529045096fe92548d7114b5d2bb69dec5f9196a937d97e799f9ade3bb5545f4cd008f4f06660789f87b0e9c27f5a34856f35d7bc106

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
28d4a893562ee5a89931670b275cd2b7

SHA1
cf124594a39f2049b1238c3a26316143de1535f1

SHA256
9567ab67091fdbd767708ab46fb35bbb849cbbf8c46c75c1cab2d9b8bcde4ae4

SHA512
64ed13ab89fd8c58c6c2cd3efadbc01628b0e5a6c94bd53df82e1ae4cef4b5d1b2b3792ddb7e4ef18654eaa764f046beef75f01d691099b7a491397025afd658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
220d4b70aacd9c8c5a39e5b54f807405

SHA1
194adcbcdedab32d56d9d2e1d8e566d8271d5555

SHA256
fefe49f7cb4ecd2f928e6d48d9e4958b9495eecf050038a08807b0797ac0db8b

SHA512
0129c053a0a057dd5d75b32e18e04e35b41e6572d5b872c09999d2cf9a7f596759d5c7a2fdd9f248239712c67924cbcbb737ea8adbda32cf7f86913f037f24c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
0fd72b16073e9a7879abd41fa14af5c0

SHA1
5abefb57f721582d1b92981a501e921c41553761

SHA256
d87ff7ef12e45165c736561bfa059b90134d2d14ae6ea8d7172a921f8787d3ba

SHA512
f0ea1975e13492065b503a7d8bf0453afc8bd41f9756e89acfe176be74738ee54950ad47c50c4c434f6c18300bc2f5ee03fc09b7a671876574f627aed0c50486

Download Submit
\??\pipe\LOCAL\crashpad_1936_QLHDRKOFIQYMEVGP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit