hxxps://duckduckgo[.]com/

Analysis

max time kernel
15s
max time network
19s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
23/07/2024, 18:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://duckduckgo.com/

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1448	msedge.exe
1448	msedge.exe
4384	msedge.exe
4384	msedge.exe
4620	msedge.exe
4620	msedge.exe
3644	identity_helper.exe
3644	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4384 wrote to memory of 3992	4384	msedge.exe	80
PID 4384 wrote to memory of 3992	4384	msedge.exe	80
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 4000	4384	msedge.exe	81
PID 4384 wrote to memory of 1448	4384	msedge.exe	82
PID 4384 wrote to memory of 1448	4384	msedge.exe	82
PID 4384 wrote to memory of 572	4384	msedge.exe	83
PID 4384 wrote to memory of 572	4384	msedge.exe	83
PID 4384 wrote to memory of 572	4384	msedge.exe	83
PID 4384 wrote to memory of 572	4384	msedge.exe	83
PID 4384 wrote to memory of 572	4384	msedge.exe	83
PID 4384 wrote to memory of 572	4384	msedge.exe	83
PID 4384 wrote to memory of 572	4384	msedge.exe	83
PID 4384 wrote to memory of 572	4384	msedge.exe	83
PID 4384 wrote to memory of 572	4384	msedge.exe	83
PID 4384 wrote to memory of 572	4384	msedge.exe	83
PID 4384 wrote to memory of 572	4384	msedge.exe	83
PID 4384 wrote to memory of 572	4384	msedge.exe	83
PID 4384 wrote to memory of 572	4384	msedge.exe	83
PID 4384 wrote to memory of 572	4384	msedge.exe	83
PID 4384 wrote to memory of 572	4384	msedge.exe	83
PID 4384 wrote to memory of 572	4384	msedge.exe	83
PID 4384 wrote to memory of 572	4384	msedge.exe	83
PID 4384 wrote to memory of 572	4384	msedge.exe	83
PID 4384 wrote to memory of 572	4384	msedge.exe	83
PID 4384 wrote to memory of 572	4384	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://duckduckgo.com/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff88ebb3cb8,0x7ff88ebb3cc8,0x7ff88ebb3cd8
  2⤵
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,9417082601883129372,9249378899634391799,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,9417082601883129372,9249378899634391799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,9417082601883129372,9249378899634391799,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
  2⤵
  PID:572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,9417082601883129372,9249378899634391799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,9417082601883129372,9249378899634391799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,9417082601883129372,9249378899634391799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3912 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,9417082601883129372,9249378899634391799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,9417082601883129372,9249378899634391799,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1876,9417082601883129372,9249378899634391799,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5856 /prefetch:8
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,9417082601883129372,9249378899634391799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5916 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,9417082601883129372,9249378899634391799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1
  2⤵
  PID:2744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,9417082601883129372,9249378899634391799,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:2028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c0f062e1807aca2379b4e5a1e7ffbda8

SHA1
076c2f58dfb70eefb6800df6398b7bf34771c82d

SHA256
f80debea5c7924a92b923901cd2f2355086fe0ce4be21e575d3d130cd05957ca

SHA512
24ae4ec0c734ef1e1227a25b8d8c4262b583de1101f2c9b336ac67d0ce9b3de08f2b5d44b0b2da5396860034ff02d401ad739261200ae032daa4f5085c6d669e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6f3725d32588dca62fb31e116345b5eb

SHA1
0229732ae5923f45de70e234bae88023521a9611

SHA256
b81d7e414b2b2d039d3901709a7b8d2f2f27133833ecf80488ba16991ce81140

SHA512
31bacf4f376c5bad364889a16f8ac61e5881c8e45b610cc0c21aa88453644524525fd4ccf85a87f73c0565c072af857e33acffbbca952df92fedddd21f169325

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
768B

MD5
09d363d2be36e54689657462dfc2ef34

SHA1
3792d4544e171b3d7078b3e8506b18f8562b2ca5

SHA256
1f84f859b06a701b4249afd24552d9f18ae9e98f3c4fe044105ab85cedf124f8

SHA512
52fbaa96d4066fb485323014ba26872624546791210610ec6b9807e88389ba8b6703117d136d5380424dd0d9055cda0c73edd7610ae602eac39e79545e4691c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
431B

MD5
ba6323f9bf4e9a7e22a1a829629e30f5

SHA1
b5b98f9b58d2b75407dd8ff57cf4ca113e29529a

SHA256
0a928036cac1134a02cb8fed1df2d7e97228f997bded31da3215bdc33bce62b1

SHA512
5f8f0e6c852d1c390b48c0ee5b98538e49f86c253093c909416f729922e25ca3ccfbedfb00aef6441285575ffd3b69b46c6cc0d74aaa1fd81583c5a198dc0b0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2748b3a55e1636823187441dbe028849

SHA1
68abad4137b453a9dc4c51b447ef426286549cd4

SHA256
8bb3c97f44e42d2c8e08f6c1955af205babaec98a91c3b062b93663d57d0aec0

SHA512
d71ea2d3aa10efb8579d7ac74222c322612c5275c0835617062ceed59b336b890de0cba81b367bfd38c9f62a475db2d252c3a5d5741027ccb2869bb9e0c2f983

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ecb3fdf5d61f3f0fd7d30e9123ce1dc4

SHA1
1fc2e93fdb38c5869577a9b8cf26e22c78cde047

SHA256
b41c7a07a3da20684a4c34bfe94367b4966f0b59cb947dfb5c35742b3e6d0bb7

SHA512
c2d2b02f505cf818684b939d219ad9525a632bdf71c8ca49f56c6cf9617501ed37e5fd2434aea31b5986afa4cd6678055e3419cc5e3fc1541dd0f70b4cb7b5a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4a0de98c4e66e22a7bf30e8a1fa8f463

SHA1
c200a9b170398703322ed341bd9d7a13a4f9295a

SHA256
79594794b1e74416a058e442bb99e56d1b63b57ec086442faf3b70cac9c326b5

SHA512
5894c8ccfae727a04edb6c3e32316c7f9d3e12bbed0573dce666c4f281040f14ca59689e009aedc13af04ab6142b9372c5cb30b2693ef51cf5b4e1b2742e0094

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
700B

MD5
d4fbd4413080e5f58d36867b6b9455ec

SHA1
c586efcae80b25ce9e0b04392c98462ad68a6021

SHA256
e0cf461cbaef52b1c0630512bb285fbb705a44a6bcfcf806851652322c0cc79a

SHA512
6a39c6e5b9acdaf15b22c4ac6e50e3b7821c3703218d679d4716f029ac3feafea9ad2e72c0a0db097bd9018b8187cf672eb2c7f019b6e46cc148c0cccdc390f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57be10.TMP

Filesize
700B

MD5
f3831c0bb290a087628e50a75e6045d5

SHA1
a58ea47798c14b980bd0e69493dded89e4b48bf2

SHA256
8d02d5f89ef216785074c59eeda3543c5db6a543bb558833e0b3a7cd420d1038

SHA512
908fc059468735ace7690b8bd93dc5aaa729c74b6a1bc513c5ddaa378cf4a0c6112e709845ec59b119ad9777724976448b40cf7056f600287e41027d9f7d94af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2f324d748c17f1693c4d96f57cc9b8f0

SHA1
f44b3c12662242e71fd620ec1e3d585c83b1b015

SHA256
6b0094d07159a119881531525fe19ca41785f515da9fb8dd96297e15b9063735

SHA512
5bd07f5f22be2a03c9db4e81cd72d7a0e72874ef7ff3f1aae4438bfa756db374e62cd22272e688ac978ab43c8487f2eef687626ea69bef943fb51e8d363204e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ca0af10c7b4c67f92a85235b57641340

SHA1
54c1ba291bc2cd4bda887aa750a4a3547b594c56

SHA256
f3a797d6c1ddf51d53c4abcbb4071c59dc4afb8c9241188a70a2b067d0e45092

SHA512
ba97a0553e23000a4f0f57e8e9d63fa09d2677e8647345b9a0653fa7a87aee069cc3311c5b555707d7eded352f9593a984f80789fb90971c0e30cb2e05d7d5e7

Download Submit