Analysis

  • max time kernel
    146s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-07-2024 01:19

General

  • Target

    614402c2936d3c6e8159d14cd7b7632659eb134ec664b5a90f4cf2b274d9eb62.exe

  • Size

    39.2MB

  • MD5

    7972b103ed493f4002bd02a82d08368e

  • SHA1

    a4297f94887a16de9776868996f8525ded4f7421

  • SHA256

    614402c2936d3c6e8159d14cd7b7632659eb134ec664b5a90f4cf2b274d9eb62

  • SHA512

    95b0b1aceefbf2b7a259efe2f34c6d51e9ce7c2422b2745b57b8f718c36229acf747da03919c809ebcdb7df3238d130e8ee1aa7922df8e30d8d9c64bdd0b7d72

  • SSDEEP

    786432:Il6iTfRwFOU8ofAl2jpyY2JcDxvVPyaPZF:uf2V89l2YXJcD1jF

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Time Discovery 1 TTPs 1 IoCs

    An adversary may gather the system time and/or time zone settings from a local or remote system.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
  • Suspicious use of FindShellTrayWindow 40 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\614402c2936d3c6e8159d14cd7b7632659eb134ec664b5a90f4cf2b274d9eb62.exe
    "C:\Users\Admin\AppData\Local\Temp\614402c2936d3c6e8159d14cd7b7632659eb134ec664b5a90f4cf2b274d9eb62.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x86&rid=win10-x86&apphost_version=7.0.10&gui=true
      2⤵
      • System Time Discovery
      • Enumerates system info in registry
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3272
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb1ad946f8,0x7ffb1ad94708,0x7ffb1ad94718
        3⤵
          PID:2900
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,9711556482774249440,190942843820215947,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
          3⤵
            PID:4564
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,9711556482774249440,190942843820215947,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:2140
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,9711556482774249440,190942843820215947,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
            3⤵
              PID:1420
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9711556482774249440,190942843820215947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
              3⤵
                PID:2604
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9711556482774249440,190942843820215947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
                3⤵
                  PID:1384
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9711556482774249440,190942843820215947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:1
                  3⤵
                    PID:1104
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,9711556482774249440,190942843820215947,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5148 /prefetch:8
                    3⤵
                      PID:4336
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9711556482774249440,190942843820215947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
                      3⤵
                        PID:1696
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2096,9711556482774249440,190942843820215947,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5220 /prefetch:8
                        3⤵
                          PID:2844
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9711556482774249440,190942843820215947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
                          3⤵
                            PID:4912
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9711556482774249440,190942843820215947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
                            3⤵
                              PID:2684
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9711556482774249440,190942843820215947,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
                              3⤵
                                PID:744
                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,9711556482774249440,190942843820215947,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6588 /prefetch:8
                                3⤵
                                  PID:536
                                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,9711556482774249440,190942843820215947,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6588 /prefetch:8
                                  3⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:1560
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9711556482774249440,190942843820215947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
                                  3⤵
                                    PID:1592
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9711556482774249440,190942843820215947,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
                                    3⤵
                                      PID:1408
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,9711556482774249440,190942843820215947,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5208 /prefetch:2
                                      3⤵
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:1916
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:3564
                                  • C:\Windows\System32\CompPkgSrv.exe
                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                    1⤵
                                      PID:3456

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Downloads

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                      Filesize

                                      152B

                                      MD5

                                      506e03d65052f54028056da258af8ae6

                                      SHA1

                                      c960e67d09834d528e12e062302a97c26e317d0e

                                      SHA256

                                      b26d2695dfe8aed4d0d67d11b46d4542c3c9c8964533404dfe32ce7a3e6cfb98

                                      SHA512

                                      15da55267433c41febebbe48983023293c6d436f89a56138cef1cea7deb5cdd7d4bcf58af12835e1152a8ec59e08cfc965e521eb54eed47fe44e1f4c2d1557a4

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                      Filesize

                                      152B

                                      MD5

                                      a15dea0d79ea8ba114ad8141d7d10563

                                      SHA1

                                      9b730b2d809d4adef7e8b68660a05ac95b5b8478

                                      SHA256

                                      0c4dd77399040b8c38d41b77137861002ef209c79b486f7bbdb57b5834cd8dbf

                                      SHA512

                                      810fc1fb12bceae4ca3fad2a277682c2c56f0af91a329048adbeb433715b1f707927274e3e4a4479222f578e8218663533440c71b22c49735a290f907cc0af1f

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                      Filesize

                                      408B

                                      MD5

                                      642100f64dc719da47e70fe6cc7042dc

                                      SHA1

                                      b816bc16ae8b0f018ec2004f0a2f96bd8424a5e8

                                      SHA256

                                      278a6f1f2c0db5a1f17a8fbf47c71a732e96daa4dfd0cb8ee5742b1772287f86

                                      SHA512

                                      20a5021f12164dfbdeaaaf19232afd89326eddc690f1923d2a08d558d583cd8233e1e0bcb4e5c38af71b0d98eb503f25935884475a0278b59e482f6d5a966bb5

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                      Filesize

                                      1002B

                                      MD5

                                      ec63813c280f8a58939d33c6a5ecbe59

                                      SHA1

                                      a5bc5d88d51d3034563239cde98ceddba4dbd566

                                      SHA256

                                      cf013dd337810579a2cdf8355b432e761413aad1fe00370dc1a0343f79e45734

                                      SHA512

                                      f4f0c6589fd5885a54b692294ad64a9f30150f4599432416c44dbab72d569462fac049e2f6a4f0005a7a1b170ae6593425fad64a14498ec690fb90946344d2d8

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                      Filesize

                                      902B

                                      MD5

                                      5211e96da56798fe254472d03bb301f0

                                      SHA1

                                      bb8346863d21d3c9a8408f7bbf4dedae61e061de

                                      SHA256

                                      ea6fccb381c196ff2084deb01e12808e33987d54e5be268374c9673a15809e34

                                      SHA512

                                      af56d09e1c66a517ff0756bd8c451d4bb79c5504ba9ace39d748eabc5f32de5e3fe62874687cd9c4f1376fd7b3e2fe56d13a9c1ff7e16722d3746e92a57716ba

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                      Filesize

                                      6KB

                                      MD5

                                      d43781c436be8730935726c8eedd94ec

                                      SHA1

                                      ff0f02e530e1b12e2f33f97b762a6d318cfb5d3e

                                      SHA256

                                      0c298633ef45b4570d25818f89cd023d950d80ce930d4bbd47b510980b54b4d1

                                      SHA512

                                      b6c5722d5754a75f50493df88527e23398bbccbbf91dd7428a6ab65a464a8480e781de0ad80b694bef6a9bbfd70c7c566d1f8161c92efc8f94c5b2605d61dc94

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                      Filesize

                                      6KB

                                      MD5

                                      1978919f3d8f0a2b1f951e2405b85201

                                      SHA1

                                      8879d1eca59c6bb5f47c4f6433b0629fc14adae2

                                      SHA256

                                      1c0c7f10949530ca15d1d5029f31e208307f4d0cc0b298218618a29cbf2191d1

                                      SHA512

                                      0ec4f1dc63461b87159fe808fda0757a28b280f4e2708866956219fd43f568bc9583efd06aed656850e3c4608b15074c547f738c444802940372f25c62c79ae3

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                      Filesize

                                      703B

                                      MD5

                                      30f6f2c65e6b9aa3e5eae6f5fb98f5b8

                                      SHA1

                                      d8aefd3074471e7cf55d82af29462e633f2be06a

                                      SHA256

                                      7d9754cb750e6df93d71a7196e15129abc178467e7765679710c506d77683a96

                                      SHA512

                                      d82256f7bc62367bb759a16a96a96e974fb54065f260890fe93341aaee150b8dd95f9244c9b550801cfe3ab1636f76fbe082493d4cb65a74b462e5eb61e5af0b

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                      Filesize

                                      703B

                                      MD5

                                      f6f84399cd7638f79feef1dd695851c6

                                      SHA1

                                      f2ac0575e887c1576931105c1e2f82f9485b6c6a

                                      SHA256

                                      8db0b57c3c2df946b67bbda1e7db74fff411063f023599793ceb14deaf8f6e23

                                      SHA512

                                      52aa47c429315aabc116be0dc7944f1758ab20d86bfc96399f89c0c3290d6122d00bbc149918f7dec9b2df067526ee39d66be9188ecdbd54d5a52812c7705194

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58c1a5.TMP

                                      Filesize

                                      535B

                                      MD5

                                      6ecb591f7a665278d9707da042c2ec95

                                      SHA1

                                      ca4490c33be478c8bb26c8ac308efeb21ce80097

                                      SHA256

                                      084ef82de4f1f783467d6879860cff976de6e69e59c81027d8564580af7deecd

                                      SHA512

                                      1867dffbf80ed436f97de140d27d58b99dd310d80f9845bb17fd837b414175e89507336b36a82088a6ae4aa23aa45ffdbfc46e40df04147a40f39718baabcce8

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                      Filesize

                                      16B

                                      MD5

                                      6752a1d65b201c13b62ea44016eb221f

                                      SHA1

                                      58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                      SHA256

                                      0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                      SHA512

                                      9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                      Filesize

                                      11KB

                                      MD5

                                      7e719c1f8814989047e7b38e45d53096

                                      SHA1

                                      ac2e9049727296b41f9634bed6b34bff8ae10657

                                      SHA256

                                      e4490f8ce49a600a55a1e6026497a3d5d13fb8b7cabd48c12e88460f7c1926d4

                                      SHA512

                                      1b0369ca9f9120f74a595952e10957331e3ba7d44ddf283e090a03c4dd283e7bcb2c4ebfd43687e2400923e38df4fee283db04dca9347353c299455060620913