8a98959bd08625a79795b643f3085a26efcb3a0741ca7ec271176592fa8680d8

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
31-07-2024 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UCenter_Home_1.5RC1_SC_utf8/upload/admin/tpl/blog.htm
Size

5KB
MD5

e4f16d4121b075977a49cc95dd37bd9a
SHA1

573ffb94b6048e2ff77d7c893e083d7487284de2
SHA256

56e622e13211c71906dd5f24c39ef10c7fa7b0ac0e2dcab75d9fd38ba17ae960
SHA512

5ed2ab93c75328f9bf4e9db707efb37116f65dadf3ef5bf38d33028c155de48427c3ad73471c7e6de499c9f3e753ea5af71a8e6a0f246b1940607aaa523a1342
SSDEEP

48:L2233ZyY6fPZPoKX1Lyg24KjuqPongQZBd8xY5ugrorHRgWDERgxsYnTLPoI1bIO:q28jPZPvXRy7uuOGY5borsUDHwxw

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
4580	msedge.exe
4580	msedge.exe
3704	msedge.exe
3704	msedge.exe
2840	identity_helper.exe
2840	identity_helper.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

3704 msedge.exe
3704 msedge.exe
3704 msedge.exe
3704 msedge.exe
3704 msedge.exe
3704 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3704 wrote to memory of 3916	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 3916	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2060	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 4580	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 4580	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 4688	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 4688	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 4688	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 4688	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 4688	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 4688	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 4688	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 4688	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 4688	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 4688	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 4688	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 4688	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 4688	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 4688	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 4688	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 4688	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 4688	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 4688	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 4688	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 4688	3704	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\UCenter_Home_1.5RC1_SC_utf8\upload\admin\tpl\blog.htm
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc9f8a46f8,0x7ffc9f8a4708,0x7ffc9f8a4718
2⤵
PID:3916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,8324093207270290202,805055076082157641,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
2⤵
PID:2060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,8324093207270290202,805055076082157641,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,8324093207270290202,805055076082157641,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
2⤵
PID:4688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8324093207270290202,805055076082157641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
2⤵
PID:4860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8324093207270290202,805055076082157641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
2⤵
PID:2548

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,8324093207270290202,805055076082157641,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 /prefetch:8
2⤵
PID:4120

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,8324093207270290202,805055076082157641,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8324093207270290202,805055076082157641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
2⤵
PID:5012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8324093207270290202,805055076082157641,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
2⤵
PID:1744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8324093207270290202,805055076082157641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
2⤵
PID:1732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8324093207270290202,805055076082157641,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
2⤵
PID:2044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,8324093207270290202,805055076082157641,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4640 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4488

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
23b6e2531d39ba76e0604a4685249f2d

SHA1
5f396f68bd58b4141a3a0927d0a93d5ef2c8172f

SHA256
4a486d7be440ddf2909be2c2b41e55f0666b02670bbf077ac435e3cddc55a15e

SHA512
a1a7fef086526e65184f60b61d483848183ef7c98cf09f05ac9e5b11504696406120ab01da8ed7f35e3145aa5fc54307c9397770681e4d10feea64113e7a57cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6ffd468ded3255ce35ba13e5d87c985a

SHA1
09f11746553fd82f0a0ddef4994dc3605f39ccec

SHA256
33103b1e4da1933459575d2e0441b8693ba1ede4695a3d924e2d74e72becabd8

SHA512
5d5530c57faa4711f51e4baef0d1f556937a5db1e2a54ee376c3556c01db0ddf628856f346057d3849baa5db35603b96a0a9894f3c65a80c947085eb640348ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8cd223534abe517ec081c0af2f8db474

SHA1
9aefe3bf344c7a72cf820b002663c2d36fa22026

SHA256
d6b98c658fd553319604b6f9e2a99abadf2006657439ad285486d77ddc03f5d9

SHA512
420150ca095b458f02263ad761906e7f06023711b26806ad7296a88f3e30d34960d23031bc1e9f991ef57c810ed8c220b368fa77f3b82e4e70741229813b2489

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1e044b4f888758006002c853fc02bc89

SHA1
4979ce3fe46c7880f79ea49d60868d8e76e2c749

SHA256
7154f98f0a9081e336a4e711d33113e7551b814a062dd8471a127b49c58544d4

SHA512
3d5d9a8b7c3b766d8bb8f7c28fbf1b1cb0b93495dfeddeedb77e8fae97afb176caf7dae4cebfe0b5a95b89d02d04d9784630b60779df05773d578a797e64387d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3cc65b81d3d096367060680f5a1e9252

SHA1
8779e00b71275e2b1e0ed9c622c1bdd4da80d75b

SHA256
fb31673a04c79a25de735f9891c33d6adcb8145f8eb910e68f5e4b9df66b986e

SHA512
b5130b44899be1c13367b44a4294c6da6129f86262632c542f057f6efe4fa38b5f22259f9b2dafac7ec9566ec99b8ebd70d1878609141d0f7fe6296aa9823723

Download Submit
\??\pipe\LOCAL\crashpad_3704_LDIRFDWJHHLOHUAT

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit