5a029c8866637cdd037ce33b507bd8477da4f80a7d3ccdd2261548a049b49b33

Analysis

max time kernel
145s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2024 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

upload/fckeditor/editor/dialog/fck_colorselector.html
Size

5KB
MD5

bf9b03f5294b4e5b308da75379c81b64
SHA1

1481348f47a1d3a1aeb70338e1eaed8da055be76
SHA256

a28cc32211d7c3fc05c048463b89f6d3c1f0ba8a068e4b78d2b2e0c27dca1fb1
SHA512

abd28e6713ce0e2f38d16a3b7210f3305a5a3058ddc472e2f79c8b0c72100a8993738fe5bda89eb18da65ad6876179be655f6605eda1fea07a72884cc602ff00
SSDEEP

96:9QxgqzqhoIqqPVTkGKLZjJZg984DsWy5vltrLVCfCfNEvy91VxrUVLJ0I1SDgpYX:OGhBeLZjJZl4Ds7R8fCfNj91voPTDpYX

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
4500	msedge.exe
4500	msedge.exe
2136	msedge.exe
2136	msedge.exe
3484	identity_helper.exe
3484	identity_helper.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

2136 msedge.exe
2136 msedge.exe
2136 msedge.exe
2136 msedge.exe
2136 msedge.exe
2136 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2136 wrote to memory of 3016	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3016	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3828	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 4500	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 4500	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3700	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3700	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3700	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3700	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3700	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3700	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3700	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3700	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3700	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3700	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3700	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3700	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3700	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3700	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3700	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3700	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3700	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3700	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3700	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 3700	2136	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\upload\fckeditor\editor\dialog\fck_colorselector.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffaa9e46f8,0x7fffaa9e4708,0x7fffaa9e4718
2⤵
PID:3016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2352,17073482390197326418,10070417517956646061,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2360 /prefetch:2
2⤵
PID:3828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2352,17073482390197326418,10070417517956646061,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2352,17073482390197326418,10070417517956646061,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8
2⤵
PID:3700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2352,17073482390197326418,10070417517956646061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
2⤵
PID:1288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2352,17073482390197326418,10070417517956646061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
2⤵
PID:4544

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2352,17073482390197326418,10070417517956646061,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
2⤵
PID:1696

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2352,17073482390197326418,10070417517956646061,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2352,17073482390197326418,10070417517956646061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
2⤵
PID:1740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2352,17073482390197326418,10070417517956646061,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
2⤵
PID:4000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2352,17073482390197326418,10070417517956646061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
2⤵
PID:948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2352,17073482390197326418,10070417517956646061,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
2⤵
PID:4928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2352,17073482390197326418,10070417517956646061,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=180 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2908

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1440

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
23b6e2531d39ba76e0604a4685249f2d

SHA1
5f396f68bd58b4141a3a0927d0a93d5ef2c8172f

SHA256
4a486d7be440ddf2909be2c2b41e55f0666b02670bbf077ac435e3cddc55a15e

SHA512
a1a7fef086526e65184f60b61d483848183ef7c98cf09f05ac9e5b11504696406120ab01da8ed7f35e3145aa5fc54307c9397770681e4d10feea64113e7a57cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6ffd468ded3255ce35ba13e5d87c985a

SHA1
09f11746553fd82f0a0ddef4994dc3605f39ccec

SHA256
33103b1e4da1933459575d2e0441b8693ba1ede4695a3d924e2d74e72becabd8

SHA512
5d5530c57faa4711f51e4baef0d1f556937a5db1e2a54ee376c3556c01db0ddf628856f346057d3849baa5db35603b96a0a9894f3c65a80c947085eb640348ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
cd0d2416a06cb536af1bc5fcf112e5a5

SHA1
4fe0832fab2f3652110374216ee9c7fa258aabfc

SHA256
1f6c59c76fb8849b9c9ad68be9c51f895707803297cbd9c4a022ba1419643ec4

SHA512
a00da8596546c3e44a01ef4db8141d88e00f74e3d41b1809d5d2c22a5a834292f0d8de24471d60d342e71edec1cea328dfa699c9da1375113b27d37ddaa3e8e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
cd3b6fec6263a3b33a6d5f42756d2268

SHA1
51df7870ca59a401f8d6aa61cef6b14cd075c7d5

SHA256
cf32a3f9e2e9f0037a46839060cd61f6aeff5b8ea2842718fec13daa3d0659df

SHA512
d9a0d7dff529f4abf4fa722b0d6282c42ae44e51769ffd6cf8c678b84c05e6c3c8de7f4059ac4b8e0521eb8f646c0a7b1af3870159e92e91d34d930c7d5ec20e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
b9463fa4d3a1b0bc6b431cec342e8619

SHA1
1664626f5a8a4a43f4c26a255958cd04c5183bbc

SHA256
1ed2e30082c3e4d88bff9b13770565b576e608162d73f8f1458e0a776e88388b

SHA512
aa4244cb8167794b535d352fdb6bc3ec03e17334a702515e5c9ddf2f301867e699bc59fffb2db796e17aebda6b03259ce13b1f5ede65c540dcbef86bf3d0bb48

Download Submit
\??\pipe\LOCAL\crashpad_2136_ZUVZBLUBDGUGIPVP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit