026b73a4ed8b05ee06fea08030ad986be2ccd7b95c3ed8d01571d9d83043cb57

Analysis

max time kernel
146s
max time network
138s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
02/08/2024, 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LICENSES.chromium.html
Size

7.9MB
MD5

8303b3a19888f41062a614cd95b2e2d2
SHA1

a112ee5559c27b01e3114cf10050531cab3d98a6
SHA256

9c088caac76cf5be69e0397d76fe9397017585cffdba327692ff1b3a6c00d68f
SHA512

281b2ecc99502a050ee69e31256dec135e8cb877d1a6ba9f1c975fcfb11c062980ee6061d2368b62f91e392953ae6235dd726a9d98e6efc1302f7ed713099179
SSDEEP

24576:dbTq6T06T5kJWSIRWnBIl70mfT76y6E65606F/HXpErpem:t4scj

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4192	msedge.exe
4192	msedge.exe
1624	msedge.exe
1624	msedge.exe
2712	identity_helper.exe
2712	identity_helper.exe
3044	msedge.exe
3044	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 4212	1624	msedge.exe	80
PID 1624 wrote to memory of 4212	1624	msedge.exe	80
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 2912	1624	msedge.exe	81
PID 1624 wrote to memory of 4192	1624	msedge.exe	82
PID 1624 wrote to memory of 4192	1624	msedge.exe	82
PID 1624 wrote to memory of 4784	1624	msedge.exe	83
PID 1624 wrote to memory of 4784	1624	msedge.exe	83
PID 1624 wrote to memory of 4784	1624	msedge.exe	83
PID 1624 wrote to memory of 4784	1624	msedge.exe	83
PID 1624 wrote to memory of 4784	1624	msedge.exe	83
PID 1624 wrote to memory of 4784	1624	msedge.exe	83
PID 1624 wrote to memory of 4784	1624	msedge.exe	83
PID 1624 wrote to memory of 4784	1624	msedge.exe	83
PID 1624 wrote to memory of 4784	1624	msedge.exe	83
PID 1624 wrote to memory of 4784	1624	msedge.exe	83
PID 1624 wrote to memory of 4784	1624	msedge.exe	83
PID 1624 wrote to memory of 4784	1624	msedge.exe	83
PID 1624 wrote to memory of 4784	1624	msedge.exe	83
PID 1624 wrote to memory of 4784	1624	msedge.exe	83
PID 1624 wrote to memory of 4784	1624	msedge.exe	83
PID 1624 wrote to memory of 4784	1624	msedge.exe	83
PID 1624 wrote to memory of 4784	1624	msedge.exe	83
PID 1624 wrote to memory of 4784	1624	msedge.exe	83
PID 1624 wrote to memory of 4784	1624	msedge.exe	83
PID 1624 wrote to memory of 4784	1624	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdfde83cb8,0x7ffdfde83cc8,0x7ffdfde83cd8
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,11891486826147293639,11533850373588742679,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,11891486826147293639,11533850373588742679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,11891486826147293639,11533850373588742679,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:8
  2⤵
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,11891486826147293639,11533850373588742679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,11891486826147293639,11533850373588742679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,11891486826147293639,11533850373588742679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,11891486826147293639,11533850373588742679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:1140
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,11891486826147293639,11533850373588742679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,11891486826147293639,11533850373588742679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,11891486826147293639,11533850373588742679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,11891486826147293639,11533850373588742679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4328 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,11891486826147293639,11533850373588742679,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2648 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\2f96ca20-7ac3-4e5d-bf3d-be2f367b5678.tmp

Filesize
8KB

MD5
31ba3f2b3473c02eabf9782ac0b8aec2

SHA1
07f17e2906e0dd61a49639dd0d8df8fd58c084eb

SHA256
67646c14cc64e2996fd58fa04ac6a4ce7dab3ff8f77c49074cea912b5c716708

SHA512
305383c6e270ee5793ee61a4c0471b7d6aee67a2342c100b5ada31a81f77d16cdf7db02ca380a31ff883ae1f980242217fabefc7ca42ae5d2f65997ec91963ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
302c3de891ef3a75b81a269db4e1cf22

SHA1
5401eb5166da78256771e8e0281ca2d1f471c76f

SHA256
1d1640e5755779c90676290853d2e3ca948f57cf5fb1df4b786e277a97757f58

SHA512
da18e7d40376fd13255f3f67a004c3a7f408466bd7ce92e36a4d0c20441279fe4b1b6e0874ab74c494663fb97bd7992b5e7c264b3fc434c1e981326595263d33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c9efc5ba989271670c86d3d3dd581b39

SHA1
3ad714bcf6bac85e368b8ba379540698d038084f

SHA256
c2e16990b0f6f23efdcecd99044993a4c2b8ba87bd542dd8f6256d69e24b93b3

SHA512
c1bc0dc70ab827b54feb64ad069d21e1c3c28d57d126b08314a9670437881d77dba02b5cca57ef0f2aa7f8e7d4d163fbd2c6f246ea2d51ce201d61a89015e8b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e7c6c1a6de79e25dfd9129b0c946b20a

SHA1
4933c48a03bfc086352950f01c97d5262bc5bda7

SHA256
b7491836b0c691eeb87b922b4c3b4821c84e87318971c81a51155ac39ac3bcda

SHA512
1f3b61f2c3af3cd5ca63d31561d489c54c42fc74f0738b7bc78a0dea11fa050d62b99db048bff6b763ac86b9334d0309ea82113115cbcad62df678f6a6c8664f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ed90ddf9d40e685ec8399ee9f0775293

SHA1
abae925ceb6c4ae975a10743a27cf0e14a380cba

SHA256
1051e7497fab5509f5113db3c9981afb0a6c58b4fbc118e48ca4c2f836272b63

SHA512
50b75e3c07947a5be5bc57b0f055a1267be169ef262b86d83e5ac0adc04e62c93a0969e213d6e19e2f3d187a0e4bc880735fd432ea030d596eabdcc227bb0961

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
1e39e851ad4dc87f56292718eaea52de

SHA1
bb20c9a0fd1d9d14715ee7a24a0dfc1aa984c954

SHA256
680752ad3fb15891a27a4318481a96de7e8a49705f913a5ddd039764dc269a4f

SHA512
93e1af64c9384c990cd776428f2fabfdac867629e928bd5eb3fab912fa9d6ca61871b747dd407e093556ceb47f6ae2e138a1ca3833b4191cc958d46f1d2bf695

Download Submit