d88fd0eb47dc0dbeae83debc504d19ef6ccc17ef4e35c567a376b00ca753a6f1

Analysis

max time kernel
148s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
07-08-2024 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fatacs2.exe
Size

1.7MB
MD5

ff3b802e386ae4b65924a57c1ff166ec
SHA1

17a9b4dbb7fbee10a7efa09616799af7b5ea0e46
SHA256

d88fd0eb47dc0dbeae83debc504d19ef6ccc17ef4e35c567a376b00ca753a6f1
SHA512

da934a33d94032ba28e4063b3f33d42e34dbc707c9964681673b9f295406c9bbe81ea10b5c036e691aea842f49a0ba5842dd3af6b4b281dfdfbf7c07b6a7c5ff
SSDEEP

49152:7f9RWb2ny+KmcFRVy0dd917yrr7rbQJy4kPFM8:7fGb2BKmcEjzk

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3508	msedge.exe
3508	msedge.exe
1608	msedge.exe
1608	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1608	msedge.exe
1608	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 5216	1608	msedge.exe	93
PID 1608 wrote to memory of 5216	1608	msedge.exe	93
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 2480	1608	msedge.exe	94
PID 1608 wrote to memory of 3508	1608	msedge.exe	95
PID 1608 wrote to memory of 3508	1608	msedge.exe	95
PID 1608 wrote to memory of 6140	1608	msedge.exe	96
PID 1608 wrote to memory of 6140	1608	msedge.exe	96
PID 1608 wrote to memory of 6140	1608	msedge.exe	96
PID 1608 wrote to memory of 6140	1608	msedge.exe	96
PID 1608 wrote to memory of 6140	1608	msedge.exe	96
PID 1608 wrote to memory of 6140	1608	msedge.exe	96
PID 1608 wrote to memory of 6140	1608	msedge.exe	96
PID 1608 wrote to memory of 6140	1608	msedge.exe	96
PID 1608 wrote to memory of 6140	1608	msedge.exe	96
PID 1608 wrote to memory of 6140	1608	msedge.exe	96
PID 1608 wrote to memory of 6140	1608	msedge.exe	96
PID 1608 wrote to memory of 6140	1608	msedge.exe	96
PID 1608 wrote to memory of 6140	1608	msedge.exe	96
PID 1608 wrote to memory of 6140	1608	msedge.exe	96
PID 1608 wrote to memory of 6140	1608	msedge.exe	96
PID 1608 wrote to memory of 6140	1608	msedge.exe	96
PID 1608 wrote to memory of 6140	1608	msedge.exe	96
PID 1608 wrote to memory of 6140	1608	msedge.exe	96
PID 1608 wrote to memory of 6140	1608	msedge.exe	96
PID 1608 wrote to memory of 6140	1608	msedge.exe	96

C:\Users\Admin\AppData\Local\Temp\fatacs2.exe
"C:\Users\Admin\AppData\Local\Temp\fatacs2.exe"
1⤵
PID:1200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\vcredist2010_x86.log.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa034c3cb8,0x7ffa034c3cc8,0x7ffa034c3cd8
  2⤵
  PID:5216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,15452627393237705212,11715239773265259853,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:2480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,15452627393237705212,11715239773265259853,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,15452627393237705212,11715239773265259853,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2412 /prefetch:8
  2⤵
  PID:6140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15452627393237705212,11715239773265259853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15452627393237705212,11715239773265259853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:4664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5360

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:916

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1328

C:\Users\Admin\AppData\Local\Temp\fatacs2.exe
"C:\Users\Admin\AppData\Local\Temp\fatacs2.exe"
1⤵
PID:572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9828ffacf3deee7f4c1300366ec22fab

SHA1
9aff54b57502b0fc2be1b0b4b3380256fb785602

SHA256
a3d21f0fb6563a5c9d0f7a6e9c125ec3faaa86ff43f37cb85a8778abc87950f7

SHA512
2e73ea4d2fcd7c8d52487816110f5f4a808ed636ae87dd119702d1cd1ae315cbb25c8094a9dddf18f07472b4deaed3e7e26c9b499334b26bdb70d4fa7f84168d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6fdbe80e9fe20761b59e8f32398f4b14

SHA1
049b1f0c6fc4e93a4ba6b3c992f1d6cecf3ada1f

SHA256
b7f0d9ece2307bdc4f05a2d814c947451b007067ff8af977f77f06c3d5706942

SHA512
cf25c7fd0d6eccc46e7b58949c16d17ebeefb7edd6c76aa62f7ab5da52d1c6fc88bde620be40396d336789bd0d62b2162209a947d7ab69389e8c03682e880234

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
50fc8acd0c204f73adeb71b602fff498

SHA1
7dd8e2be9de84ebef883901559f1b64df426b2cf

SHA256
58f2638dcc61b0521e0f0de0f54bc72b6c1dfda8b845489562f228801c582122

SHA512
df15221cb7c5931ef73bd48ae005cb6b3ae550d4ba673be4bd86fc7e0c4634a2909e16159ae9a2e9b0652a8583fbb97bbb9d8302a8783ce08033e8237c9b95c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
111e6e6227914ad22079aa8b4e6441d7

SHA1
3179ac7e00a95f72297d417ef97773766c123c81

SHA256
fa7c0a6e040f82f292bee59995db85a17a03593bfa88ce1646567aee9227ec14

SHA512
40dd36dca91a3bb5bff31f640f6ab9b7538843bbb4c852ae9aebfeb75e9c2c729dc051e58a36093d20ee9b31e6d0eeb927ef9e7f87fb4007a8997d77bcb3c498

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9bca73af364c7ab6cc312c0a078aa7c5

SHA1
dde8a8d8efa1e8dbc9c86eab2e1634a4c4ce95b4

SHA256
6c67f88992fa79c967f5fb33e21448170f87aea090df5cba6441a124ab67e802

SHA512
d64e1a1d2c2dc208027dca4e2811dda37cf88a16dc0866ae1eaf9a9781eba6e35bba776e92cb3ee6367455b2cc40638ffa6b3cf045d13f45379a19367850cd76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit