1b9407b61eeb685867c5e8be9472c5130f54f55ea0fe1db2e2e18d60c74f7a58

Analysis

max time kernel
78s
max time network
142s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
10/08/2024, 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.js
Size

23KB
MD5

43f55cd52b12e5a1b97c8b42c5a2ed06
SHA1

9bb20316345f6e92f3ac39072c594c3764532e1b
SHA256

1b9407b61eeb685867c5e8be9472c5130f54f55ea0fe1db2e2e18d60c74f7a58
SHA512

ce3f66993659d4d0a7a1e767f9afc8efbbd66efa98fd2989ad16519f0e084fd6df1f78f6aab0870a8696caa77ada6beb4af3df5615d4c8aa3d7e3faf4c014de2
SSDEEP

384:f0DcDlsN6NQ+7frXdzmGpB+yP5EEDzEDi/ihN:f6kQ+7jXdzmGqyP5EEDzEm6hN

Score

3^/10

discovery execution

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3184	msedge.exe
3184	msedge.exe
5868	msedge.exe
5868	msedge.exe
1488	msedge.exe
1488	msedge.exe
5620	identity_helper.exe
5620	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5868 wrote to memory of 5320	5868	msedge.exe	85
PID 5868 wrote to memory of 5320	5868	msedge.exe	85
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 4128	5868	msedge.exe	86
PID 5868 wrote to memory of 3184	5868	msedge.exe	87
PID 5868 wrote to memory of 3184	5868	msedge.exe	87
PID 5868 wrote to memory of 2868	5868	msedge.exe	88
PID 5868 wrote to memory of 2868	5868	msedge.exe	88
PID 5868 wrote to memory of 2868	5868	msedge.exe	88
PID 5868 wrote to memory of 2868	5868	msedge.exe	88
PID 5868 wrote to memory of 2868	5868	msedge.exe	88
PID 5868 wrote to memory of 2868	5868	msedge.exe	88
PID 5868 wrote to memory of 2868	5868	msedge.exe	88
PID 5868 wrote to memory of 2868	5868	msedge.exe	88
PID 5868 wrote to memory of 2868	5868	msedge.exe	88
PID 5868 wrote to memory of 2868	5868	msedge.exe	88
PID 5868 wrote to memory of 2868	5868	msedge.exe	88
PID 5868 wrote to memory of 2868	5868	msedge.exe	88
PID 5868 wrote to memory of 2868	5868	msedge.exe	88
PID 5868 wrote to memory of 2868	5868	msedge.exe	88
PID 5868 wrote to memory of 2868	5868	msedge.exe	88
PID 5868 wrote to memory of 2868	5868	msedge.exe	88
PID 5868 wrote to memory of 2868	5868	msedge.exe	88
PID 5868 wrote to memory of 2868	5868	msedge.exe	88
PID 5868 wrote to memory of 2868	5868	msedge.exe	88
PID 5868 wrote to memory of 2868	5868	msedge.exe	88

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\sample.js
1⤵
PID:1832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffda0693cb8,0x7ffda0693cc8,0x7ffda0693cd8
  2⤵
  PID:5320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,1199175139016064182,12582350596800265528,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,1199175139016064182,12582350596800265528,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,1199175139016064182,12582350596800265528,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2500 /prefetch:8
  2⤵
  PID:2868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,1199175139016064182,12582350596800265528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,1199175139016064182,12582350596800265528,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,1199175139016064182,12582350596800265528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:1
  2⤵
  PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,1199175139016064182,12582350596800265528,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1928,1199175139016064182,12582350596800265528,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3372 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,1199175139016064182,12582350596800265528,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,1199175139016064182,12582350596800265528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
  2⤵
  PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,1199175139016064182,12582350596800265528,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
  2⤵
  PID:1564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,1199175139016064182,12582350596800265528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
  2⤵
  PID:1508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d30a5618854b9da7bcfc03aeb0a594c4

SHA1
7f37105d7e5b1ecb270726915956c2271116eab7

SHA256
3494c446aa3cb038f1d920b26910b7fe1f4286db78cb3f203ad02cb93889c1a8

SHA512
efd488fcd1729017a596ddd2950bff07d5a11140cba56ff8e0c62ef62827b35c22857bc4f5f5ea11ccc2e1394c0b3ee8651df62a25e66710f320e7a2cf4d1a77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
03a56f81ee69dd9727832df26709a1c9

SHA1
ab6754cc9ebd922ef3c37b7e84ff20e250cfde3b

SHA256
65d97e83b315d9140f3922b278d08352809f955e2a714fedfaea6283a5300e53

SHA512
e9915f11e74c1bcf7f80d1bcdc8175df820af30f223a17c0fe11b6808e5a400550dcbe59b64346b7741c7c77735abefaf2c988753e11d086000522a05a0f7781

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4213848e3865d33c252a42482d9548b7

SHA1
1a6b5ad0703fdcf1fa20e77fd86d4c24a2440ed3

SHA256
649c3030e4e77f08d61a78ff26e0aa38a0986b738a0c7e0d607f3340315d4698

SHA512
c2be562a65a0ac1d0d4a10b2bd6e83b682d770e3c5cc572f0aa8fe744cde2d232bb468a492c15124f4697dd1d04a9376940de0208a5b1aa1c67ffb5c1097c35f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4735ea45a8030a128d8abb6644164a27

SHA1
a3baf8c6670670a6923fc6d8aba646840cefba8d

SHA256
7d7f05e13cd5a506eb81af8de894c9a9a169b9e2c0e45e1928a9b7619fb3ce33

SHA512
4fdd90ead527719f88dd74ac9f905ffb39ea0b79b65c9c9a59a70e035573c97ef4f839ebfd63aa0f3671e157316ab30f9ecfa210eefa49d11f1cc0f6a4edf4ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fdb788ba320a49413f7e7093f6b3b8ba

SHA1
376be0ddffc36210a01c30555878d8450b81dd8e

SHA256
5f7561f348c188867bd07f830af293fb8f7835348f7af049289826581bb7bf75

SHA512
22e1cefab517373d4867a67000a1cefa79610177718d776f29163d88736e69be549121e402d8dd72b5055a03b4fb1406a707db99ecc6fd894c457cbf74ab34a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2f7d97b273a82631d4eb54e0dcb1efc5

SHA1
a65bfcf353e70f2bffb193669158beca17b855af

SHA256
3ca13b856e8e0007e8ccea86803411697b2729a0f2f1ea7980ee0e52f3a41600

SHA512
dc13fc320a576a446ae9544f89565c3d2450f1e30a083e870fcaa9aa6be81fd91f794a40bb0da31d5ad53b352c507b357c8f3f301107be53600bb3e43a60fdbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9de448cb90885b8d8f045a52c83a96bf

SHA1
cb21d86949bdf8d902e5c12287c19617a26d1e61

SHA256
dc04381db30003e1c2134de996aaba68241a02bc5f7b5bcc33ffdac907d2777a

SHA512
680eea98755b76def0d388bda2094ab7d4ae7282e7f0ab50c12fee8d7e1d4d8c088a67532587a8b2d0ee1b382721e5b2147b4b770b5b6fa42654ddc3fd17f296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit