47961c394d3b03bd1670e702b2ac59071dc54535657c82772e08e0a2d767b7c4

Analysis

max time kernel
1195s
max time network
1161s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
10-08-2024 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mineways/docs/scripting.html
Size

60KB
MD5

2da977bc75547c56911a4cea47199972
SHA1

99071ee6c7b56afdb20c89ef9ebf43b3406bc48a
SHA256

3ff20ddea46c9c16f7dbe093a189f92b2550943f85e6b5ee9c03940e1149944d
SHA512

c9225a6d3e22fb2e5927a3b5ba312811c8ce80fbc9c12d0c782d40c882c8c83c3d766d2da46442258b046025d31be20945c5474f010afe51c57e3c99fa11f13f
SSDEEP

1536:flRYpehiMD9CXhWudadcDezo8lmJEylVsdvi9:nYpMiMD9CXhWuAdcDezoymJpVWvi9

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4884	msedge.exe
4884	msedge.exe
1608	msedge.exe
1608	msedge.exe
4284	msedge.exe
4284	msedge.exe
2904	identity_helper.exe
2904	identity_helper.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 1680	1608	msedge.exe	79
PID 1608 wrote to memory of 1680	1608	msedge.exe	79
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 5000	1608	msedge.exe	80
PID 1608 wrote to memory of 4884	1608	msedge.exe	81
PID 1608 wrote to memory of 4884	1608	msedge.exe	81
PID 1608 wrote to memory of 2092	1608	msedge.exe	82
PID 1608 wrote to memory of 2092	1608	msedge.exe	82
PID 1608 wrote to memory of 2092	1608	msedge.exe	82
PID 1608 wrote to memory of 2092	1608	msedge.exe	82
PID 1608 wrote to memory of 2092	1608	msedge.exe	82
PID 1608 wrote to memory of 2092	1608	msedge.exe	82
PID 1608 wrote to memory of 2092	1608	msedge.exe	82
PID 1608 wrote to memory of 2092	1608	msedge.exe	82
PID 1608 wrote to memory of 2092	1608	msedge.exe	82
PID 1608 wrote to memory of 2092	1608	msedge.exe	82
PID 1608 wrote to memory of 2092	1608	msedge.exe	82
PID 1608 wrote to memory of 2092	1608	msedge.exe	82
PID 1608 wrote to memory of 2092	1608	msedge.exe	82
PID 1608 wrote to memory of 2092	1608	msedge.exe	82
PID 1608 wrote to memory of 2092	1608	msedge.exe	82
PID 1608 wrote to memory of 2092	1608	msedge.exe	82
PID 1608 wrote to memory of 2092	1608	msedge.exe	82
PID 1608 wrote to memory of 2092	1608	msedge.exe	82
PID 1608 wrote to memory of 2092	1608	msedge.exe	82
PID 1608 wrote to memory of 2092	1608	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\mineways\docs\scripting.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffab8fa3cb8,0x7ffab8fa3cc8,0x7ffab8fa3cd8
  2⤵
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,9905889297716361999,17157622699618354790,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,9905889297716361999,17157622699618354790,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,9905889297716361999,17157622699618354790,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
  2⤵
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,9905889297716361999,17157622699618354790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:2604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,9905889297716361999,17157622699618354790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,9905889297716361999,17157622699618354790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,9905889297716361999,17157622699618354790,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,9905889297716361999,17157622699618354790,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5744 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,9905889297716361999,17157622699618354790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,9905889297716361999,17157622699618354790,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:1208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,9905889297716361999,17157622699618354790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,9905889297716361999,17157622699618354790,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:1060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,9905889297716361999,17157622699618354790,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4852 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c3889d3f0d2246f800c495aec7c3f7c

SHA1
dd38e6bf74617bfcf9d6cceff2f746a094114220

SHA256
0a4781bca132edf11500537cbf95ff840c2b6fd33cd94809ca9929f00044bea4

SHA512
2d6cb23e2977c0890f69751a96daeb71e0f12089625f32b34b032615435408f21047b90c19de09f83ef99957681440fdc0c985e079bb196371881b5fdca68a37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c4a10f6df4922438ca68ada540730100

SHA1
4c7bfbe3e2358a28bf5b024c4be485fa6773629e

SHA256
f286c908fea67163f02532503b5555a939f894c6f2e683d80679b7e5726a7c02

SHA512
b4d407341989e0bbbe0cdd64f7757bea17f0141a89104301dd7ffe45e7511d3ea27c53306381a29c24df68bdb9677eb8c07d4d88874d86aba41bb6f0ce7a942c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
744B

MD5
e7d059d7345c5463782a9f197cdb4c3a

SHA1
a8a10731cb23dad1b287752f03b8d90b2702ef81

SHA256
e37aa9dffe8450d3f3c29ca4150ff794b241d8ea144fc3316a3be876af158284

SHA512
495c575c4695b41af00a5b795c5bda9b95a6806a9f5a918485e2f1b6a36fa2138fa8b7a4794254bfeb2aada25dd3a11f15050064e80b5d4fe54f8e8ecc2c4960

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
524B

MD5
b338e866a6df75bb5c589911c0afa913

SHA1
19f9a504a2ca07fade5e85381211a78b28970c03

SHA256
d48808c3825ac9760050cbf077a3b3a974c03f27d4a86168d01b0275f6269b11

SHA512
449eadadab736cf345dcfa23abf3911309130530e97ed8b1680398923320cdee11a0e23d8be4b5fc4a69f298c0cdcee61dcdc494af1de9f6b498d4a1d1a9bad9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5888600e841a9119205ec330fa193107

SHA1
55772db6cf832436c2e0848772239a720fe955a5

SHA256
67238b903715326305fb86a87e8d2d8316880d57d44027096ca3bcad4f0a4bf5

SHA512
711e19f1435ce98985f492f0966350b2b8bd6e871da8f2d34ec5065b527a0723d2db3d1032c2d00703616f76a4bcb0303fdb705eecf8ff2ec26900b0a1161866

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9fc7aaca5aea70128e5b9290eafbea50

SHA1
332b5cb150aed0778db0caaf56b748bb718e3246

SHA256
dc16990ccd88b32b19820f261608d9d6e7cc2bbd3a6ee1512eff85b7a3306193

SHA512
ab6591abb94f718291debb61e822ee5aa9ac2d4463ac526e02bd9785ac29102e873cd152e8c051803f74165d73c2d5830c67b2256cba37dcc3d614c3f57757c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ee69216eb031974ed3d9e71e16f4916f

SHA1
c3ea081fbd3657113a1a234bd7d3094d91b72c4b

SHA256
c5f8af92c4b9a07506079a8910af8ceb3e344bc3054206bfe3dc23903ebcc7a7

SHA512
095abc9997b9877eeb6efc9ff4485e56e634ff9abdcfd32e1fa2ca0dff457710b2c695db336bc928bc9750221ea72ab8c857fce30a5bf6331ee4fdc7c223a7e7

Download Submit