4bdfa8e89d95d1ecedd2b2793d8b21c0f71c8183adc10b469bd4032d461fcf75

Analysis

max time kernel
141s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 13:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

wordpress/readme.html
Size

8KB
MD5

eba8f8e7479da1cf64e520cb6156251c
SHA1

0cccea4f73677c5b7b875bdcf297b6ea2d85a993
SHA256

93c069b9ff0515c904ca9447d3c9c344b20c1a1aefb6caec10f128def615c597
SHA512

398fbe6a4c52ddf7023a867551d75924d393f96460d7359179e004c54b44bf9aed03a173294d64fa585f678d9063e2b5c636f2417da6b80fcdf8a556f523bb3b
SSDEEP

192:6QWEAVWrD+hQUFzTg7kbifjuu/YmSXSktwLWRdR:6xEMoOFcJf4g8H

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2080	msedge.exe
2080	msedge.exe
2420	msedge.exe
2420	msedge.exe
3584	identity_helper.exe
3584	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 3948	2420	msedge.exe	85
PID 2420 wrote to memory of 3948	2420	msedge.exe	85
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 1748	2420	msedge.exe	86
PID 2420 wrote to memory of 2080	2420	msedge.exe	87
PID 2420 wrote to memory of 2080	2420	msedge.exe	87
PID 2420 wrote to memory of 2748	2420	msedge.exe	88
PID 2420 wrote to memory of 2748	2420	msedge.exe	88
PID 2420 wrote to memory of 2748	2420	msedge.exe	88
PID 2420 wrote to memory of 2748	2420	msedge.exe	88
PID 2420 wrote to memory of 2748	2420	msedge.exe	88
PID 2420 wrote to memory of 2748	2420	msedge.exe	88
PID 2420 wrote to memory of 2748	2420	msedge.exe	88
PID 2420 wrote to memory of 2748	2420	msedge.exe	88
PID 2420 wrote to memory of 2748	2420	msedge.exe	88
PID 2420 wrote to memory of 2748	2420	msedge.exe	88
PID 2420 wrote to memory of 2748	2420	msedge.exe	88
PID 2420 wrote to memory of 2748	2420	msedge.exe	88
PID 2420 wrote to memory of 2748	2420	msedge.exe	88
PID 2420 wrote to memory of 2748	2420	msedge.exe	88
PID 2420 wrote to memory of 2748	2420	msedge.exe	88
PID 2420 wrote to memory of 2748	2420	msedge.exe	88
PID 2420 wrote to memory of 2748	2420	msedge.exe	88
PID 2420 wrote to memory of 2748	2420	msedge.exe	88
PID 2420 wrote to memory of 2748	2420	msedge.exe	88
PID 2420 wrote to memory of 2748	2420	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\wordpress\readme.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8fa446f8,0x7ffa8fa44708,0x7ffa8fa44718
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,9150198731447307778,2920091258167593384,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:1748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,9150198731447307778,2920091258167593384,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,9150198731447307778,2920091258167593384,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
  2⤵
  PID:2748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9150198731447307778,2920091258167593384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9150198731447307778,2920091258167593384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,9150198731447307778,2920091258167593384,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,9150198731447307778,2920091258167593384,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9150198731447307778,2920091258167593384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9150198731447307778,2920091258167593384,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9150198731447307778,2920091258167593384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9150198731447307778,2920091258167593384,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9150198731447307778,2920091258167593384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9150198731447307778,2920091258167593384,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:1
  2⤵
  PID:1900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4144

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
e378557aa50d7766e0cb6b4a45c88cce

SHA1
5b12d0b58edeae9272125b4e027ff184a025e85e

SHA256
02d7834b115eda5f3544c172ab7e6b2e0c898d59c7dfa23b66cbce9e4a4970f3

SHA512
a77bf3290cead162d0c756936469b8a4983703bae9f7cde48eedb9def241657509cbc041762ec1a2a2c28074b5c5d9e25293abf75c606659386fd490ed5e7488

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d21544fa18ab8255d0440880fee3a598

SHA1
2442a2864e1aa336c3cea64bf20ed475c9b45382

SHA256
c5f1c00788a8ad592de8e97d4fefd77ff398e646b624a3faa1f0b1ea6fe23d53

SHA512
6999801460466c90c2fe6871e8bdc1175ddc6bc745b5492a1d92b025d766166ebf44bd2f71d79d8792e1361ebae7ef1d8fbe51ebd39da3cf55e671ae04a63d57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d36fb53d71ef8bf42c6f7620aacf9770

SHA1
73b146bb13a0360e087211f9b2a4ac1d6d5014ed

SHA256
018848b9a387426b211ad15f99533157c69d14f7d4e0f1caee52471fc22e56e2

SHA512
df0f41bfe26e2c538b7d0a84645371da39bc243f48e783b09d9d07bc8bf10f0def8db716353b402561cfea04a42963f8f1e52341b4e3e4bd579a5323376fbc41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
375c0886c6fd6855101bd8a9c2952e13

SHA1
da629e23400e87d732f8ae3278d64540e5de695f

SHA256
d281136e67dbd261765375958fcd5386f1fa6dd511335aa5a2bdb721742a799e

SHA512
15d14d4fd8a1870b753718376df4a450c1f79a88d4e8d06af85db62a9d5ee4dda021709db3918c8549545f4a0b7f785a231d45c2120934038dcecbb0126cb583

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
259c64200c57a9a8fd15a83758d72fb6

SHA1
f9555e00726a15395015260e8242d3a0f2b4c708

SHA256
b136ea8516a48330c6ac5b36baeb41817d4ba2e3f0db9049077dedd86d4f7a87

SHA512
dc9ab6eeb80efa8c0d48b2ca3350b76591dfa4ee933782f7f2a1c4b0128c565e1464005ae6ddab947ee2a0d290186ec76b3bdb8aeaf111aad6eae6c689928a49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1c353436b9592b5102ad8ddef6eee37d

SHA1
48a627f9f7c422463a139ab5f74dbfce3b7b67c9

SHA256
df5078f8dc2c7eb23e2d8f0b2d3820e7600ec72d1dd905dee11adfd650a51ce3

SHA512
fb597f0b4c199cbb265453ba6019f508aa59f357655335d33b990a4f67b32072db42ff96872800f198aa94f090c20180a93c77e9abbcd0289aa54effd737469c

Download Submit