hxxps://github[.]com/electron/electron/issues/36698

Analysis

max time kernel
600s
max time network
623s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/08/2024, 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/electron/electron/issues/36698

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2336	msedge.exe
2336	msedge.exe
4376	msedge.exe
4376	msedge.exe
876	identity_helper.exe
876	identity_helper.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 2432	4376	msedge.exe	85
PID 4376 wrote to memory of 2432	4376	msedge.exe	85
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 3204	4376	msedge.exe	86
PID 4376 wrote to memory of 2336	4376	msedge.exe	87
PID 4376 wrote to memory of 2336	4376	msedge.exe	87
PID 4376 wrote to memory of 696	4376	msedge.exe	88
PID 4376 wrote to memory of 696	4376	msedge.exe	88
PID 4376 wrote to memory of 696	4376	msedge.exe	88
PID 4376 wrote to memory of 696	4376	msedge.exe	88
PID 4376 wrote to memory of 696	4376	msedge.exe	88
PID 4376 wrote to memory of 696	4376	msedge.exe	88
PID 4376 wrote to memory of 696	4376	msedge.exe	88
PID 4376 wrote to memory of 696	4376	msedge.exe	88
PID 4376 wrote to memory of 696	4376	msedge.exe	88
PID 4376 wrote to memory of 696	4376	msedge.exe	88
PID 4376 wrote to memory of 696	4376	msedge.exe	88
PID 4376 wrote to memory of 696	4376	msedge.exe	88
PID 4376 wrote to memory of 696	4376	msedge.exe	88
PID 4376 wrote to memory of 696	4376	msedge.exe	88
PID 4376 wrote to memory of 696	4376	msedge.exe	88
PID 4376 wrote to memory of 696	4376	msedge.exe	88
PID 4376 wrote to memory of 696	4376	msedge.exe	88
PID 4376 wrote to memory of 696	4376	msedge.exe	88
PID 4376 wrote to memory of 696	4376	msedge.exe	88
PID 4376 wrote to memory of 696	4376	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/electron/electron/issues/36698
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcc66c46f8,0x7ffcc66c4708,0x7ffcc66c4718
  2⤵
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,9081527522141708647,6012711720605286590,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
  2⤵
  PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,9081527522141708647,6012711720605286590,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,9081527522141708647,6012711720605286590,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
  2⤵
  PID:696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,9081527522141708647,6012711720605286590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,9081527522141708647,6012711720605286590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,9081527522141708647,6012711720605286590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:1328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,9081527522141708647,6012711720605286590,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,9081527522141708647,6012711720605286590,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,9081527522141708647,6012711720605286590,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,9081527522141708647,6012711720605286590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,9081527522141708647,6012711720605286590,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,9081527522141708647,6012711720605286590,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2036 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2816

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
2f1f5404e72b568f0ed2acba6bf20ae9

SHA1
4e4cec4a2f905b2d739feb9b6984895d34d7527f

SHA256
6d9ea383e7a6eebc252fe2a38a5667f806bedd484ca8326791bc59a17b2ed294

SHA512
47c236ade4663ff39ed47c565b250b2b403d183bdb5abbf6333371238deb71ed3ddd6c22965838b7c579fc73864746e6aed0201f0618f2207ba2a4b10280c2c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
d22266ba3d8db30279b96944f0cec985

SHA1
44e288cdfe75a5e8299ce32e75dd9e0705cdbac9

SHA256
77873629fa695e434160c86ae9116906ff65a97666d7d35a3ed63221b627c0bf

SHA512
d463aecbdac835dace5544b4267c86c2ed7d3165ba95095db6dfc3a25655f2391fa202a81d37b4a76a36f04456ed86df137302ad0e456fd59ecdfee3c69c6c1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8e99a44b0761b8be3f6e047ff9a505ac

SHA1
2e9fd95d5242ff20f3672a5f66f62e3169a977e0

SHA256
14f187a5f4afdb565b5f7e1daee301c47e60c0bda6b3a0cc56c86ed1fea676dd

SHA512
b56a2f94c86f21185128335b0d5381a9fea8ce2ac89f7ce534634efd9d1d5c8d92fe0f00e1b91e789a61d0fc98619da3c4919fba4e65d50107c41b30f967631e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1c614d896871924acaa3d067216ac2e9

SHA1
1d96d39f6176630e2c2088f7e51f7d274e8a3209

SHA256
2aeb0fa2f363cae4a905e99b5ffdb74539af4767912bb4ab64ada8003087480c

SHA512
4bd90546092f492b86f4be568753ba0c6396c0dfe05e6f9bd21c0f60acaa2db2a27f4d5835f1ddc7185abd9e78e959191e93f6b2a8f5fdb32e644fcb27890b49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f60428103aa3a213461f57a5cbc43682

SHA1
f8ca83bd161939d1132cb18d480bc9758a5de80f

SHA256
a5b52fc83cd60c5328ec0dd303f03fade93e7b9c1d633dc1aa126f5cdb68e365

SHA512
8972362ba575f01e455a300df7112fc1a53253c653883a02ff997f8bc373786934c57486a2ad815915d5838b310263bdfafbda4d1451d16284ee9adb7fdc68ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4a6da630799b1a3a353756c48fa7357e

SHA1
bb9df8ea4fb7f3648d3c19741ee580d68ceb45bd

SHA256
cf8c14655077d012db25b67e9d343013850e0236827393b01882962fc2c76ddc

SHA512
b9c675d1bde8b8579ac16843d4b94bfe6f9ad74fb43d7c8d596e45828edda904f31c1d75efea4efbdf28cdecdaaa007433ae12dade2fb1a35e945c643cd4a271

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e4d2.TMP

Filesize
706B

MD5
1df19f14c556207c0d86d2b6aa27bc2b

SHA1
1c2c7c89b1bf8ddd934f5a5c73d724f22052a7df

SHA256
1c17dddaa708b094a002e2aa60ff818c8a98947050d60aed78b50c38707d35c8

SHA512
c3ab9d03eeb26d3e9c86d9984aac6554f2d47896d4e958c0c26a3b8e477fbfa4e302610db9514a2a6ce5e51a308426f0c8fd0a4f6f94be728b021ed7741f8743

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b003a5ecc7946488a3c787ccca791fa5

SHA1
dcc7d44c879ce2f82e0b80d771ef0512798bbb83

SHA256
7955f5e953021f591f602f4cab6f1da57d1734f97b69d8ac71bbe08a19446885

SHA512
96e4f03d15fd0d743ff75b5ff5f99dad281b90774a21167a79094c6f9ecd5f5034e13479812e48639303d1a49cf0ab60185cfa334fee5c3392119a166349878c

Download Submit