Analysis

max time kernel: 1469s
max time network: 1439s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 16/08/2024, 12:25

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://google.com
Resource: win11-20240802-en

General

Target: https://google.com

Malware Config

Signatures
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.

| Description | IoC | Process |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE |
Enumerates system info in registry (2 TTPs, 6 IoCs)

| Description | IoC | Process |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe |
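The two registry signatures above are path-prefix rules over registry-access events. The following is an added example of how such rules can be evaluated over events shaped like the report's IoC rows; it is not Triage's own signature code. The events are constructed to mirror the rows above (plus one CurrentVersion lookup that must not match), and the ATT&CK technique IDs attached to each signature are an assumed mapping, not something the page states.

```python
"""Registry-access signature matching in the style of the report's two
registry signatures. Added example, not Triage's code; events are
constructed, ATT&CK IDs are an assumed mapping."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegEvent:
    description: str  # "Key opened" or "Key value queried"
    ioc: str          # kernel-style registry path, as the report prints it
    process: str      # image name of the process that touched the key


@dataclass(frozen=True)
class Signature:
    name: str
    explanation: str
    pattern: re.Pattern
    ttps: tuple[str, ...]


def normalise(path: str) -> str:
    """Registry paths are case-insensitive; the report itself mixes
    'Hardware\\Description' with 'HARDWARE\\DESCRIPTION'."""
    return path.upper()


# Common prefix of the hardware-description hive the report's IoCs live under.
HW = r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\SYSTEM\\"

SIGNATURES: tuple[Signature, ...] = (
    Signature(
        "Checks processor information in registry",
        "Processor information is often read in order to detect sandboxing environments.",
        re.compile(HW + r"CENTRALPROCESSOR\\\d+(\\|$)"),
        ("T1012", "T1497.001"),  # assumed mapping: Query Registry, System Checks
    ),
    Signature(
        "Enumerates system info in registry",
        "SMBIOS manufacturer/product strings identify the hypervisor or sandbox image.",
        re.compile(HW + r"BIOS(\\|$)"),
        ("T1012", "T1082"),  # assumed mapping: Query Registry, System Information Discovery
    ),
)


def run_signatures(events: list[RegEvent]) -> dict[str, list[RegEvent]]:
    """Return {signature name: [matching events]} for every signature that fired."""
    hits: dict[str, list[RegEvent]] = {}
    for sig in SIGNATURES:
        matched = [e for e in events if sig.pattern.match(normalise(e.ioc))]
        if matched:
            hits[sig.name] = matched
    return hits


def summarise(events: list[RegEvent]) -> dict[str, dict]:
    """Report-style summary per fired signature: IoC count, distinct processes, TTPs."""
    hits = run_signatures(events)
    summary: dict[str, dict] = {}
    for sig in SIGNATURES:
        matched = hits.get(sig.name)
        if matched:
            summary[sig.name] = {
                "iocs": len(matched),
                "processes": sorted({e.process for e in matched}),
                "ttps": list(sig.ttps),
            }
    return summary


# Constructed events mirroring the report's rows, plus one CurrentVersion
# lookup that neither signature should match.
SAMPLE_EVENTS = [
    RegEvent("Key opened", r"\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0", "EXCEL.EXE"),
    RegEvent("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz", "EXCEL.EXE"),
    RegEvent("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString", "EXCEL.EXE"),
    RegEvent("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer", "msedge.exe"),
    RegEvent("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName", "msedge.exe"),
    RegEvent("Key opened", r"\REGISTRY\MACHINE\Hardware\Description\System\BIOS", "EXCEL.EXE"),
    RegEvent("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily", "EXCEL.EXE"),
    RegEvent("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU", "EXCEL.EXE"),
    RegEvent("Key opened", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS", "msedge.exe"),
    RegEvent("Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName", "msedge.exe"),
]

if __name__ == "__main__":
    for name, info in summarise(SAMPLE_EVENTS).items():
        print(f"{name}: {info['iocs']} IoCs from {', '.join(info['processes'])}; TTPs {info['ttps']}")
```

The point of the prefix rule is that it fires on any process reading these keys, Office and the browser included, which is why both signatures above name EXCEL.EXE and msedge.exe and why neither is an indicator of malice on its own.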
Suspicious behavior: AddClipboardFormatListener (1 IoC)

| PID | Process |
| 3520 | EXCEL.EXE |

Suspicious behavior: EnumeratesProcesses (6 IoCs)

| PID | Process |
| 2796 | msedge.exe (2 entries) |
| 4876 | msedge.exe (2 entries) |
| 436 | msedge.exe (2 entries) |

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)

| PID | Process |
| 4876 | msedge.exe (7 entries) |

Each entry is a child process created with the mitigation policy that blocks loading of non-Microsoft-signed binaries; Chromium-based browsers apply this policy to their own helper processes, so it is a hardening measure rather than an indicator on its own.

Suspicious use of FindShellTrayWindow (26 IoCs)

| PID | Process |
| 4876 | msedge.exe (26 entries) |

Suspicious use of SendNotifyMessage (12 IoCs)

| PID | Process |
| 4876 | msedge.exe (12 entries) |

Suspicious use of SetWindowsHookEx (14 IoCs)

| PID | Process |
| 3520 | EXCEL.EXE (14 entries) |
Suspicious use of WriteProcessMemory (64 IoCs)

All 64 entries have writer PID 4876 (msedge.exe) and one of four targets; the repeated rows are collapsed here by target:

| Description | Writer PID | Writer process | Target PID | procid_target |
| PID 4876 wrote to memory of 3584 | 4876 | msedge.exe | 3584 | 81 |
| PID 4876 wrote to memory of 4444 | 4876 | msedge.exe | 4444 | 82 |
| PID 4876 wrote to memory of 2796 | 4876 | msedge.exe | 2796 | 83 |
| PID 4876 wrote to memory of 1028 | 4876 | msedge.exe | 1028 | 84 |

Every target is a direct child of PID 4876 in the process tree below (the crashpad handler, GPU process, network service and storage service), so these writes are the browser process setting up helpers it has just launched, not writes into a foreign process.
Processes

Process tree as the report records it; indentation shows the parent/child depth, and the signatures raised on a process follow its command line.

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4876, depth 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://google.com
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3584, depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb500b3cb8,0x7ffb500b3cc8,0x7ffb500b3cd8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4444, depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,8164083974627362997,18093588579682990420,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2796, depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,8164083974627362997,18093588579682990420,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2612 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1028, depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,8164083974627362997,18093588579682990420,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3728, depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8164083974627362997,18093588579682990420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4624, depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8164083974627362997,18093588579682990420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2180, depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8164083974627362997,18093588579682990420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 436, depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,8164083974627362997,18093588579682990420,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4192, depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8164083974627362997,18093588579682990420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4832, depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8164083974627362997,18093588579682990420,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3384, depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8164083974627362997,18093588579682990420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2688, depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8164083974627362997,18093588579682990420,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe (PID 664, depth 1)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (PID 2196, depth 1)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 3520, depth 1)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\ResetExport.xlsx"
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx

EXCEL.EXE is a separate top-level process with no parent in the msedge.exe tree, so the registry and hook signatures it raises are not behaviour of the submitted URL's browser session.
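The WriteProcessMemory signature and the process tree above are only meaningful together: a parent writing into a child it has just created is how a Chromium-based browser launches every helper, while a write into a process the writer did not spawn is the pattern injection leaves. The following added example (not Triage's code) checks each write against the tree and pulls the sandbox-relevant flags out of the command lines. Process records are constructed from the PIDs and command lines the report prints, with the command lines abbreviated to the flags the code reads; the write events are a representative subset of the report's 64 entries, and the contrast write is constructed for illustration and does not appear in the report.

```python
"""Classify WriteProcessMemory events against a process tree and extract
Chromium helper roles and sandbox settings from command lines.
Added example, not Triage's code; process records are constructed from
the report's PIDs and (abbreviated) command lines."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: int | None = None  # None: top-level in the report's tree


@dataclass(frozen=True)
class Write:
    writer: int  # PID that called WriteProcessMemory
    target: int  # PID whose memory was written


def role(p: Proc) -> str:
    """Chromium child role from --utility-sub-type= or --type=; 'main' otherwise."""
    for flag in ("--utility-sub-type=", "--type="):
        m = re.search(re.escape(flag) + r"(\S+)", p.cmdline)
        if m:
            return m.group(1)
    return "main"


def unsandboxed_services(procs: dict[int, Proc]) -> list[int]:
    """Utility processes launched with the Chromium service sandbox turned off."""
    return sorted(p.pid for p in procs.values() if "--service-sandbox-type=none" in p.cmdline)


def is_descendant(procs: dict[int, Proc], pid: int, ancestor: int) -> bool:
    seen: set[int] = set()
    cur = procs[pid].parent
    while cur is not None and cur not in seen:
        if cur == ancestor:
            return True
        seen.add(cur)
        cur = procs[cur].parent if cur in procs else None
    return False


def classify_write(procs: dict[int, Proc], w: Write) -> str:
    """'child-launch' for a parent writing into its own direct child (normal
    Chromium helper start-up), 'descendant' for a deeper relative,
    'cross-tree' for a target the writer did not spawn."""
    if procs[w.target].parent == w.writer:
        return "child-launch"
    if is_descendant(procs, w.target, w.writer):
        return "descendant"
    return "cross-tree"


def summarise_writes(procs: dict[int, Proc], writes: list[Write]) -> dict[int, dict]:
    """Group writes by target PID: writer, target role, count and classification."""
    out: dict[int, dict] = {}
    for w in writes:
        entry = out.setdefault(w.target, {
            "writer": w.writer,
            "role": role(procs[w.target]),
            "count": 0,
            "class": classify_write(procs, w),
        })
        entry["count"] += 1
    return out


def outside_sample_tree(procs: dict[int, Proc], root: int) -> list[int]:
    """Top-level processes that are not the submitted sample's root process."""
    return sorted(p.pid for p in procs.values() if p.parent is None and p.pid != root)


EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
FT = "--field-trial-handle=1904,8164083974627362997,18093588579682990420,131072"

# Constructed from the report's tree; command lines cut down to the flags read above.
PROCS = {p.pid: p for p in [
    Proc(4876, EDGE, f'"{EDGE}" --single-argument https://google.com'),
    Proc(3584, EDGE, f'"{EDGE}" --type=crashpad-handler', 4876),
    Proc(4444, EDGE, f'"{EDGE}" --type=gpu-process {FT} --mojo-platform-channel-handle=1912', 4876),
    Proc(2796, EDGE, f'"{EDGE}" --type=utility --utility-sub-type=network.mojom.NetworkService {FT} --service-sandbox-type=none', 4876),
    Proc(1028, EDGE, f'"{EDGE}" --type=utility --utility-sub-type=storage.mojom.StorageService {FT} --service-sandbox-type=utility', 4876),
    Proc(3728, EDGE, f'"{EDGE}" --type=renderer {FT} --renderer-client-id=6', 4876),
    Proc(436, EDGE, f'"{EDGE}" --type=utility --utility-sub-type=chrome.mojom.UtilWin {FT} --service-sandbox-type=none', 4876),
    Proc(664, r"C:\Windows\System32\CompPkgSrv.exe", r"C:\Windows\System32\CompPkgSrv.exe -Embedding"),
    Proc(2196, r"C:\Windows\System32\CompPkgSrv.exe", r"C:\Windows\System32\CompPkgSrv.exe -Embedding"),
    Proc(3520, r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
         r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\ResetExport.xlsx"'),
]}

# Representative subset of the report's 64 WriteProcessMemory rows (all writer 4876).
REPORT_WRITES = [Write(4876, t) for t in (3584, 3584, 4444, 4444, 4444, 2796, 2796, 1028, 1028)]

# Constructed contrast case, NOT in the report: a write into a process the
# writer did not spawn is what injection looks like in this data.
CONTRAST_WRITE = Write(3520, 4876)

if __name__ == "__main__":
    for target, info in sorted(summarise_writes(PROCS, REPORT_WRITES).items()):
        print(f"{info['writer']} -> {target} ({info['role']}): {info['count']} writes, {info['class']}")
    print("contrast:", classify_write(PROCS, CONTRAST_WRITE))
    print("unsandboxed services:", unsandboxed_services(PROCS))
    print("top-level processes outside the sample tree:", outside_sample_tree(PROCS, 4876))
```

Two things the report's flat tables do not surface fall out of this directly: every real write is a child-launch, and the network service (PID 2796) and UtilWin helper (PID 436) run with --service-sandbox-type=none, i.e. outside the Chromium service sandbox, which matters when estimating what a compromised helper could reach.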
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
MD5: 026e0c65239e15ba609a874aeac2dc33
SHA1: a75e1622bc647ab73ab3bb2809872c2730dcf2df
SHA256: 593f20dfb73d2b81a17bfcc1f246848080dfc96898a1a62c5ddca62105ed1292
SHA512: 9fb7644c87bdd3430700f42137154069badbf2b7a67e5ac6c364382bca8cba95136d460f49279b346703d4b4fd81087e884822a01a2a38901568a3c3e3387569

Filesize: 152B
MD5: 228fefc98d7fb5b4e27c6abab1de7207
SHA1: ada493791316e154a906ec2c83c412adf3a7061a
SHA256: 448d09169319374935a249b1fc76bcf2430b4e1436611f3c2f3331b6eafe55a2
SHA512: fa74f1cc5da8db978a7a5b8c9ebff3cd433660db7e91ce03c44a1d543dd667a51659ba79270d3d783d52b9e45d76d0f9467458df1482ded72ea79c873b2a5e56

Filesize: 209KB
MD5: 3e552d017d45f8fd93b94cfc86f842f2
SHA1: dbeebe83854328e2575ff67259e3fb6704b17a47
SHA256: 27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6
SHA512: e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Path: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 120B
MD5: e18f16dd4b9dd7d16057a17d67b213c4
SHA1: 2e0247b2f3d2447dd9cf25c9e389fb2c05db23d5
SHA256: 9b443493ad0123521b39fe3f3e84d9a6ae0fa8c4d9146b3c1d318c0b5b83f9cd
SHA512: ebae5a9084f24ba73e640d2c7aa2b3d0c16e91308cde3b42821e85f927758d919b3af693e2d8eea5ef600c92329d79d47c2c5f7bb0cab12cf9d8dde857a7f00b

Filesize: 1004B
MD5: fd24365d3bbbebcc022c5707ea2060ff
SHA1: 4592fb98ef11eb6addd4405328c94bf151a33b75
SHA256: 032b35e864f690aa3d930af2e24c0a1c8d9621af3c17639d25a4b5dd97b1c306
SHA512: 54b1cdbd3a9355f8b7ce76d38b8719937d7aced93dddacc59250ff23d4fa83ca7ccd1f879780dcef902466bab36f921a400096599633e63530406174c42e38ed

Filesize: 5KB
MD5: 435e11398133880824149ea04bf3e692
SHA1: 3f4dacd5a71abcfab2be0fc9408b53d9228032fc
SHA256: 564bea65dee4969080730017b856eda4e3a7c31de9db8e02f3d4d384e15e8145
SHA512: 0b5361887025e9d490dd3df924bc80613f44a1d8468c3d49f794e2b3279f333a4a5ad4ea9c510169737a2699eaaad62ea8d18dcfba54e7665e241072ae175c90

Filesize: 6KB
MD5: bf662addae2cb439e70bf8dd31b44616
SHA1: 4b9078ea6866c11dba89e424b18abf52da344cb6
SHA256: dd17ecf63f1b37a489b5870b644ec9d043d41a755029a1bc2c9491d347ff7875
SHA512: 49534c36cbc3b185135a5a21ffddf5764391f0d7acd78ee494ebbe21f5620f3de14d4c1502163481ff6e2f09a2a26f65423f061fc34f053fb7ca3e9a073e4637

Filesize: 10KB
MD5: 4bce0ede73a30b1be3709c5dc2256c3d
SHA1: 59141319295e1bdadd7e486b226959c3829c5b2f
SHA256: 1c8f96717e2686d699f9e75db5311c0829d4d007e09a257430aa18cd7b9d86cd
SHA512: bb4598f39f71c751d19922e7ec3f37113b7621367766ea05be2b6e0147e7060c0d2f06991d744f18d4b73ff73b1b778a310be0f8980333bbca383abeb813ec4d

Filesize: 360B
MD5: bcb8c2b41e9ea70c769c1b6f99c6f354
SHA1: 6e5815a52415407b6e6dc9a2f3fa28a4ba986215
SHA256: dfd0363afe8decc62c24755389c77aef10bce9540cda0322a3415c6c77baa3b5
SHA512: 885db73f00348348a423d0cc0de777e31098fac1fe27a9d572e8bdb199e609ce6057d84a0aae76a6ba156cf4c2b4c4978894b02fe08957d33b29d6e35391ba13