7738a81df22a500dc1421acc5f6b3943bbe0d0290ccfca90d06983e9800ab82e

Analysis

max time kernel
145s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2024 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

upload/data/rss/index.html
Size

3B
MD5

736007832d2167baaae763fd3a3f3cf1
SHA1

7ee737c83ee689c96ef37d3a029068c390ebc8f8
SHA256

2b64c6d9afd8a34ed0dbf35f7de171a8825a50d9f42f05e98fe2b1addf00ab44
SHA512

6beba489cd62566c108b652b7143cb97e007396a0b16ce250d2d0ac6e51ed999e41e96eb497b29efa99d2a15f276d6d531aa9ead15e2c13d77b3846ee45f64ac

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
364	msedge.exe
364	msedge.exe
3528	msedge.exe
3528	msedge.exe
4636	identity_helper.exe
4636	identity_helper.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

3528 msedge.exe
3528 msedge.exe
3528 msedge.exe
3528 msedge.exe
3528 msedge.exe
3528 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3528 wrote to memory of 4944	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 4944	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 3544	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 364	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 364	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 1216	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 1216	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 1216	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 1216	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 1216	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 1216	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 1216	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 1216	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 1216	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 1216	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 1216	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 1216	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 1216	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 1216	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 1216	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 1216	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 1216	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 1216	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 1216	3528	msedge.exe	msedge.exe
PID 3528 wrote to memory of 1216	3528	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\upload\data\rss\index.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff81fac46f8,0x7ff81fac4708,0x7ff81fac4718
2⤵
PID:4944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,17057638394805713613,16077838636856455257,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
2⤵
PID:3544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,17057638394805713613,16077838636856455257,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,17057638394805713613,16077838636856455257,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
2⤵
PID:1216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17057638394805713613,16077838636856455257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
2⤵
PID:2580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17057638394805713613,16077838636856455257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
2⤵
PID:4728

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,17057638394805713613,16077838636856455257,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
2⤵
PID:4508

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,17057638394805713613,16077838636856455257,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17057638394805713613,16077838636856455257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
2⤵
PID:1748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17057638394805713613,16077838636856455257,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
2⤵
PID:2448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17057638394805713613,16077838636856455257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
2⤵
PID:5052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17057638394805713613,16077838636856455257,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
2⤵
PID:2276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,17057638394805713613,16077838636856455257,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1896 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2476

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4960

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
102e24b39f689a43101c9bef2abe7d84

SHA1
cd298b515030c84a39f6f982595715abef6f7b9a

SHA256
3291411529e7ef63020d91fdce248216daa6a9bf5524c5a512759de7ef6b120e

SHA512
0fd1d006c1228391367f97c3b60a36b45f48d7d35fe8e2f9f63012747ea51b1e1004ae18199f83ebb98bb4db2cdd814b56a53eadd078198e7e5d31140eb2f8db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
a627e86c9bd35b7e2866f9be563c095c

SHA1
98eb3b514307b474087c96dc8f9ba7bc89aed29b

SHA256
df7347b0811001cdeba89cce764d52caff535f69352ab244b47385501cedc73d

SHA512
2b94f3a4c255511f07c347f797e30ba4341db671bacfa5e9ed271bd8b797ef8ab309eb1085d106f5357946f11f690ff28d9f0ad1931cdb14882b4a34616508b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
3876f8f65880ab701d180f6407541eb1

SHA1
c560bc68c189f07bb1089112d180899c6cce2b5d

SHA256
2abe83e68b5ae579465be38b03e6a5b09a25e7fdf82927920fcece5cc65e2225

SHA512
1deb474ea320668810f38ad768d099c8262c1805694fd8b57d6480a5a65102ac1c8117d394788af401983bc9cf8647c34465aaa9f99674036047205475b36246

Download Submit
\??\pipe\LOCAL\crashpad_3528_GPNMFFESWWSPYOVQ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit