1f13b909eaf544aa985020c9ddafeb792a03592991f3ce6eeb5b87e1b55ce684

Analysis

max time kernel
31s
max time network
33s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 03:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EXTERNAL/KakahMenu.exe
Size

4KB
MD5

9a76702a758abbbd52f278456bf4876d
SHA1

5365c04a4ca2caa23c3139316537c15fb7e5cabc
SHA256

7ddcc7f38a5237150ee575e2e543c2fb3fdfee1b0ec84d911c5de7563d9133c9
SHA512

83e9728eaa605bb54eb0e210e43d53d7f5cc1ad18e125bd3a3dd18123ec7c57bc36a49dfd972f50f051e2a29198960358ee3ed2f7d71cb6794f61670784412a2

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4772	msedge.exe
4772	msedge.exe
3412	msedge.exe
3412	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3412 wrote to memory of 2584	3412	msedge.exe	99
PID 3412 wrote to memory of 2584	3412	msedge.exe	99
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 1480	3412	msedge.exe	100
PID 3412 wrote to memory of 4772	3412	msedge.exe	101
PID 3412 wrote to memory of 4772	3412	msedge.exe	101
PID 3412 wrote to memory of 4880	3412	msedge.exe	102
PID 3412 wrote to memory of 4880	3412	msedge.exe	102
PID 3412 wrote to memory of 4880	3412	msedge.exe	102
PID 3412 wrote to memory of 4880	3412	msedge.exe	102
PID 3412 wrote to memory of 4880	3412	msedge.exe	102
PID 3412 wrote to memory of 4880	3412	msedge.exe	102
PID 3412 wrote to memory of 4880	3412	msedge.exe	102
PID 3412 wrote to memory of 4880	3412	msedge.exe	102
PID 3412 wrote to memory of 4880	3412	msedge.exe	102
PID 3412 wrote to memory of 4880	3412	msedge.exe	102
PID 3412 wrote to memory of 4880	3412	msedge.exe	102
PID 3412 wrote to memory of 4880	3412	msedge.exe	102
PID 3412 wrote to memory of 4880	3412	msedge.exe	102
PID 3412 wrote to memory of 4880	3412	msedge.exe	102
PID 3412 wrote to memory of 4880	3412	msedge.exe	102
PID 3412 wrote to memory of 4880	3412	msedge.exe	102
PID 3412 wrote to memory of 4880	3412	msedge.exe	102
PID 3412 wrote to memory of 4880	3412	msedge.exe	102
PID 3412 wrote to memory of 4880	3412	msedge.exe	102
PID 3412 wrote to memory of 4880	3412	msedge.exe	102

C:\Users\Admin\AppData\Local\Temp\EXTERNAL\KakahMenu.exe
"C:\Users\Admin\AppData\Local\Temp\EXTERNAL\KakahMenu.exe"
1⤵
PID:1640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffabb2846f8,0x7ffabb284708,0x7ffabb284718
  2⤵
  PID:2584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,9774798018873597688,4583384515598412231,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,9774798018873597688,4583384515598412231,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,9774798018873597688,4583384515598412231,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9774798018873597688,4583384515598412231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9774798018873597688,4583384515598412231,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9774798018873597688,4583384515598412231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9774798018873597688,4583384515598412231,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
  2⤵
  PID:2848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1580

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6feb585bf0a0a21f6053cf0cece81355

SHA1
36ee2ada3df87a3fbb11f09c566dbdc074c85c3b

SHA256
14c63db3ad0f1a7269db09bc3ae130bcf9877057c2e9435bdfa4bf1a3cbe27ad

SHA512
7089a5cf43bca5d62162229e23e7a489c9f6bf0f57a51f7881fcbb2c0d7c154639541946283376ea707937211c81eb1b91482e58d553bdaef444ebb71352dae2

Download Submit