1a1b3d764d921db37f2d3e0af830209ce8006d62b60518523cc199b19210c937

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

readme.url
Size

328B
MD5

63ce37659e34f6542d31a4bc64ec19e5
SHA1

31938110d10a8ebce18ce02d1ebaca0e344a797c
SHA256

36dcd2cc9ef2a279014b4f85915100f62d36bd0c2cf439638d4ce0e9c18cc2ff
SHA512

39dc956c870a2bd80786dd215b503e5f22a1259bb858ff37ae601cb11d425afd5304e6472512c99afcb98569f08990e1d03df5e3d392ec484b1a98dd3f7b86e2

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1028	msedge.exe
1028	msedge.exe
1536	msedge.exe
1536	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1536	msedge.exe
1536	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 1536	1940	rundll32.exe	84
PID 1940 wrote to memory of 1536	1940	rundll32.exe	84
PID 1536 wrote to memory of 4228	1536	msedge.exe	86
PID 1536 wrote to memory of 4228	1536	msedge.exe	86
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 380	1536	msedge.exe	87
PID 1536 wrote to memory of 1028	1536	msedge.exe	88
PID 1536 wrote to memory of 1028	1536	msedge.exe	88
PID 1536 wrote to memory of 2064	1536	msedge.exe	89
PID 1536 wrote to memory of 2064	1536	msedge.exe	89
PID 1536 wrote to memory of 2064	1536	msedge.exe	89
PID 1536 wrote to memory of 2064	1536	msedge.exe	89
PID 1536 wrote to memory of 2064	1536	msedge.exe	89
PID 1536 wrote to memory of 2064	1536	msedge.exe	89
PID 1536 wrote to memory of 2064	1536	msedge.exe	89
PID 1536 wrote to memory of 2064	1536	msedge.exe	89
PID 1536 wrote to memory of 2064	1536	msedge.exe	89
PID 1536 wrote to memory of 2064	1536	msedge.exe	89
PID 1536 wrote to memory of 2064	1536	msedge.exe	89
PID 1536 wrote to memory of 2064	1536	msedge.exe	89
PID 1536 wrote to memory of 2064	1536	msedge.exe	89
PID 1536 wrote to memory of 2064	1536	msedge.exe	89
PID 1536 wrote to memory of 2064	1536	msedge.exe	89
PID 1536 wrote to memory of 2064	1536	msedge.exe	89
PID 1536 wrote to memory of 2064	1536	msedge.exe	89
PID 1536 wrote to memory of 2064	1536	msedge.exe	89

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\readme.url
1⤵
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.baidu.com/s?wd=%e4%b8%8b%e8%bd%bd%e7%8e%8b
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff37c146f8,0x7fff37c14708,0x7fff37c14718
    3⤵
    PID:4228
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,18415342016882384561,10701023509876709627,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
    3⤵
    PID:380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,18415342016882384561,10701023509876709627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,18415342016882384561,10701023509876709627,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
    3⤵
    PID:2064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18415342016882384561,10701023509876709627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
    3⤵
    PID:3276
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18415342016882384561,10701023509876709627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
    3⤵
    PID:2476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,18415342016882384561,10701023509876709627,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1828 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\46d1f9e6-fcbf-42cf-9b30-5f542ca5efa1.tmp

Filesize
10KB

MD5
f15987de058069cf00dd967b75335be6

SHA1
d23a82af87904abb286f2bbd47b7a902510d745c

SHA256
a8b6b3bd3f246b8f643868c7b66f70d2edc706b826570469025ef8807e84bbb9

SHA512
f7cd10b4cf4fd09d718d5e2a360ccfd5c2c8171a0cd882245042e5aab490a09077565ff05ad8b178c287144f9b66182bf1c7b0e45d03d719a7502055c1a05eb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
ee3432f0167d95b9b038715fb3f7a729

SHA1
7e3a208e49054ac77f27c2a2deefdcbae99a510b

SHA256
d82a627d0e17dcc42c89c0641c86c297e36b3159ca88b900f6a369c087e5ea54

SHA512
23ea41f1ea0fd16236d43e3ba9976e55bf82e47deb37a6d09ca91458860621dc5ab8ed4d581b6fce4ab0904dd384d58a7090632b04422d8aaabf474505bdb196

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
184B

MD5
be5aeff2a68162f18c376598a46a4421

SHA1
839b63103ff9a7414b37f002077912d30a9f73c4

SHA256
5cb61d21ed14e9a9a029c1d214ef4f958f690f1db4dff27f8090cf54cb22075f

SHA512
a6a5fb02c710d04baa71b2d16466b31802a250e5a48ac5f04539eceb0105a3b21b000d0552d55c571528fe337c1c6b957c66079ce64410b77cf3e5b9384e15a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c08623b9bcaf37f557fe977138508b82

SHA1
675917eb721dedb314e10fb5fb792fd0b61fc870

SHA256
6d7c80bc554f2020d498fb1c915e6d0023080d31abfa23385d5336869a68f608

SHA512
2a70d2176c5c19c513c51208f961f56521aaae4cd750d0f097ba9d7070b16906354df9c6b5b0ce3acf7b04fd8a99d9c26cbf416f391b528ccd5a11be919f4382

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0433178b6624cb46cf1ab8c5fb1d6bcc

SHA1
c6adcb5331d63830ee9a5dc9c3d9c9328234f03a

SHA256
b915b2979d238f4ab55620e460c65cc666205d5c6b85ea70187c9fdca76b9bd0

SHA512
0cfc79848b048dba9c55954c445528f17889cb4bb957594ea2db5e482f052f83bf3e5928baab39da6b420babeffc632040a846144f78abe2729a4afa8d5963b8

Download Submit