hxxp://google[.]com

Analysis

max time kernel
22s
max time network
10s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
03-09-2024 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://google.com

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3284	msedge.exe
3284	msedge.exe
332	msedge.exe
332	msedge.exe
2076	identity_helper.exe
2076	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 332 wrote to memory of 5096	332	msedge.exe	80
PID 332 wrote to memory of 5096	332	msedge.exe	80
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 4564	332	msedge.exe	81
PID 332 wrote to memory of 3284	332	msedge.exe	82
PID 332 wrote to memory of 3284	332	msedge.exe	82
PID 332 wrote to memory of 4400	332	msedge.exe	83
PID 332 wrote to memory of 4400	332	msedge.exe	83
PID 332 wrote to memory of 4400	332	msedge.exe	83
PID 332 wrote to memory of 4400	332	msedge.exe	83
PID 332 wrote to memory of 4400	332	msedge.exe	83
PID 332 wrote to memory of 4400	332	msedge.exe	83
PID 332 wrote to memory of 4400	332	msedge.exe	83
PID 332 wrote to memory of 4400	332	msedge.exe	83
PID 332 wrote to memory of 4400	332	msedge.exe	83
PID 332 wrote to memory of 4400	332	msedge.exe	83
PID 332 wrote to memory of 4400	332	msedge.exe	83
PID 332 wrote to memory of 4400	332	msedge.exe	83
PID 332 wrote to memory of 4400	332	msedge.exe	83
PID 332 wrote to memory of 4400	332	msedge.exe	83
PID 332 wrote to memory of 4400	332	msedge.exe	83
PID 332 wrote to memory of 4400	332	msedge.exe	83
PID 332 wrote to memory of 4400	332	msedge.exe	83
PID 332 wrote to memory of 4400	332	msedge.exe	83
PID 332 wrote to memory of 4400	332	msedge.exe	83
PID 332 wrote to memory of 4400	332	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc8bfd3cb8,0x7ffc8bfd3cc8,0x7ffc8bfd3cd8
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,12110724923111754032,17061255631991916236,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,12110724923111754032,17061255631991916236,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,12110724923111754032,17061255631991916236,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:8
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12110724923111754032,17061255631991916236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3092 /prefetch:1
  2⤵
  PID:2668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12110724923111754032,17061255631991916236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12110724923111754032,17061255631991916236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,12110724923111754032,17061255631991916236,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12110724923111754032,17061255631991916236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2408 /prefetch:1
  2⤵
  PID:2300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12110724923111754032,17061255631991916236,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12110724923111754032,17061255631991916236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
  2⤵
  PID:1360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12110724923111754032,17061255631991916236,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,12110724923111754032,17061255631991916236,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
  2⤵
  PID:2044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4324

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e2612636cf368bc811fdc8db09e037d

SHA1
d69e34379f97e35083f4c4ea1249e6f1a5f51d56

SHA256
2eecaacf3f2582e202689a16b0ac1715c628d32f54261671cf67ba6abbf6c9f9

SHA512
b3cc3bf967d014f522e6811448c4792eed730e72547f83eb4974e832e958deb7e7f4c3ce8e0ed6f9c110525d0b12f7fe7ab80a914c2fe492e1f2d321ef47f96d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e8115549491cca16e7bfdfec9db7f89a

SHA1
d1eb5c8263cbe146cd88953bb9886c3aeb262742

SHA256
dfa9a8b54936607a5250bec0ed3e2a24f96f4929ca550115a91d0d5d68e4d08e

SHA512
851207c15de3531bd230baf02a8a96550b81649ccbdd44ad74875d97a700271ef96e8be6e1c95b2a0119561aee24729cb55c29eb0b3455473688ef9132ed7f54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
211KB

MD5
e7226392c938e4e604d2175eb9f43ca1

SHA1
2098293f39aa0bcdd62e718f9212d9062fa283ab

SHA256
d46ec08b6c29c4ca56cecbf73149cc66ebd902197590fe28cd65dad52a08c4e1

SHA512
63a4b99101c790d40a813db9e0d5fde21a64ccaf60a6009ead027920dbbdb52cc262af829e5c4140f3702a559c7ac46efa89622d76d45b4b49a9ce01625ef145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
6edf7eff5594edf0a9b71486851c6ab4

SHA1
0658bd595d7280c1f77ae8a570c2952f5a2ddd10

SHA256
3aa1bc5c4d5207c8ba680e0077bed272cedc97f8e6b93723bdbed7964de8aa8f

SHA512
99fa63aabe496169c8073cceaf6a573e857c0e8a8017914de688ac194bfeadf07c5a93e2545e4d6a4568bf368203fac9538d51805c20de13a91966938e5fee6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a511ed8e123c09981ee48e99129af145

SHA1
3bcd27e825d16af2d5199cc5306c46bc5d71fc1d

SHA256
18b86bd392622e09f4494d00a6b64bf722e25d2721f11d8206bbf8e7035adf8b

SHA512
0c7cf3f2d59262f3e6ab25037602ca8f2c145a5d922d0281bfd26cd30b3b6d6a9f6271555dd7f5dfb3fd928224597839a0eb3cfe2092bdc2805e181904b26e03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
713e3be31a3fd188cc37ca518f11d786

SHA1
a4b491f69894222009af0e78bfc347843dcc6920

SHA256
ad59df5f05537368a0c0aa469e769c65d254edb0ef70a836360f9c99450290ec

SHA512
37be26daad5986a5e54e4657b4c3df4825d34d5efa3d64e9ea43e7ec63e456293f77039f5d339695b527043f6f92f1999cf1d5add130108abb90992bfc2ab45d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
705ecab2934eddaf1e980fcd28ee3384

SHA1
c1a8ca23a95ac5a440ce59c3fa3373b2cae24935

SHA256
befeb82a906b5cd3f1ccb87e1425b3c4a964bcf4415ceed52dd59077ff538ec4

SHA512
57002fb5b5dbe617a19dbe18415eee27d049384ea9a77e7431006f1d348b58992ecd3729e37975f35588efe35e705a6ae8628727e5c1e4296f9e3c60e8b0a4c1

Download Submit