805ab80d0ec69afd7d8de6103fe1271daab0501d8f8f99147f586d0c85036185

Analysis

max time kernel
113s
max time network
102s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
06-09-2024 21:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

stellar main/include/httplib/test/www/dir/index.html
Size

104B
MD5

aef30cf746db10a8fd09ab6bf6b701ce
SHA1

208361e1686e97df83bd2a47eddb6339e6c2d0f2
SHA256

c1744dc371ffe1aa631aa917e0e43a7ec53fb6097975778b43dabfe0f2d05bde
SHA512

6dd3469e78d6000e20fc21c158984770fcb134ecb4c47bf0c24b5a54dda138bc8fb54ccec01d16f8eab7d653ab8bc45b7919c8258058e26948c96c2c28712f23

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3008	msedge.exe
3008	msedge.exe
4928	msedge.exe
4928	msedge.exe
3176	msedge.exe
3176	msedge.exe
4820	identity_helper.exe
4820	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 2084	4928	msedge.exe	81
PID 4928 wrote to memory of 2084	4928	msedge.exe	81
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 2372	4928	msedge.exe	82
PID 4928 wrote to memory of 3008	4928	msedge.exe	83
PID 4928 wrote to memory of 3008	4928	msedge.exe	83
PID 4928 wrote to memory of 2916	4928	msedge.exe	84
PID 4928 wrote to memory of 2916	4928	msedge.exe	84
PID 4928 wrote to memory of 2916	4928	msedge.exe	84
PID 4928 wrote to memory of 2916	4928	msedge.exe	84
PID 4928 wrote to memory of 2916	4928	msedge.exe	84
PID 4928 wrote to memory of 2916	4928	msedge.exe	84
PID 4928 wrote to memory of 2916	4928	msedge.exe	84
PID 4928 wrote to memory of 2916	4928	msedge.exe	84
PID 4928 wrote to memory of 2916	4928	msedge.exe	84
PID 4928 wrote to memory of 2916	4928	msedge.exe	84
PID 4928 wrote to memory of 2916	4928	msedge.exe	84
PID 4928 wrote to memory of 2916	4928	msedge.exe	84
PID 4928 wrote to memory of 2916	4928	msedge.exe	84
PID 4928 wrote to memory of 2916	4928	msedge.exe	84
PID 4928 wrote to memory of 2916	4928	msedge.exe	84
PID 4928 wrote to memory of 2916	4928	msedge.exe	84
PID 4928 wrote to memory of 2916	4928	msedge.exe	84
PID 4928 wrote to memory of 2916	4928	msedge.exe	84
PID 4928 wrote to memory of 2916	4928	msedge.exe	84
PID 4928 wrote to memory of 2916	4928	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\stellar main\include\httplib\test\www\dir\index.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe10ab3cb8,0x7ffe10ab3cc8,0x7ffe10ab3cd8
  2⤵
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,5149526097703263386,8039440673964826941,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,5149526097703263386,8039440673964826941,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,5149526097703263386,8039440673964826941,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5149526097703263386,8039440673964826941,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5149526097703263386,8039440673964826941,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3108 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2084,5149526097703263386,8039440673964826941,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3812 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5149526097703263386,8039440673964826941,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5149526097703263386,8039440673964826941,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
  2⤵
  PID:1296
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,5149526097703263386,8039440673964826941,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5149526097703263386,8039440673964826941,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5149526097703263386,8039440673964826941,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:2104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d30a5618854b9da7bcfc03aeb0a594c4

SHA1
7f37105d7e5b1ecb270726915956c2271116eab7

SHA256
3494c446aa3cb038f1d920b26910b7fe1f4286db78cb3f203ad02cb93889c1a8

SHA512
efd488fcd1729017a596ddd2950bff07d5a11140cba56ff8e0c62ef62827b35c22857bc4f5f5ea11ccc2e1394c0b3ee8651df62a25e66710f320e7a2cf4d1a77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
03a56f81ee69dd9727832df26709a1c9

SHA1
ab6754cc9ebd922ef3c37b7e84ff20e250cfde3b

SHA256
65d97e83b315d9140f3922b278d08352809f955e2a714fedfaea6283a5300e53

SHA512
e9915f11e74c1bcf7f80d1bcdc8175df820af30f223a17c0fe11b6808e5a400550dcbe59b64346b7741c7c77735abefaf2c988753e11d086000522a05a0f7781

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1ed1beacb0cfefc5fbca877088307a24

SHA1
6a43c3e8dd1b1bb6dcad5a406f9fe97f1947da44

SHA256
b278c368d68a362b12fbfbf28530f438b7f6a0c3642d1790838997e69d0267ef

SHA512
def2d9ccc60ee4c86a9099f0c7ceb3d9f2d568f229ee10272ee1bdbd74d56de9e9c8224f27e585298ced1f5f38f074ba71e12f76e62d68083914a8d6f85f263a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f5f2052285ff47b41c320117554d9d5c

SHA1
7c6377f6970f9d2f70d78f7a4b3f15bfd139bf3c

SHA256
3d092532b4d88ae14bb8f842e33744991d6c15f15d50d4f83242b687d24b6f44

SHA512
52dbcf42eaf33e3db77779b9cad154422052133ae8686e66d0bbbceb053c56a6e0918a2d30087fad83e90d3844183e34d4c82de5379f67aa4e4e74df241aecb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
11f804cfe8b93aed12d36e1b5192dc0b

SHA1
6a8ac3fd8ffc0242ede0788acf6da894e6f2b702

SHA256
3a91ececa0cc7551baad5175e97a604c7dfd520aac46a072d3335b55d1893a1c

SHA512
e641d06757e8942d179533a51fbff161bc12bbae032417274db1e76df7c7c5e2e33ddf1bd65d01b128862be1a38646e06556c2e3cddcee504e985ec17f7815ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1c13c79b9e5486210e71b2e2373a6b97

SHA1
4d715a03dd5ac7f901159d298f1477bae7e43dc3

SHA256
3a8b8d870baf4439258b5a7338ab19f4f32aad4c14496bdd3f35342420472d4b

SHA512
25a13f2b0a9a8fc03c62af099d26d435e7e655ce92453a6347ed612efff2adf34b5b7ea4daf5bafb7e7734a940ce87ca0fdfc2e5809ddac12567143ddb54f9af

Download Submit