7554ddb13cc50c4f95a64e655b0aec126a2a6d6073cdea6305efb00a52e4d4d1

Analysis

max time kernel
147s
max time network
157s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
06/09/2024, 02:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LICENSES.chromium.html
Size

6.2MB
MD5

53ef875136b19bef138829d5846208b0
SHA1

edfcf34901b7fc6a3e578d637266686673a30299
SHA256

d3bf6dd8892c6d77555e0b55efe98bfd18f08987ea39668bc5d0c419877aef1f
SHA512

b6f0e50ac1a2a2144d718eca60dd8a26ca48045fff9c05327e4e0e09a4d12ba69952f9feb9481497f9b1b1378a5c1d55845bee551f84e7a47f98f7a222c302ab
SSDEEP

24576:nP9t5W7WSLzrj41T4mfn6y6O6E6Q6yNSHpCohpG:g3e

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2924	msedge.exe
2924	msedge.exe
4884	msedge.exe
4884	msedge.exe
1388	identity_helper.exe
1388	identity_helper.exe
3364	msedge.exe
3364	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 2400	4884	msedge.exe	78
PID 4884 wrote to memory of 2400	4884	msedge.exe	78
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 5004	4884	msedge.exe	79
PID 4884 wrote to memory of 2924	4884	msedge.exe	80
PID 4884 wrote to memory of 2924	4884	msedge.exe	80
PID 4884 wrote to memory of 3680	4884	msedge.exe	81
PID 4884 wrote to memory of 3680	4884	msedge.exe	81
PID 4884 wrote to memory of 3680	4884	msedge.exe	81
PID 4884 wrote to memory of 3680	4884	msedge.exe	81
PID 4884 wrote to memory of 3680	4884	msedge.exe	81
PID 4884 wrote to memory of 3680	4884	msedge.exe	81
PID 4884 wrote to memory of 3680	4884	msedge.exe	81
PID 4884 wrote to memory of 3680	4884	msedge.exe	81
PID 4884 wrote to memory of 3680	4884	msedge.exe	81
PID 4884 wrote to memory of 3680	4884	msedge.exe	81
PID 4884 wrote to memory of 3680	4884	msedge.exe	81
PID 4884 wrote to memory of 3680	4884	msedge.exe	81
PID 4884 wrote to memory of 3680	4884	msedge.exe	81
PID 4884 wrote to memory of 3680	4884	msedge.exe	81
PID 4884 wrote to memory of 3680	4884	msedge.exe	81
PID 4884 wrote to memory of 3680	4884	msedge.exe	81
PID 4884 wrote to memory of 3680	4884	msedge.exe	81
PID 4884 wrote to memory of 3680	4884	msedge.exe	81
PID 4884 wrote to memory of 3680	4884	msedge.exe	81
PID 4884 wrote to memory of 3680	4884	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe9d2c3cb8,0x7ffe9d2c3cc8,0x7ffe9d2c3cd8
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,12822844916843147627,6151185821071824436,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,12822844916843147627,6151185821071824436,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,12822844916843147627,6151185821071824436,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12822844916843147627,6151185821071824436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12822844916843147627,6151185821071824436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,12822844916843147627,6151185821071824436,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12822844916843147627,6151185821071824436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
  2⤵
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12822844916843147627,6151185821071824436,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:2160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,12822844916843147627,6151185821071824436,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3228 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12822844916843147627,6151185821071824436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12822844916843147627,6151185821071824436,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,12822844916843147627,6151185821071824436,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4856 /prefetch:2
  2⤵
  PID:4868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c3889d3f0d2246f800c495aec7c3f7c

SHA1
dd38e6bf74617bfcf9d6cceff2f746a094114220

SHA256
0a4781bca132edf11500537cbf95ff840c2b6fd33cd94809ca9929f00044bea4

SHA512
2d6cb23e2977c0890f69751a96daeb71e0f12089625f32b34b032615435408f21047b90c19de09f83ef99957681440fdc0c985e079bb196371881b5fdca68a37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c4a10f6df4922438ca68ada540730100

SHA1
4c7bfbe3e2358a28bf5b024c4be485fa6773629e

SHA256
f286c908fea67163f02532503b5555a939f894c6f2e683d80679b7e5726a7c02

SHA512
b4d407341989e0bbbe0cdd64f7757bea17f0141a89104301dd7ffe45e7511d3ea27c53306381a29c24df68bdb9677eb8c07d4d88874d86aba41bb6f0ce7a942c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e58e0532bf16b2479858bb10bc7e14bf

SHA1
a2ae3fb8278a2faf40a5cca65bab597afac18ad7

SHA256
88b2a456000dc2e2d55f925d263ce805e848d84512d4ba4b9edefbc7a7ae37fc

SHA512
1bf4d3e97ba7d81023777666dc3ce91162a6edd8e3a7d6899d1aecf7fb5384cddd5994c83f3f963b4893a7b3603ae111160c331ca5c4546b13d0538063f228ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
404aa791568e10ad2a02fd056b9cc8a7

SHA1
c901c96e4ea4017ee9d71d00790aa6c1dd3ccbbd

SHA256
d40e17b54e8519e923d46aaa49bce7ea34a5029c0a20a74d5c46af756931a958

SHA512
6a0b59fadbd5de65372040ae46d217426c06dd90e51fb80dd016a51ebb87c545ff57c349469810ad30375fe537c0446fc064a298f0212ffa581693b814ffd397

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
44719685088ac0bc3826280bf23b0739

SHA1
198361593e759f0ce1af00f2919079f311df5659

SHA256
560971653cc3412d93a9507ebcc73e131f9fd5ba220f4bdc8a80bfb27e0f19bf

SHA512
5f5c33984958dddc1005af6d38286de5cc8db3a5e0bec3caa30a1cbafdc77013e7fa7d4816d87647667e89b63abcd3e58b62eba6bf3ffea2d6c432c853b09a4d

Download Submit