9f0340fca876c6d22a4e5d2ce83265321d8ddb6237119b871cc0e03796b542e8

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YUTK1/Admin/LeftFrame.htm
Size

8KB
MD5

e6467415acb3a3960c5d636167234c69
SHA1

db03309699f9d10e0a42dd12f06233c2ded7c754
SHA256

2e31fc59fb0fe16299117b0cfff72da18837dd2566d94f6cee97abe844ab60bf
SHA512

fd3f70e0498ff8030aaf4b5cd80c9350b4ba00a0b10756cf83f29201d85b33446d57d7ad49bc3f2a78c9bb9f41094d3ef40869bd6f05453fae05541288021b52
SSDEEP

192:wTZN+WCTE6cCi83CeilCoVC6g4JleoCxSCi:wX+WCTE6cCi83CeilCoVC6g4JleoCxSR

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4044	msedge.exe
4044	msedge.exe
1004	msedge.exe
1004	msedge.exe
3092	identity_helper.exe
3092	identity_helper.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1004 wrote to memory of 3492	1004	msedge.exe	83
PID 1004 wrote to memory of 3492	1004	msedge.exe	83
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 640	1004	msedge.exe	85
PID 1004 wrote to memory of 4044	1004	msedge.exe	86
PID 1004 wrote to memory of 4044	1004	msedge.exe	86
PID 1004 wrote to memory of 4320	1004	msedge.exe	87
PID 1004 wrote to memory of 4320	1004	msedge.exe	87
PID 1004 wrote to memory of 4320	1004	msedge.exe	87
PID 1004 wrote to memory of 4320	1004	msedge.exe	87
PID 1004 wrote to memory of 4320	1004	msedge.exe	87
PID 1004 wrote to memory of 4320	1004	msedge.exe	87
PID 1004 wrote to memory of 4320	1004	msedge.exe	87
PID 1004 wrote to memory of 4320	1004	msedge.exe	87
PID 1004 wrote to memory of 4320	1004	msedge.exe	87
PID 1004 wrote to memory of 4320	1004	msedge.exe	87
PID 1004 wrote to memory of 4320	1004	msedge.exe	87
PID 1004 wrote to memory of 4320	1004	msedge.exe	87
PID 1004 wrote to memory of 4320	1004	msedge.exe	87
PID 1004 wrote to memory of 4320	1004	msedge.exe	87
PID 1004 wrote to memory of 4320	1004	msedge.exe	87
PID 1004 wrote to memory of 4320	1004	msedge.exe	87
PID 1004 wrote to memory of 4320	1004	msedge.exe	87
PID 1004 wrote to memory of 4320	1004	msedge.exe	87
PID 1004 wrote to memory of 4320	1004	msedge.exe	87
PID 1004 wrote to memory of 4320	1004	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\YUTK1\Admin\LeftFrame.htm
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9840346f8,0x7ff984034708,0x7ff984034718
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,18286645514386797691,11454435971904894285,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,18286645514386797691,11454435971904894285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,18286645514386797691,11454435971904894285,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18286645514386797691,11454435971904894285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18286645514386797691,11454435971904894285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:2976
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,18286645514386797691,11454435971904894285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,18286645514386797691,11454435971904894285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18286645514386797691,11454435971904894285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18286645514386797691,11454435971904894285,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18286645514386797691,11454435971904894285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18286645514386797691,11454435971904894285,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,18286645514386797691,11454435971904894285,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3048 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ccb521eefc37187cb3bf6f30a1ed8f84

SHA1
0f4f1d3806af0d3ba640662b92075572968dbd48

SHA256
4637499c648b194e695ebda135a4ae126517f9a5de1fcd6f27ad0e8acbb2d126

SHA512
a4b1091aa6825084f65faa462824dd29e7f55feedb0dce22ae894791e42de46888aedd96880323f9ec95633e3f3267dcb19990d2577cbcfbc7c95407a8176d55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d78bbd80-0b36-4bdb-b559-99fe36221ed9.tmp

Filesize
5KB

MD5
ab250ede394a1d0c6cd87f5e5eafcdd3

SHA1
39846afc88364af3c9dbd94fe0e7a098cfea073d

SHA256
92d0e7c0edb1a5868bbf7dbdcb5eb57e360b17dd5863be313f63839ec141c744

SHA512
491a73de47535368b5b82db7389ea7628b93d06dd64222311a13a68f8d370cd729e3a98159af9464ed7c3c69d913b8c41272cd8e10e8534f870bdae4ba7036d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6e0ced2b7da9a9f723c737c1c61568b4

SHA1
9e46058c80e3fb7e14dd299ee4ebd95a8e46a084

SHA256
daa74da83d4db9f9a92ab1fa943bd66506bfc1faf4df75377fdaa70e17103fcf

SHA512
818cc50b82958e91ac8cae4777ffbf0ae07c8333f0af0392c757afde2fba8cb2659b68682cf6a0115a78b5c69c6c300ce695f1bd101f072c067669c68f985b1a

Download Submit