Analysis

  • max time kernel
    145s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-09-2024 09:56

General

  • Target

    $PLUGINSDIR/app/progress.html

  • Size

    20KB

  • MD5

    3cf16292a3b2b0a8e8be4d5dec3fe7fe

  • SHA1

    aea7bb7dcd69e29bfd176e4eb13e820ce3a6f008

  • SHA256

    9a074fc3a4e2b98ee4855e9ae491d0c004659bc2db623f90fdacf3f2e4b07761

  • SHA512

    0464aab09429e9c5c09b757a4d588fa1714cc9fe100e41559659a2aea1afeb5a10c292182e1784c40a09557222200a2dc2010007f64678e5de7178616a38086c

  • SSDEEP

    192:ha/cVDYmPkhHmY74deqmtRCtmK8WQI9gHcMlxh8Bi9LJFHab4rmgJnc5t/93j1uv:h+XaMr9n2u53UA5ia6w

Score
3/10

Malware Config

Signatures

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app\progress.html
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2260
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe5fbc46f8,0x7ffe5fbc4708,0x7ffe5fbc4718
      2⤵
        PID:3048
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,11156480387934635169,12441914908535623637,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
        2⤵
          PID:4836
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,11156480387934635169,12441914908535623637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4920
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,11156480387934635169,12441914908535623637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
          2⤵
            PID:1168
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11156480387934635169,12441914908535623637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
            2⤵
              PID:4820
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11156480387934635169,12441914908535623637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
              2⤵
                PID:4500
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,11156480387934635169,12441914908535623637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
                2⤵
                  PID:5084
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,11156480387934635169,12441914908535623637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4480
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11156480387934635169,12441914908535623637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
                  2⤵
                    PID:2432
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11156480387934635169,12441914908535623637,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
                    2⤵
                      PID:3488
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11156480387934635169,12441914908535623637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
                      2⤵
                        PID:4436
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11156480387934635169,12441914908535623637,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
                        2⤵
                          PID:3704
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,11156480387934635169,12441914908535623637,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3148 /prefetch:2
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:1536
                      • C:\Windows\System32\CompPkgSrv.exe
                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                        1⤵
                          PID:4384
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:1584

                          Network

                          • flag-us
                            DNS
                            232.168.11.51.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            232.168.11.51.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            25.140.123.92.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            25.140.123.92.in-addr.arpa
                            IN PTR
                            Response
                            25.140.123.92.in-addr.arpa
                            IN PTR
                            a92-123-140-25deploystaticakamaitechnologiescom
                          • flag-us
                            DNS
                            72.32.126.40.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            72.32.126.40.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            217.106.137.52.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            217.106.137.52.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            58.55.71.13.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            58.55.71.13.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            86.23.85.13.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            86.23.85.13.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            198.187.3.20.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            198.187.3.20.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            217.135.221.88.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            217.135.221.88.in-addr.arpa
                            IN PTR
                            Response
                            217.135.221.88.in-addr.arpa
                            IN PTR
                            a88-221-135-217deploystaticakamaitechnologiescom
                          • flag-us
                            DNS
                            11.227.111.52.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            11.227.111.52.in-addr.arpa
                            IN PTR
                            Response
                          No results found
                          • 8.8.8.8:53
                            232.168.11.51.in-addr.arpa
                            dns
                            72 B
                            158 B
                            1
                            1

                            DNS Request

                            232.168.11.51.in-addr.arpa

                          • 8.8.8.8:53
                            25.140.123.92.in-addr.arpa
                            dns
                            72 B
                            137 B
                            1
                            1

                            DNS Request

                            25.140.123.92.in-addr.arpa

                          • 8.8.8.8:53
                            72.32.126.40.in-addr.arpa
                            dns
                            71 B
                            157 B
                            1
                            1

                            DNS Request

                            72.32.126.40.in-addr.arpa

                          • 224.0.0.251:5353
                            454 B
                            7
                          • 8.8.8.8:53
                            217.106.137.52.in-addr.arpa
                            dns
                            73 B
                            147 B
                            1
                            1

                            DNS Request

                            217.106.137.52.in-addr.arpa

                          • 8.8.8.8:53
                            58.55.71.13.in-addr.arpa
                            dns
                            70 B
                            144 B
                            1
                            1

                            DNS Request

                            58.55.71.13.in-addr.arpa

                          • 8.8.8.8:53
                            86.23.85.13.in-addr.arpa
                            dns
                            70 B
                            144 B
                            1
                            1

                            DNS Request

                            86.23.85.13.in-addr.arpa

                          • 8.8.8.8:53
                            198.187.3.20.in-addr.arpa
                            dns
                            71 B
                            157 B
                            1
                            1

                            DNS Request

                            198.187.3.20.in-addr.arpa

                          • 8.8.8.8:53
                            217.135.221.88.in-addr.arpa
                            dns
                            73 B
                            139 B
                            1
                            1

                            DNS Request

                            217.135.221.88.in-addr.arpa

                          • 8.8.8.8:53
                            11.227.111.52.in-addr.arpa
                            dns
                            72 B
                            158 B
                            1
                            1

                            DNS Request

                            11.227.111.52.in-addr.arpa

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                            Filesize

                            152B

                            MD5

                            ab8ce148cb7d44f709fb1c460d03e1b0

                            SHA1

                            44d15744015155f3e74580c93317e12d2cc0f859

                            SHA256

                            014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

                            SHA512

                            f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                            Filesize

                            152B

                            MD5

                            38f59a47b777f2fc52088e96ffb2baaf

                            SHA1

                            267224482588b41a96d813f6d9e9d924867062db

                            SHA256

                            13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

                            SHA512

                            4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                            Filesize

                            6KB

                            MD5

                            dded27c055ab52e655e0241f56afa408

                            SHA1

                            24073897daf1cee928dd1e7478c8fde22c6d80c8

                            SHA256

                            6ee098a3ec6267e9b95910573564154ec654faf25f3fce08227aaf4edf820ce2

                            SHA512

                            a81230341a67d669712178981d19dd6f65ffd73d6ef4e739399f8b01bbd260a50626e36de79f79f98e8bca4b83c0edecc0c4a802954e65da2a8d85f287c8144f

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                            Filesize

                            6KB

                            MD5

                            eafdcf8ed14ecd82de6cff4bbf254624

                            SHA1

                            afde7b995e490d9cad0926c8b6c7737533703b63

                            SHA256

                            6c79e97a50d5d042ef51769b7252b05c28e0c2b93d964b05a3d458818b49e683

                            SHA512

                            e448f23aad8fd458a2fa8390d42430ea946349fa0a6f6034e8debccfd11949af2acc77d26f7aa4223d915ae25dd9642791805a28148581e506343580354c38fe

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                            Filesize

                            16B

                            MD5

                            6752a1d65b201c13b62ea44016eb221f

                            SHA1

                            58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                            SHA256

                            0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                            SHA512

                            9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                            Filesize

                            10KB

                            MD5

                            b6405607f1680198259b880742064c80

                            SHA1

                            58275d6cef463ee1ebbd7ce790b1f9dd00caa1f9

                            SHA256

                            ec5944074fa63092c9008971c7b5527078f67fab045cf0217970d8fd701bc72d

                            SHA512

                            9dabb94e9e8e77aef2016fd7dd9af94c3d344ad6e892034f39ea4f96f3f9d6a06f4c384658e67d1c3859a24fc3f1c15bcdfc4a015aba98d3050c6304f411cd8b

                          We care about your privacy.

                          This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.