5e0ef440817d96bb71f7da4674c82fd9bc8d69a3ba939c0cf0f7f2b7b2318fd7

Resubmissions

17/09/2024, 09:31

240917-lg1xcswbqm 10

17/09/2024, 09:29

17/09/2024, 09:29

17/09/2024, 09:29

03/05/2024, 08:53

03/05/2024, 08:52

Analysis

max time kernel
19s
max time network
24s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
17/09/2024, 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a7ae322269fde1d1745b0dd5b7c5a47dec8ca798435cdc65c78bb9ddbaca925.exe
Size

240KB
MD5

c1397ef661ba5945c1dbc46131239389
SHA1

8196513366bc7ee3d95c86b66c47d57a7edfa89a
SHA256

6a7ae322269fde1d1745b0dd5b7c5a47dec8ca798435cdc65c78bb9ddbaca925
SHA512

647741b38c2096ca16c020533e8a41e9a9a9df86887072117bb4a5a4940624e065e56a64fdf1392c0c2e3995b68f5ab3d3982613d6b7965e802bf694f5b3006f
SSDEEP

3072:uc6XydFjCuZm9GY4qzXbUaFLC8dU78aaKOdemqHWosPY5SUgmwhiAbWO2qUugr:E9TvUMPUXL8osPugmwhi4d3U

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3320	660	WerFault.exe	77

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4404	msedge.exe
4404	msedge.exe
2180	msedge.exe
2180	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2840	2180	msedge.exe	85
PID 2180 wrote to memory of 2840	2180	msedge.exe	85
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 1428	2180	msedge.exe	86
PID 2180 wrote to memory of 4404	2180	msedge.exe	87
PID 2180 wrote to memory of 4404	2180	msedge.exe	87
PID 2180 wrote to memory of 1388	2180	msedge.exe	88
PID 2180 wrote to memory of 1388	2180	msedge.exe	88
PID 2180 wrote to memory of 1388	2180	msedge.exe	88
PID 2180 wrote to memory of 1388	2180	msedge.exe	88
PID 2180 wrote to memory of 1388	2180	msedge.exe	88
PID 2180 wrote to memory of 1388	2180	msedge.exe	88
PID 2180 wrote to memory of 1388	2180	msedge.exe	88
PID 2180 wrote to memory of 1388	2180	msedge.exe	88
PID 2180 wrote to memory of 1388	2180	msedge.exe	88
PID 2180 wrote to memory of 1388	2180	msedge.exe	88
PID 2180 wrote to memory of 1388	2180	msedge.exe	88
PID 2180 wrote to memory of 1388	2180	msedge.exe	88
PID 2180 wrote to memory of 1388	2180	msedge.exe	88
PID 2180 wrote to memory of 1388	2180	msedge.exe	88
PID 2180 wrote to memory of 1388	2180	msedge.exe	88
PID 2180 wrote to memory of 1388	2180	msedge.exe	88
PID 2180 wrote to memory of 1388	2180	msedge.exe	88
PID 2180 wrote to memory of 1388	2180	msedge.exe	88
PID 2180 wrote to memory of 1388	2180	msedge.exe	88
PID 2180 wrote to memory of 1388	2180	msedge.exe	88

C:\Users\Admin\AppData\Local\Temp\6a7ae322269fde1d1745b0dd5b7c5a47dec8ca798435cdc65c78bb9ddbaca925.exe
"C:\Users\Admin\AppData\Local\Temp\6a7ae322269fde1d1745b0dd5b7c5a47dec8ca798435cdc65c78bb9ddbaca925.exe"
1⤵
PID:660
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 660 -s 8
  2⤵
  - Program crash
  PID:3320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 660 -ip 660
1⤵
PID:4156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe97943cb8,0x7ffe97943cc8,0x7ffe97943cd8
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,14703155099764317090,17844142000978428772,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1856 /prefetch:2
  2⤵
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1844,14703155099764317090,17844142000978428772,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1844,14703155099764317090,17844142000978428772,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2572 /prefetch:8
  2⤵
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,14703155099764317090,17844142000978428772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,14703155099764317090,17844142000978428772,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,14703155099764317090,17844142000978428772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,14703155099764317090,17844142000978428772,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:1824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c3889d3f0d2246f800c495aec7c3f7c

SHA1
dd38e6bf74617bfcf9d6cceff2f746a094114220

SHA256
0a4781bca132edf11500537cbf95ff840c2b6fd33cd94809ca9929f00044bea4

SHA512
2d6cb23e2977c0890f69751a96daeb71e0f12089625f32b34b032615435408f21047b90c19de09f83ef99957681440fdc0c985e079bb196371881b5fdca68a37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c4a10f6df4922438ca68ada540730100

SHA1
4c7bfbe3e2358a28bf5b024c4be485fa6773629e

SHA256
f286c908fea67163f02532503b5555a939f894c6f2e683d80679b7e5726a7c02

SHA512
b4d407341989e0bbbe0cdd64f7757bea17f0141a89104301dd7ffe45e7511d3ea27c53306381a29c24df68bdb9677eb8c07d4d88874d86aba41bb6f0ce7a942c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f9551718a891eacd4264161aff68a5bf

SHA1
444aabad23b1276116fa5a149fba239cdd3f79be

SHA256
4cfdf2fefa1c6c5ba12b03003684536ae836f53153fe53c76478d5c2492d92ee

SHA512
f6e22143735cde717a490968ec4f0e81f608590c1e868f3751110731b276ad5d63467f7b23a27bf48200778689136e08394770b4bd97163a3b7136e8d771d13e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fa79a25302b9090dd11ccf38c38ef44c

SHA1
bd99a648dc0276a990b00ccbcdc9aff9f561ccb1

SHA256
1841c8752d5a63b9ba40119c1491c3573aabc2b48c16b4f7cc1d91c557c4ecfd

SHA512
b54fb0ef4a0adddd1dcbcb19f6004a08fe87a62252c16d4d0019bc9ce32f0a04b851bc971b06e14bbc88d759a9e9c1a29c9a62c2654e8147251f8a4fc96123b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
484a5d34f94831ccaeb03497106e851c

SHA1
dad9b1525970e55f7f87199357851c24920e6cfc

SHA256
522fb286791bdeb7ac7be52256720270d5bda4c2af7769615200b7420abc5607

SHA512
086be15de9f0e853e3af2907973a3b2271ae15e4c68456b7dba18b4ff0c14c9a6877f179f2aa7cd322edb31b4f5cd165b7c773ce4c4b0d66bd14fbdbd5815920

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit