Resubmissions

17-09-2024 09:31

240917-lg1xcswbqm 10

17-09-2024 09:29

240917-lgcjrswapc 10

17-09-2024 09:29

240917-lf6ffswand 10

17-09-2024 09:29

240917-lfw7sawbkr 10

03-05-2024 08:53

240503-ktflhsbb5v 10

03-05-2024 08:52

240503-ks6fjsbb4y 10

Analysis

  • max time kernel
    19s
  • max time network
    24s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    17-09-2024 09:29

General

  • Target

    6a7ae322269fde1d1745b0dd5b7c5a47dec8ca798435cdc65c78bb9ddbaca925.exe

  • Size

    240KB

  • MD5

    c1397ef661ba5945c1dbc46131239389

  • SHA1

    8196513366bc7ee3d95c86b66c47d57a7edfa89a

  • SHA256

    6a7ae322269fde1d1745b0dd5b7c5a47dec8ca798435cdc65c78bb9ddbaca925

  • SHA512

    647741b38c2096ca16c020533e8a41e9a9a9df86887072117bb4a5a4940624e065e56a64fdf1392c0c2e3995b68f5ab3d3982613d6b7965e802bf694f5b3006f

  • SSDEEP

    3072:uc6XydFjCuZm9GY4qzXbUaFLC8dU78aaKOdemqHWosPY5SUgmwhiAbWO2qUugr:E9TvUMPUXL8osPugmwhi4d3U

Score
3/10

Malware Config

Signatures

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Program crash 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a7ae322269fde1d1745b0dd5b7c5a47dec8ca798435cdc65c78bb9ddbaca925.exe
    "C:\Users\Admin\AppData\Local\Temp\6a7ae322269fde1d1745b0dd5b7c5a47dec8ca798435cdc65c78bb9ddbaca925.exe"
    PID:660
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 660 -s 8
        • Program crash
        PID:3320
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 660 -ip 660
    PID:4156
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2180
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe97943cb8,0x7ffe97943cc8,0x7ffe97943cd8
        PID:2840
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,14703155099764317090,17844142000978428772,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1856 /prefetch:2
        PID:1428
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1844,14703155099764317090,17844142000978428772,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
        • Suspicious behavior: EnumeratesProcesses
        PID:4404
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1844,14703155099764317090,17844142000978428772,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2572 /prefetch:8
        PID:1388
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,14703155099764317090,17844142000978428772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
        PID:712
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,14703155099764317090,17844142000978428772,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
        PID:1212
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,14703155099764317090,17844142000978428772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
        PID:1972
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,14703155099764317090,17844142000978428772,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
        PID:1824
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID:4516
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID:5012

Network

  • DNS 219.143.101.95.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 219.143.101.95.in-addr.arpa IN PTR
    Response: 219.143.101.95.in-addr.arpa IN PTR a95-101-143-219.deploy.static.akamaitechnologies.com
  • DNS login.live.com
    Remote address: 8.8.8.8:53
    Request: login.live.com IN A
    Response:
      login.live.com IN CNAME login.msa.msidentity.com
      login.msa.msidentity.com IN CNAME www.tm.lg.prod.aadmsa.akadns.net
      www.tm.lg.prod.aadmsa.akadns.net IN CNAME prdv4a.aadg.msidentity.com
      prdv4a.aadg.msidentity.com IN CNAME www.tm.v4.a.prd.aadg.trafficmanager.net
      www.tm.v4.a.prd.aadg.trafficmanager.net IN A 20.190.160.17
      www.tm.v4.a.prd.aadg.trafficmanager.net IN A 20.190.160.20
      www.tm.v4.a.prd.aadg.trafficmanager.net IN A 40.126.32.68
      www.tm.v4.a.prd.aadg.trafficmanager.net IN A 40.126.32.76
      www.tm.v4.a.prd.aadg.trafficmanager.net IN A 40.126.32.74
      www.tm.v4.a.prd.aadg.trafficmanager.net IN A 20.190.160.22
      www.tm.v4.a.prd.aadg.trafficmanager.net IN A 40.126.32.136
      www.tm.v4.a.prd.aadg.trafficmanager.net IN A 40.126.32.134
  • DNS 222.197.79.204.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 222.197.79.204.in-addr.arpa IN PTR
    Response: (no records)
  • DNS 74.239.69.13.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 74.239.69.13.in-addr.arpa IN PTR
    Response: (no records)
  • DNS fp.msedge.net
    Remote address: 8.8.8.8:53
    Request: fp.msedge.net IN A
    Response:
      fp.msedge.net IN CNAME 1.perf.msedge.net
      1.perf.msedge.net IN CNAME a-0019.a-msedge.net
      a-0019.a-msedge.net IN CNAME a-0019.a.dns.azurefd.net
      a-0019.a.dns.azurefd.net IN CNAME a-0019.standard.a-msedge.net
      a-0019.standard.a-msedge.net IN A 204.79.197.222
  • 104.86.110.113:443  www.bing.com  tls  23.6kB  154.1kB  151  133
  • 104.86.110.113:443  www.bing.com  tls  1.1kB  5.2kB  13  11
  • 95.101.143.219:443  r.bing.com  tls  66.0kB  1.6MB  1217  1197
  • 95.101.143.219:443  r.bing.com  tls  1.1kB  5.1kB  13  11
  • 95.101.143.219:443  r.bing.com  tls  1.1kB  5.1kB  13  11
  • 95.101.143.219:443  r.bing.com  tls  1.0kB  5.1kB  12  11
  • 95.101.143.219:443  r.bing.com  tls  1.1kB  5.1kB  13  11
  • 95.101.143.219:443  r.bing.com  tls  1.1kB  5.1kB  13  11
  • 13.69.239.74:443  browser.pipe.aria.microsoft.com  tls  3.2kB  7.6kB  20  15
  • 8.8.8.8:53  219.143.101.95.in-addr.arpa  dns  206 B  627 B  3  3
    DNS Request: 219.143.101.95.in-addr.arpa
    DNS Request: login.live.com
    DNS Response: 20.190.160.17, 20.190.160.20, 40.126.32.68, 40.126.32.76, 40.126.32.74, 20.190.160.22, 40.126.32.136, 40.126.32.134
    DNS Request: 222.197.79.204.in-addr.arpa
  • 8.8.8.8:53  74.239.69.13.in-addr.arpa  dns  130 B  336 B  2  2
    DNS Request: 74.239.69.13.in-addr.arpa
    DNS Request: fp.msedge.net
    DNS Response: 204.79.197.222

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 4c3889d3f0d2246f800c495aec7c3f7c
    SHA1: dd38e6bf74617bfcf9d6cceff2f746a094114220
    SHA256: 0a4781bca132edf11500537cbf95ff840c2b6fd33cd94809ca9929f00044bea4
    SHA512: 2d6cb23e2977c0890f69751a96daeb71e0f12089625f32b34b032615435408f21047b90c19de09f83ef99957681440fdc0c985e079bb196371881b5fdca68a37
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: c4a10f6df4922438ca68ada540730100
    SHA1: 4c7bfbe3e2358a28bf5b024c4be485fa6773629e
    SHA256: f286c908fea67163f02532503b5555a939f894c6f2e683d80679b7e5726a7c02
    SHA512: b4d407341989e0bbbe0cdd64f7757bea17f0141a89104301dd7ffe45e7511d3ea27c53306381a29c24df68bdb9677eb8c07d4d88874d86aba41bb6f0ce7a942c
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: f9551718a891eacd4264161aff68a5bf
    SHA1: 444aabad23b1276116fa5a149fba239cdd3f79be
    SHA256: 4cfdf2fefa1c6c5ba12b03003684536ae836f53153fe53c76478d5c2492d92ee
    SHA512: f6e22143735cde717a490968ec4f0e81f608590c1e868f3751110731b276ad5d63467f7b23a27bf48200778689136e08394770b4bd97163a3b7136e8d771d13e
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: fa79a25302b9090dd11ccf38c38ef44c
    SHA1: bd99a648dc0276a990b00ccbcdc9aff9f561ccb1
    SHA256: 1841c8752d5a63b9ba40119c1491c3573aabc2b48c16b4f7cc1d91c557c4ecfd
    SHA512: b54fb0ef4a0adddd1dcbcb19f6004a08fe87a62252c16d4d0019bc9ce32f0a04b851bc971b06e14bbc88d759a9e9c1a29c9a62c2654e8147251f8a4fc96123b2
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 10KB
    MD5: 484a5d34f94831ccaeb03497106e851c
    SHA1: dad9b1525970e55f7f87199357851c24920e6cfc
    SHA256: 522fb286791bdeb7ac7be52256720270d5bda4c2af7769615200b7420abc5607
    SHA512: 086be15de9f0e853e3af2907973a3b2271ae15e4c68456b7dba18b4ff0c14c9a6877f179f2aa7cd322edb31b4f5cd165b7c773ce4c4b0d66bd14fbdbd5815920
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
    Filesize: 264KB
    MD5: f50f89a0a91564d0b8a211f8921aa7de
    SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
    SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
    SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
