Resubmissions
- 17-09-2024 09:31  240917-lg1xcswbqm  score 10
- 17-09-2024 09:29  240917-lgcjrswapc  score 10
- 17-09-2024 09:29  240917-lf6ffswand  score 10
- 17-09-2024 09:29  240917-lfw7sawbkr  score 10
- 03-05-2024 08:53  240503-ktflhsbb5v  score 10
- 03-05-2024 08:52  240503-ks6fjsbb4y  score 10

Analysis
- max time kernel: 19s
- max time network: 24s
- platform: windows11-21h2_x64
- resource: win11-20240802-en
- resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 17-09-2024 09:29
Behavioral task
behavioral1
Sample
6a7ae322269fde1d1745b0dd5b7c5a47dec8ca798435cdc65c78bb9ddbaca925.exe
Resource
win11-20240802-en
General
-
Target
6a7ae322269fde1d1745b0dd5b7c5a47dec8ca798435cdc65c78bb9ddbaca925.exe
-
Size
240KB
-
MD5
c1397ef661ba5945c1dbc46131239389
-
SHA1
8196513366bc7ee3d95c86b66c47d57a7edfa89a
-
SHA256
6a7ae322269fde1d1745b0dd5b7c5a47dec8ca798435cdc65c78bb9ddbaca925
-
SHA512
647741b38c2096ca16c020533e8a41e9a9a9df86887072117bb4a5a4940624e065e56a64fdf1392c0c2e3995b68f5ab3d3982613d6b7965e802bf694f5b3006f
-
SSDEEP
3072:uc6XydFjCuZm9GY4qzXbUaFLC8dU78aaKOdemqHWosPY5SUgmwhiAbWO2qUugr:E9TvUMPUXL8osPugmwhi4d3U
Malware Config
Signatures
-
Program crash (1 IoC)
pid   pid_target  Process       procid_target
3320  660         WerFault.exe  77

Enumerates system info in registry (2 TTPs, 3 IoCs)
description        ioc                                                                    Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid   Process
4404  msedge.exe  (2 entries)
2180  msedge.exe  (2 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
pid   Process
2180  msedge.exe  (all 4 entries)

Suspicious use of FindShellTrayWindow (26 IoCs)
pid   Process
2180  msedge.exe  (all 26 entries)

Suspicious use of SendNotifyMessage (12 IoCs)
pid   Process
2180  msedge.exe  (all 12 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
All 64 entries are PID 2180 (msedge.exe) writing to the memory of its own child processes; the distinct targets are:
description                             pid   Process     procid_target
PID 2180 wrote to memory of 2840        2180  msedge.exe  85
PID 2180 wrote to memory of 1428        2180  msedge.exe  86
PID 2180 wrote to memory of 4404        2180  msedge.exe  87
PID 2180 wrote to memory of 1388        2180  msedge.exe  88
Processes
- C:\Users\Admin\AppData\Local\Temp\6a7ae322269fde1d1745b0dd5b7c5a47dec8ca798435cdc65c78bb9ddbaca925.exe (PID 660)
  command line: "C:\Users\Admin\AppData\Local\Temp\6a7ae322269fde1d1745b0dd5b7c5a47dec8ca798435cdc65c78bb9ddbaca925.exe"
  - C:\Windows\SysWOW64\WerFault.exe (PID 3320)
    signatures: Program crash
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 660 -s 8
- C:\Windows\SysWOW64\WerFault.exe (PID 4156)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 660 -ip 660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2180)
  signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  - msedge.exe (PID 2840, crashpad-handler)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe97943cb8,0x7ffe97943cc8,0x7ffe97943cd8
  - msedge.exe (PID 1428, gpu-process)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,14703155099764317090,17844142000978428772,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1856 /prefetch:2
  - msedge.exe (PID 4404, utility: network.mojom.NetworkService)
    signatures: Suspicious behavior: EnumeratesProcesses
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1844,14703155099764317090,17844142000978428772,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  - msedge.exe (PID 1388, utility: storage.mojom.StorageService)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1844,14703155099764317090,17844142000978428772,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2572 /prefetch:8
  - msedge.exe (PID 712, renderer)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,14703155099764317090,17844142000978428772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  - msedge.exe (PID 1212, renderer)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,14703155099764317090,17844142000978428772,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  - msedge.exe (PID 1972, renderer)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,14703155099764317090,17844142000978428772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
  - msedge.exe (PID 1824, renderer)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,14703155099764317090,17844142000978428772,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
- C:\Windows\System32\CompPkgSrv.exe (PID 4516)
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 5012)
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network

DNS queries (remote address 8.8.8.8:53)
- Request: 219.143.101.95.in-addr.arpa IN PTR
  Response: 219.143.101.95.in-addr.arpa IN PTR a95-101-143-219.deploy.static.akamaitechnologies.com
- Request: login.live.com IN A
  Response:
    login.live.com IN CNAME login.msa.msidentity.com
    login.msa.msidentity.com IN CNAME www.tm.lg.prod.aadmsa.akadns.net
    www.tm.lg.prod.aadmsa.akadns.net IN CNAME prdv4a.aadg.msidentity.com
    prdv4a.aadg.msidentity.com IN CNAME www.tm.v4.a.prd.aadg.trafficmanager.net
    www.tm.v4.a.prd.aadg.trafficmanager.net IN A 20.190.160.17
    www.tm.v4.a.prd.aadg.trafficmanager.net IN A 20.190.160.20
    www.tm.v4.a.prd.aadg.trafficmanager.net IN A 40.126.32.68
    www.tm.v4.a.prd.aadg.trafficmanager.net IN A 40.126.32.76
    www.tm.v4.a.prd.aadg.trafficmanager.net IN A 40.126.32.74
    www.tm.v4.a.prd.aadg.trafficmanager.net IN A 20.190.160.22
    www.tm.v4.a.prd.aadg.trafficmanager.net IN A 40.126.32.136
    www.tm.v4.a.prd.aadg.trafficmanager.net IN A 40.126.32.134
- Request: 222.197.79.204.in-addr.arpa IN PTR
  Response: (empty)
- Request: 74.239.69.13.in-addr.arpa IN PTR
  Response: (empty)
- Request: fp.msedge.net IN A
  Response:
    fp.msedge.net IN CNAME 1.perf.msedge.net
    1.perf.msedge.net IN CNAME a-0019.a-msedge.net
    a-0019.a-msedge.net IN CNAME a-0019.a.dns.azurefd.net
    a-0019.a.dns.azurefd.net IN CNAME a-0019.standard.a-msedge.net
    a-0019.standard.a-msedge.net IN A 204.79.197.222

Connections (per-flow traffic figures as extracted; the remote host column did not survive extraction)
- 23.6kB  154.1kB  151  133
- 1.1kB   5.2kB    13   11
- 66.0kB  1.6MB    1217 1197
- 1.1kB   5.1kB    13   11
- 1.1kB   5.1kB    13   11
- 1.0kB   5.1kB    12   11
- 1.1kB   5.1kB    13   11
- 1.1kB   5.1kB    13   11
- 3.2kB   7.6kB    20   15
- 206 B   627 B    3    3
  DNS Request: 219.143.101.95.in-addr.arpa
  DNS Request: login.live.com
  DNS Response: 20.190.160.17, 20.190.160.20, 40.126.32.68, 40.126.32.76, 40.126.32.74, 20.190.160.22, 40.126.32.136, 40.126.32.134
  DNS Request: 222.197.79.204.in-addr.arpa
- 130 B   336 B    2    2
  DNS Request: 74.239.69.13.in-addr.arpa
  DNS Request: fp.msedge.net
  DNS Response: 204.79.197.222
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: 4c3889d3f0d2246f800c495aec7c3f7c
  SHA1: dd38e6bf74617bfcf9d6cceff2f746a094114220
  SHA256: 0a4781bca132edf11500537cbf95ff840c2b6fd33cd94809ca9929f00044bea4
  SHA512: 2d6cb23e2977c0890f69751a96daeb71e0f12089625f32b34b032615435408f21047b90c19de09f83ef99957681440fdc0c985e079bb196371881b5fdca68a37
- Filesize: 152B
  MD5: c4a10f6df4922438ca68ada540730100
  SHA1: 4c7bfbe3e2358a28bf5b024c4be485fa6773629e
  SHA256: f286c908fea67163f02532503b5555a939f894c6f2e683d80679b7e5726a7c02
  SHA512: b4d407341989e0bbbe0cdd64f7757bea17f0141a89104301dd7ffe45e7511d3ea27c53306381a29c24df68bdb9677eb8c07d4d88874d86aba41bb6f0ce7a942c
- Filesize: 5KB
  MD5: f9551718a891eacd4264161aff68a5bf
  SHA1: 444aabad23b1276116fa5a149fba239cdd3f79be
  SHA256: 4cfdf2fefa1c6c5ba12b03003684536ae836f53153fe53c76478d5c2492d92ee
  SHA512: f6e22143735cde717a490968ec4f0e81f608590c1e868f3751110731b276ad5d63467f7b23a27bf48200778689136e08394770b4bd97163a3b7136e8d771d13e
- Filesize: 5KB
  MD5: fa79a25302b9090dd11ccf38c38ef44c
  SHA1: bd99a648dc0276a990b00ccbcdc9aff9f561ccb1
  SHA256: 1841c8752d5a63b9ba40119c1491c3573aabc2b48c16b4f7cc1d91c557c4ecfd
  SHA512: b54fb0ef4a0adddd1dcbcb19f6004a08fe87a62252c16d4d0019bc9ce32f0a04b851bc971b06e14bbc88d759a9e9c1a29c9a62c2654e8147251f8a4fc96123b2
- Filesize: 10KB
  MD5: 484a5d34f94831ccaeb03497106e851c
  SHA1: dad9b1525970e55f7f87199357851c24920e6cfc
  SHA256: 522fb286791bdeb7ac7be52256720270d5bda4c2af7769615200b7420abc5607
  SHA512: 086be15de9f0e853e3af2907973a3b2271ae15e4c68456b7dba18b4ff0c14c9a6877f179f2aa7cd322edb31b4f5cd165b7c773ce4c4b0d66bd14fbdbd5815920
- Filesize: 264KB
  MD5: f50f89a0a91564d0b8a211f8921aa7de
  SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
  SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
  SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58