aaa5b307a530fd1d0a570b258663b33e8a60efeb89391d59300c671c8e2ba2e5

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

使用说明.html
Size

79B
MD5

e42e985ca15fa65fdf0ce8ba8c88fc9f
SHA1

c2f83bf5752b437420b5453eac38f3fcdac9ed26
SHA256

befe46777de125b91e2e2496d7f311797b1902cb27c96780729749b86fca877c
SHA512

c1d5d28db26910be83f19b074f56dec07e4d1b3900080113a16ccbc46fd6682edb229b7927b0501a90f1e7773d74a340e35fc4589be600401570672fb357ea85

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2720	msedge.exe
2720	msedge.exe
4904	msedge.exe
4904	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 3048	4904	msedge.exe	81
PID 4904 wrote to memory of 3048	4904	msedge.exe	81
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 4348	4904	msedge.exe	82
PID 4904 wrote to memory of 2720	4904	msedge.exe	83
PID 4904 wrote to memory of 2720	4904	msedge.exe	83
PID 4904 wrote to memory of 3500	4904	msedge.exe	84
PID 4904 wrote to memory of 3500	4904	msedge.exe	84
PID 4904 wrote to memory of 3500	4904	msedge.exe	84
PID 4904 wrote to memory of 3500	4904	msedge.exe	84
PID 4904 wrote to memory of 3500	4904	msedge.exe	84
PID 4904 wrote to memory of 3500	4904	msedge.exe	84
PID 4904 wrote to memory of 3500	4904	msedge.exe	84
PID 4904 wrote to memory of 3500	4904	msedge.exe	84
PID 4904 wrote to memory of 3500	4904	msedge.exe	84
PID 4904 wrote to memory of 3500	4904	msedge.exe	84
PID 4904 wrote to memory of 3500	4904	msedge.exe	84
PID 4904 wrote to memory of 3500	4904	msedge.exe	84
PID 4904 wrote to memory of 3500	4904	msedge.exe	84
PID 4904 wrote to memory of 3500	4904	msedge.exe	84
PID 4904 wrote to memory of 3500	4904	msedge.exe	84
PID 4904 wrote to memory of 3500	4904	msedge.exe	84
PID 4904 wrote to memory of 3500	4904	msedge.exe	84
PID 4904 wrote to memory of 3500	4904	msedge.exe	84
PID 4904 wrote to memory of 3500	4904	msedge.exe	84
PID 4904 wrote to memory of 3500	4904	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\使用说明.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab96846f8,0x7ffab9684708,0x7ffab9684718
  2⤵
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,851610062400984544,14049454401613391433,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,851610062400984544,14049454401613391433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,851610062400984544,14049454401613391433,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
  2⤵
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,851610062400984544,14049454401613391433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,851610062400984544,14049454401613391433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:1416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,851610062400984544,14049454401613391433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
  2⤵
  PID:3236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,851610062400984544,14049454401613391433,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4888 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2140

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
06b4abf8c370d441b7c06f1ae1100080

SHA1
f7e3cc811807b8a1e6ead264178843a152b646ed

SHA256
5da8966c666df07c08bfe39d8e76886658ba642fb5c1b1b2fa69e2a3385826da

SHA512
990f57c7d1ab1b1a32f89d16cd1c1ab5e717dcd7f9a500d44690d69f58bb962129e9d500c3a7a323accb8f60fe46cd05d4a4f18590e7eba7d5da72da9ea6ceb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fb14e248d68a70cd914197a535c6692f

SHA1
c530f75ca3e45ba45cd694970afc7425913e526e

SHA256
a61c71c936df1d71eb045472affc6e9f913b7accc2cac0e0fa6d2e2469a29168

SHA512
799fef849d3627b681e18bb7e2f2781f81abf088ce42da0b688133eb13b3c828499fc8d5c84cc07eb843babc4476eeb142e56019262e6b3cca28f2b23ae61385

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b07081682064f85ccecb52fdd2b690f2

SHA1
348b52da6e179a7c1e642756b7851d255e1eb09f

SHA256
517e8d3f5a6a0194a3e4c1d31c739dc66a0c436426088d6ba523ef9460fa729e

SHA512
480c8147d599d761ac52c65702e92f65dd3dc3a2ecc85bb1c16e6c849af931685fe8948bfb7c3507acfd4b2977b9c132b2bc162031157c9bb94ccbaa9c88095c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7e61d1b4d6c93dd6565ac5838e383615

SHA1
175975d1accd48c2b51b7bd17e7faf440a77b05c

SHA256
a110397bc1a451675ecbb99743661cf0577be540f0fde780270914517a6ec45a

SHA512
a1ecf003f7a9063cb9bcf7f03222cbfc3e74e4354b906896daf2d149aeebca85373ca31e4d672d820d4a752828604fb09928f248c49bd55dc990d0d7c8ce7921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ba62ffae0f52bd19ca54c54f4aa9aa00

SHA1
fcee532764906eb179db9987dfcfe7da4cfa0b04

SHA256
d7179475b23d8f5750b0594858c3282efe10916025d1dfbe5be7b9b1e91acd2c

SHA512
efa3a05d41ca190da2d84e1c47270737ee25c01e033e1fdf8b2b0e918b2ededc0a3867ac9fabdeae2040a437c072418845b4e368438619b1b55fe567e9c34bb2

Download Submit