9637503226fae7e5ef5c6fb1ebb523d335ffac22a3410b1648763145380ab865

Analysis

max time kernel
112s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$0/Resources/BrowserSearch/alot_search_defend.html
Size

1KB
MD5

32ad78f67cba13b15f746cb9b172c3e7
SHA1

1a9d093b854adb26be538730f31b2de89db80b5d
SHA256

a98eab555814276b5016d687c3945093705dc610a755892a712b7b7a423c5f29
SHA512

95856f4924c5bfc6265e9767c2c0fb2fb4fa10bad780c4152c07c0fe9123f7efa8766d80ab82150755fa75979f4f7af4b3aab2e3181a66cfc91d04caf2f8bf50

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4152	msedge.exe
4152	msedge.exe
4480	msedge.exe
4480	msedge.exe
4060	identity_helper.exe
4060	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 3416	4480	msedge.exe	82
PID 4480 wrote to memory of 3416	4480	msedge.exe	82
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4400	4480	msedge.exe	83
PID 4480 wrote to memory of 4152	4480	msedge.exe	84
PID 4480 wrote to memory of 4152	4480	msedge.exe	84
PID 4480 wrote to memory of 1348	4480	msedge.exe	85
PID 4480 wrote to memory of 1348	4480	msedge.exe	85
PID 4480 wrote to memory of 1348	4480	msedge.exe	85
PID 4480 wrote to memory of 1348	4480	msedge.exe	85
PID 4480 wrote to memory of 1348	4480	msedge.exe	85
PID 4480 wrote to memory of 1348	4480	msedge.exe	85
PID 4480 wrote to memory of 1348	4480	msedge.exe	85
PID 4480 wrote to memory of 1348	4480	msedge.exe	85
PID 4480 wrote to memory of 1348	4480	msedge.exe	85
PID 4480 wrote to memory of 1348	4480	msedge.exe	85
PID 4480 wrote to memory of 1348	4480	msedge.exe	85
PID 4480 wrote to memory of 1348	4480	msedge.exe	85
PID 4480 wrote to memory of 1348	4480	msedge.exe	85
PID 4480 wrote to memory of 1348	4480	msedge.exe	85
PID 4480 wrote to memory of 1348	4480	msedge.exe	85
PID 4480 wrote to memory of 1348	4480	msedge.exe	85
PID 4480 wrote to memory of 1348	4480	msedge.exe	85
PID 4480 wrote to memory of 1348	4480	msedge.exe	85
PID 4480 wrote to memory of 1348	4480	msedge.exe	85
PID 4480 wrote to memory of 1348	4480	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\$0\Resources\BrowserSearch\alot_search_defend.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc9c6946f8,0x7ffc9c694708,0x7ffc9c694718
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,15557011151154193550,2767997875864393681,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:2
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,15557011151154193550,2767997875864393681,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,15557011151154193550,2767997875864393681,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
  2⤵
  PID:1348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15557011151154193550,2767997875864393681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15557011151154193550,2767997875864393681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,15557011151154193550,2767997875864393681,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,15557011151154193550,2767997875864393681,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15557011151154193550,2767997875864393681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15557011151154193550,2767997875864393681,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:2036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15557011151154193550,2767997875864393681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15557011151154193550,2767997875864393681,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
  2⤵
  PID:4072

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2248

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
69e62ec273576b3121c2c8dc82226f31

SHA1
ae149e7661b17c394d465b85c08f54c73d355285

SHA256
e8451dc35a20c557c6ef45bc7a7702af62757fb5db6e48150ef99d64a7e2c013

SHA512
6a33bf0d096247be52958da85222550f5c93c7fa2394f0cad511a4b1488bb1ca5a7a2eab68e2874e56330ff7450f45f89fecc481af26b06aabf2630d218e5097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a9fc2d18843647129f7deb59affa6ce8

SHA1
f645af31caec1f04233b9189b22103fa17702849

SHA256
70a2da45e10091759b5bf5b30511a33f1482b6ab40cad45f7cae839d8bdcc2af

SHA512
b109c11bc35c6b125f56a56f6bd0d78ad2506c2c2c14a1bb5840e1719e15b92d99aea9bdb14add339ad5f8fb31c46e45cd8fdc5092be6c83ee73162af69648a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
742f723c79f97b2cac45845ceb32eecc

SHA1
fff6d7834a699a052a95036fddc5f9960638cd51

SHA256
cf19693b53731525e62137d39da2d16c1e88e73ed7332dcdebc6b44d1bbee765

SHA512
68bd190386a01ce6441be671c3a91c26bb6779d2743333e64fdc3c608eaacbcaed39b24e4231e1fadf8a573b0b4360ce5a6fb2ffbfce6f9e3dd17afd5877b529

Download Submit