Analysis

  • max time kernel
    145s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/09/2024, 05:16 UTC

General

  • Target

    docsis_cfg2.0.7/doc/index.html

  • Size

    6KB

  • MD5

    e9c374514c9452d307de0d074ef95b55

  • SHA1

    de5c6d0c2059b841a62d6a86abbeb23ac221b6ec

  • SHA256

    2b7e353dd45a3b0f155ef904a9e6c178fcef24d95922ee960df6cd6f62299af2

  • SHA512

    97237609c7d968c7a7d3251769b922e4286d415da1f25281957313570bcb6717f184b31c112231553a3ee6d34e49525d1cd503c18f9169acb9651ef10c6a2552

  • SSDEEP

    96:jAwfzDRHXNJsCTSTGhricBwmupEnt0gM1kfXxQ8IUAg5w0orw8Z0p8qBNoCcqE:jtt3w9TGViUupEnt0fCfhA2rp8SRE

Score
3/10

Malware Config

Signatures

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\docsis_cfg2.0.7\doc\index.html
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2252
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc28ee46f8,0x7ffc28ee4708,0x7ffc28ee4718
      2⤵
        PID:1168
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,4037682575958977691,11112177363971725463,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
        2⤵
          PID:2656
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,4037682575958977691,11112177363971725463,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4992
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,4037682575958977691,11112177363971725463,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2468 /prefetch:8
          2⤵
            PID:824
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4037682575958977691,11112177363971725463,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
            2⤵
              PID:1796
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4037682575958977691,11112177363971725463,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
              2⤵
                PID:3416
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,4037682575958977691,11112177363971725463,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 /prefetch:8
                2⤵
                  PID:3536
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,4037682575958977691,11112177363971725463,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:5092
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4037682575958977691,11112177363971725463,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
                  2⤵
                    PID:2144
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4037682575958977691,11112177363971725463,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
                    2⤵
                      PID:4576
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4037682575958977691,11112177363971725463,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
                      2⤵
                        PID:4476
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4037682575958977691,11112177363971725463,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
                        2⤵
                          PID:4140
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,4037682575958977691,11112177363971725463,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1760 /prefetch:2
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:1420
                      • C:\Windows\System32\CompPkgSrv.exe
                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                        1⤵
                          PID:3772
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:3096

                          Network

                          • flag-us
                            DNS
                            217.106.137.52.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            217.106.137.52.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            172.210.232.199.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            172.210.232.199.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            68.159.190.20.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            68.159.190.20.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            68.159.190.20.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            68.159.190.20.in-addr.arpa
                            IN PTR
                          • flag-us
                            DNS
                            68.159.190.20.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            68.159.190.20.in-addr.arpa
                            IN PTR
                          • flag-us
                            DNS
                            68.159.190.20.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            68.159.190.20.in-addr.arpa
                            IN PTR
                          • flag-us
                            DNS
                            68.159.190.20.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            68.159.190.20.in-addr.arpa
                            IN PTR
                          • flag-us
                            DNS
                            104.219.191.52.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            104.219.191.52.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            86.23.85.13.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            86.23.85.13.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            241.150.49.20.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            241.150.49.20.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            241.150.49.20.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            241.150.49.20.in-addr.arpa
                            IN PTR
                          • flag-us
                            DNS
                            198.187.3.20.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            198.187.3.20.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            198.187.3.20.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            198.187.3.20.in-addr.arpa
                            IN PTR
                          • flag-us
                            DNS
                            98.117.19.2.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            98.117.19.2.in-addr.arpa
                            IN PTR
                            Response
                            98.117.19.2.in-addr.arpa
                            IN PTR
                            a2-19-117-98deploystaticakamaitechnologiescom
                          • flag-us
                            DNS
                            48.229.111.52.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            48.229.111.52.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            48.229.111.52.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            48.229.111.52.in-addr.arpa
                            IN PTR
                          • flag-us
                            DNS
                            48.229.111.52.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            48.229.111.52.in-addr.arpa
                            IN PTR
                          No results found
                          • 8.8.8.8:53
                            217.106.137.52.in-addr.arpa
                            dns
                            73 B
                            147 B
                            1
                            1

                            DNS Request

                            217.106.137.52.in-addr.arpa

                          • 224.0.0.251:5353
                            457 B
                            7
                          • 8.8.8.8:53
                            172.210.232.199.in-addr.arpa
                            dns
                            74 B
                            128 B
                            1
                            1

                            DNS Request

                            172.210.232.199.in-addr.arpa

                          • 8.8.8.8:53
                            68.159.190.20.in-addr.arpa
                            dns
                            360 B
                            158 B
                            5
                            1

                            DNS Request

                            68.159.190.20.in-addr.arpa

                            DNS Request

                            68.159.190.20.in-addr.arpa

                            DNS Request

                            68.159.190.20.in-addr.arpa

                            DNS Request

                            68.159.190.20.in-addr.arpa

                            DNS Request

                            68.159.190.20.in-addr.arpa

                          • 8.8.8.8:53
                            104.219.191.52.in-addr.arpa
                            dns
                            73 B
                            147 B
                            1
                            1

                            DNS Request

                            104.219.191.52.in-addr.arpa

                          • 8.8.8.8:53
                            86.23.85.13.in-addr.arpa
                            dns
                            70 B
                            144 B
                            1
                            1

                            DNS Request

                            86.23.85.13.in-addr.arpa

                          • 8.8.8.8:53
                            198.187.3.20.in-addr.arpa
                            dns
                            142 B
                            157 B
                            2
                            1

                            DNS Request

                            198.187.3.20.in-addr.arpa

                            DNS Request

                            198.187.3.20.in-addr.arpa

                          • 8.8.8.8:53
                            241.150.49.20.in-addr.arpa
                            dns
                            144 B
                            158 B
                            2
                            1

                            DNS Request

                            241.150.49.20.in-addr.arpa

                            DNS Request

                            241.150.49.20.in-addr.arpa

                          • 8.8.8.8:53
                            98.117.19.2.in-addr.arpa
                            dns
                            70 B
                            133 B
                            1
                            1

                            DNS Request

                            98.117.19.2.in-addr.arpa

                          • 8.8.8.8:53
                            48.229.111.52.in-addr.arpa
                            dns
                            216 B
                            158 B
                            3
                            1

                            DNS Request

                            48.229.111.52.in-addr.arpa

                            DNS Request

                            48.229.111.52.in-addr.arpa

                            DNS Request

                            48.229.111.52.in-addr.arpa

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                            Filesize

                            152B

                            MD5

                            53bc70ecb115bdbabe67620c416fe9b3

                            SHA1

                            af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

                            SHA256

                            b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

                            SHA512

                            cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                            Filesize

                            152B

                            MD5

                            e765f3d75e6b0e4a7119c8b14d47d8da

                            SHA1

                            cc9f7c7826c2e1a129e7d98884926076c3714fc0

                            SHA256

                            986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

                            SHA512

                            a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                            Filesize

                            5KB

                            MD5

                            6076a6b262e151441f597b3a5ca661a3

                            SHA1

                            21c57e0235ae85ff0e8e17b65cac2dc78e4ad508

                            SHA256

                            9dd45ce00908391bb5d9170396c33737400eaa6ecbafa0f09915bc9b7e7d8a3a

                            SHA512

                            187c9d8af7aa9e6616a95b962f04e8b9a0c88b21a33f806fec973edc0803fc6b653e5da217a1cab7b14571e3ba4db8a75b266b6fd3652783c4b5acec5a26bfce

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                            Filesize

                            6KB

                            MD5

                            334d185b5f6e630ba876a86bb2cd22e7

                            SHA1

                            f9b8822dfbd99b5d3effde4bf2a32abbe5bf8cbb

                            SHA256

                            731f2a8feab107c8aaf90e593609ad9bad79f60844ebf01ceada80da9f4adc38

                            SHA512

                            aa6e0ef861ea584b6b59f3ad1b75ef5ff92adec96e9a9e36ad6d5a4bea0394eda497a52d9835b6ec10ede56c760f16e03a2f87eca64e0a689ac870682d56e2d6

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                            Filesize

                            16B

                            MD5

                            6752a1d65b201c13b62ea44016eb221f

                            SHA1

                            58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                            SHA256

                            0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                            SHA512

                            9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                            Filesize

                            10KB

                            MD5

                            2a51e541deda50d4cb9903e7472a1c6e

                            SHA1

                            f94960583b01dad03734249d44b6e0918e3db123

                            SHA256

                            3240bac301f89da168fae38f6da58f2628573f10622fee9a8166950a495a0df5

                            SHA512

                            cb919cd3daab9962b6b9972aeaec7372bdf694d258c04841fe3d3ec481e83758c8c2d50fd5d8b8ffe17e6997afb2f37fa06378c024c8cc8ec3bbbc7c97fb8c8e

                          We care about your privacy.

                          This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.