979d9396c674ff499e38e39b7b7693d39effa98e71c95944e66952a77ef9caf7

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Readme-说明.htm
Size

379B
MD5

a09141dab0857a96a41f70017778b63d
SHA1

89027c035f406d2af6f1e87837a2bec14c03604a
SHA256

c652daec6e03b52f9c8349765c447ef8d8b79080df4e49bb7ea107a5d4de4d52
SHA512

45393c176b667047bbd8ad03a07a24919fdc288c058b6115348642c5b78652bbbfc105bf729f8ee04ae4f0add9678ee375053cfeab65cb185c7159918709ad48

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4264	msedge.exe
4264	msedge.exe
2588	msedge.exe
2588	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 2316	2588	msedge.exe	82
PID 2588 wrote to memory of 2316	2588	msedge.exe	82
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 3824	2588	msedge.exe	83
PID 2588 wrote to memory of 4264	2588	msedge.exe	84
PID 2588 wrote to memory of 4264	2588	msedge.exe	84
PID 2588 wrote to memory of 3084	2588	msedge.exe	85
PID 2588 wrote to memory of 3084	2588	msedge.exe	85
PID 2588 wrote to memory of 3084	2588	msedge.exe	85
PID 2588 wrote to memory of 3084	2588	msedge.exe	85
PID 2588 wrote to memory of 3084	2588	msedge.exe	85
PID 2588 wrote to memory of 3084	2588	msedge.exe	85
PID 2588 wrote to memory of 3084	2588	msedge.exe	85
PID 2588 wrote to memory of 3084	2588	msedge.exe	85
PID 2588 wrote to memory of 3084	2588	msedge.exe	85
PID 2588 wrote to memory of 3084	2588	msedge.exe	85
PID 2588 wrote to memory of 3084	2588	msedge.exe	85
PID 2588 wrote to memory of 3084	2588	msedge.exe	85
PID 2588 wrote to memory of 3084	2588	msedge.exe	85
PID 2588 wrote to memory of 3084	2588	msedge.exe	85
PID 2588 wrote to memory of 3084	2588	msedge.exe	85
PID 2588 wrote to memory of 3084	2588	msedge.exe	85
PID 2588 wrote to memory of 3084	2588	msedge.exe	85
PID 2588 wrote to memory of 3084	2588	msedge.exe	85
PID 2588 wrote to memory of 3084	2588	msedge.exe	85
PID 2588 wrote to memory of 3084	2588	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Readme-说明.htm
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaba0546f8,0x7ffaba054708,0x7ffaba054718
  2⤵
  PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,11986380070152570976,6310413044903392767,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,11986380070152570976,6310413044903392767,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,11986380070152570976,6310413044903392767,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2376 /prefetch:8
  2⤵
  PID:3084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,11986380070152570976,6310413044903392767,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,11986380070152570976,6310413044903392767,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,11986380070152570976,6310413044903392767,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,11986380070152570976,6310413044903392767,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4396 /prefetch:1
  2⤵
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,11986380070152570976,6310413044903392767,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5104 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4124

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
e4ff5a00994fe1f32660eb3776dd0aa6

SHA1
0052a469668891aef031f3cff1546bb6903f4265

SHA256
109843dfecf802dfa0f76030108eafb8978ebb9f025a9cc1297f913ca3f0a5df

SHA512
6f64fe39d0e7b3b837acf874f53752cd590f50a26a7d895df3ca923cf69f9a2530383ce6f31bab77a455fcfda86c0715cb7981aade9fbc63e6594f14691277b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
250B

MD5
a590a7628b086f006b4a5eb0eb50f845

SHA1
aab690416d027175898b19ca8a7c3fab97ea0a2c

SHA256
7e80cc0bef9c689f2751f582a37e51c2d0034e49c3e6853b2a6d16bf8bcc2eb8

SHA512
a8fc1b0edf8e90e8f2cbeb7aaf53428a3b55f3afd5cfee054e17f34f6979490d844ce8c1383deb57a22c4d573d8b47eb3fc61f02b9d4a6062cc91d621fdcf8ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1ccfee5462397168c56f8a9a8ef2bc13

SHA1
db7206870940809b95c50c0f3e21b7c89246671e

SHA256
9d3fd85e597808a7606a19fbb7f7dcf02e0808c5df6bffea7ad027de125eec59

SHA512
59e9696c890c49c53d9d89b7331b0cfd4457d00af8773f9d1c6b6a7a6f05a32b3f4968feebe741e794200dfa446338b38fa23d3449d18891c09d4f42ee2dc9a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8c9889137a1b042f922df6ee4cd73a99

SHA1
432d4e56b51c096450aefe8214d961b04ce52856

SHA256
cc51bb423fe00c81f7ef04c0e6082651abbf506da2b6b78ab802f2c625179429

SHA512
fcbf7e2c368c18786c442357163cded849fafac391c2460c600e87c004f26a3c16b92ce42d68eaf409c5eea4242ffe8d5e30fbf0a4f3b83ef72d666e68d4a4b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6967dc060f73a8cfdd853fda73059645

SHA1
c791659a3314b949b92f23710312e88ac52f6a79

SHA256
ce0f876496174a7576b28f16b162f809bc180e6a6c1d379016f1340c422be8a2

SHA512
fd3055ebdf2301ecf93fb5e1eb126c99b20fa3af13a68f9eac148cce395e49ec85ec28b03bd278be978d1aa72977d85d2dd3ddc43e28fc8fafcee31065f51d32

Download Submit