4a929b74cee02c899bfe711fce31d5c836d028876b8031e8de4583575847e196

Analysis

max time kernel
145s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qqdljlglqCNGR/必看说明.htm
Size

6KB
MD5

6a9f3b8faf3a8748fa8a1ddda1c3be82
SHA1

89b44cf7a8c1dcfa43bab0ce28b700fdb04fd7bc
SHA256

b3652317bcb781bd6338aebc067f49991c88c1697902e09df9e2b3009e34feef
SHA512

b86318a51c582782a24cc6d1773d97337e6fc574ece95dee32488bf53a06fb3c45006156c25fa78839d61931b54d370f7ef76af9c799e951438c32767741902e
SSDEEP

96:eugWlXZktTuDndkYWuokAbVXHISaQN1exgemaQNA5FaQ/APUgJX/kh8rW3H6aQN0:e3iXFDzeXdxfx2Fxh8rW3H6x9xzWn

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1848	msedge.exe
1848	msedge.exe
4196	msedge.exe
4196	msedge.exe
1524	identity_helper.exe
1524	identity_helper.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4196 wrote to memory of 4108	4196	msedge.exe	82
PID 4196 wrote to memory of 4108	4196	msedge.exe	82
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 4700	4196	msedge.exe	83
PID 4196 wrote to memory of 1848	4196	msedge.exe	84
PID 4196 wrote to memory of 1848	4196	msedge.exe	84
PID 4196 wrote to memory of 392	4196	msedge.exe	85
PID 4196 wrote to memory of 392	4196	msedge.exe	85
PID 4196 wrote to memory of 392	4196	msedge.exe	85
PID 4196 wrote to memory of 392	4196	msedge.exe	85
PID 4196 wrote to memory of 392	4196	msedge.exe	85
PID 4196 wrote to memory of 392	4196	msedge.exe	85
PID 4196 wrote to memory of 392	4196	msedge.exe	85
PID 4196 wrote to memory of 392	4196	msedge.exe	85
PID 4196 wrote to memory of 392	4196	msedge.exe	85
PID 4196 wrote to memory of 392	4196	msedge.exe	85
PID 4196 wrote to memory of 392	4196	msedge.exe	85
PID 4196 wrote to memory of 392	4196	msedge.exe	85
PID 4196 wrote to memory of 392	4196	msedge.exe	85
PID 4196 wrote to memory of 392	4196	msedge.exe	85
PID 4196 wrote to memory of 392	4196	msedge.exe	85
PID 4196 wrote to memory of 392	4196	msedge.exe	85
PID 4196 wrote to memory of 392	4196	msedge.exe	85
PID 4196 wrote to memory of 392	4196	msedge.exe	85
PID 4196 wrote to memory of 392	4196	msedge.exe	85
PID 4196 wrote to memory of 392	4196	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\qqdljlglqCNGR\必看说明.htm
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd95346f8,0x7ffcd9534708,0x7ffcd9534718
  2⤵
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,11888037309999741215,2819243297399817355,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:2
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,11888037309999741215,2819243297399817355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,11888037309999741215,2819243297399817355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,11888037309999741215,2819243297399817355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,11888037309999741215,2819243297399817355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,11888037309999741215,2819243297399817355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 /prefetch:8
  2⤵
  PID:1244
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,11888037309999741215,2819243297399817355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,11888037309999741215,2819243297399817355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
  2⤵
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,11888037309999741215,2819243297399817355,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,11888037309999741215,2819243297399817355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,11888037309999741215,2819243297399817355,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,11888037309999741215,2819243297399817355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2200 /prefetch:1
  2⤵
  PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,11888037309999741215,2819243297399817355,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
4367a453b78a47ad5bf97b7f33a007fc

SHA1
b69fede882fa5b663f80b34a129447a700e1f265

SHA256
18f9fff1ffb1f66341f20680f4791ef5eb3009d7211735651460264917537113

SHA512
8084de188fff3c6f10c10f59f7b50964355995f80171d686716bb75293a6fd518bf1e7e03afe65eb1eef1edda1d1e794dc62f41b27ec756dc7827ead248a0ab5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d4c680c2135a415e69c7179bf3249fcd

SHA1
42a4c99b216d6dd61eb3e4a4e76238088ba6f0e0

SHA256
8a27836b436840392b30a5ff6a161a802b23015676eb6be6472b962a4159b5a0

SHA512
b3f7ca60a4150a849f37a68e8bcf782b44713776841700f0023d90e148aa3ba19d4e47e5eb78b48959668b2f0494a190ff37930ee88e98680880fec10a995ae0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e26222842e20179eefc4248e8cba513c

SHA1
93ceb4683eaba40cc588b6b00644128803bbae53

SHA256
5c971c20cac36b45f1f074cb7c3b9868d4496c5ce58411e21cb2327429c8187e

SHA512
e98b7f5f6354b57cc9a62d63d0888fae157fcff57b49a529f107fe9454e2056bf449d22f03ca0f8f41089252a6bee31e9871df312c8f78e18ce2c8b09524edae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3236915037ce0b62e2be3d1399fb55dd

SHA1
a5e83eeb927326a3be3fdce56a783d41c1e33168

SHA256
b8b46d93f58dee18c93da4fade71faefa66acf3eeb859ecbd863078438bc74c9

SHA512
f3816add6d03eb5520f66e0eac7c80de518dc30d81eccadc6878fb0db4a8d70cfe50b417928759d5091ea2af69ab73a3f02e454422297e52604c1d6afb1b638c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
004d3d75ab584f9ba36f47c2913711db

SHA1
0415e4fb3cddcf8bf1c974aa36022ec57688bcb5

SHA256
af3c7b3aba35bb3ea42b192cd8c1ba0b668ec3d532eb15db9bbd9b569ea9124c

SHA512
ddebc8beae7b2cae677eb8b4d9ff21dcc5749ea2fcd9fa1808ab665f221d695c8d446c3cec4b3324e016f3a9b12391aa2f69a4b36e4a98613297b67987420f3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e8b889529cb276b09574bd997e244bea

SHA1
8ed0f8e6994bdb5a05f70a7e4cb91fc5ee9781d4

SHA256
b1c09151b6e88bb6c34dcd6ab9496d701fd9a922cff0ae800798a508aa8c301b

SHA512
9b9e15273d987b815449847014b18a17f6e9d4034b02e561e1aec2aa4506ef6f1c0c8cd77a7433e28d0aa8cf340edffc2a559c22509cbaec0750210e5e42c8bf

Download Submit