e9cb16c7513e2782d1ea5eeb523ff155d7b62749cadeb6743d23c3f042043fc2

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 01:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MirServer/23bb.net爱上版本站长站.htm
Size

240B
MD5

fc93f0d9dd82f6ccb43e27fb07ff3463
SHA1

059ddbf1dbfda39ff20fa8743e80e4231e832b3c
SHA256

ebe9144c39f7276d5d1ca898ca8647b76d6df8ae0fb642c0fa47610c6a8ad9ca
SHA512

4adc9697b1be781db03163c0eb2bc448ba6244363f850dea07432a05011ac98f30ee9a1e40745996ce35faab5b4b151a4d2595e49bc2fe0f15bf1d132bf91647

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4216	msedge.exe
4216	msedge.exe
3168	msedge.exe
3168	msedge.exe
2152	identity_helper.exe
2152	identity_helper.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3168 wrote to memory of 2912	3168	msedge.exe	82
PID 3168 wrote to memory of 2912	3168	msedge.exe	82
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 3376	3168	msedge.exe	83
PID 3168 wrote to memory of 4216	3168	msedge.exe	84
PID 3168 wrote to memory of 4216	3168	msedge.exe	84
PID 3168 wrote to memory of 4212	3168	msedge.exe	85
PID 3168 wrote to memory of 4212	3168	msedge.exe	85
PID 3168 wrote to memory of 4212	3168	msedge.exe	85
PID 3168 wrote to memory of 4212	3168	msedge.exe	85
PID 3168 wrote to memory of 4212	3168	msedge.exe	85
PID 3168 wrote to memory of 4212	3168	msedge.exe	85
PID 3168 wrote to memory of 4212	3168	msedge.exe	85
PID 3168 wrote to memory of 4212	3168	msedge.exe	85
PID 3168 wrote to memory of 4212	3168	msedge.exe	85
PID 3168 wrote to memory of 4212	3168	msedge.exe	85
PID 3168 wrote to memory of 4212	3168	msedge.exe	85
PID 3168 wrote to memory of 4212	3168	msedge.exe	85
PID 3168 wrote to memory of 4212	3168	msedge.exe	85
PID 3168 wrote to memory of 4212	3168	msedge.exe	85
PID 3168 wrote to memory of 4212	3168	msedge.exe	85
PID 3168 wrote to memory of 4212	3168	msedge.exe	85
PID 3168 wrote to memory of 4212	3168	msedge.exe	85
PID 3168 wrote to memory of 4212	3168	msedge.exe	85
PID 3168 wrote to memory of 4212	3168	msedge.exe	85
PID 3168 wrote to memory of 4212	3168	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\MirServer\23bb.net爱上版本站长站.htm
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe5f9846f8,0x7ffe5f984708,0x7ffe5f984718
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2252,1299208870858392992,12460337173158615803,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1876 /prefetch:2
  2⤵
  PID:3376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2252,1299208870858392992,12460337173158615803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2252,1299208870858392992,12460337173158615803,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2516 /prefetch:8
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1299208870858392992,12460337173158615803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1299208870858392992,12460337173158615803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1299208870858392992,12460337173158615803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1299208870858392992,12460337173158615803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,1299208870858392992,12460337173158615803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 /prefetch:8
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,1299208870858392992,12460337173158615803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1299208870858392992,12460337173158615803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1299208870858392992,12460337173158615803,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:2520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1299208870858392992,12460337173158615803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
  2⤵
  PID:656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1299208870858392992,12460337173158615803,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2252,1299208870858392992,12460337173158615803,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5240 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3910b2d586769a472af0489ef2a15bd5

SHA1
bd3dc09139ff29500169cba7812a879fab521122

SHA256
f148eaad3b02fb441b9a02b586b95167a1f6d1ebdc156bc9ddcbd2c3b8e1bb6c

SHA512
933ac155025a60370d18ea515bd9378c08652e002b3f02b72f6ddf2241c10d53d1d4eaaa3996635964ddbe2bab345616c51ce3c8778238b0cf84b415621b24ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dd28b795ef38d8d4f07328c41a88b200

SHA1
2b93ea7609d886069c98d8d13c1da64ee217c661

SHA256
4c4c66a7c227a4b8f2f3e97dc9e745b2f78504ab9b5f99e40b5214bfdd90fc60

SHA512
60880d45158935c7f3fcebb2d16df4b404c3af9490adc278779acf110c4b9abc51c5010d4cd5e7b63fb711a74f467bebecdd2d454998189f935606df660a7a0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5825eb2017f92e3f2951db7b67d8fddd

SHA1
5dc896c4a9c706fd31c061e6b371a46112c4d3dc

SHA256
5737e747768a18409c71cc8c5f68f2e186797cc6833fb5fc4839964fb344bc2f

SHA512
36d4478810a000926ab3c80cbe782090802332b8fe9644ede77d2e42d636c48710f20e147332d8f3585a288cf72a59e088989bfe24202604e1b1aa7408ae2637

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6f8c1e0aaa3204f050b522a10fc35873

SHA1
42e9dfe838dcdeab2bbb3c34d3f561f2730580a6

SHA256
b71476c5c4c898871ed4b77f5fdf01a9e9a3cd60e37e523e528bafd4a47afeaf

SHA512
847cf1d2e971e1b24c00c2b207abdf5309788951557ab2e036a94ff29c0d195be1d2212d5d49d7fb2951345816806d06dd4b3ceddae96e18ca4cdf1a3a0983fc

Download Submit