38f776492d511b9a3fb0aefedb17a32ce1cbb78a35086a5b55f9d1080fdf2076

Analysis

max time kernel
240s
max time network
276s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
09/10/2024, 12:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Outlook-apz2nn3s.gif
Size

42B
MD5

32023bb33cfb2a1990a4ef2d85b6ac16
SHA1

23dcc6d4b5bfe00357fd0248bb5955b8e36bb8f1
SHA256

99c2917ee5b2a01459a923bdd1c676f15ee73b62b87f696e6735312d26f51e12
SHA512

d052ecec2839340876eb57247cfc2e777dd7f2e868dc37cd3f3f740c8deb94917a0c9f2a4fc8229987a0b91b04726de2d1e9f6bcbe3f9bef0e4b7e0d7f65ea12

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3576	msedge.exe
3576	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
1528	msedge.exe
1528	msedge.exe
664	identity_helper.exe
664	identity_helper.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 2872	3996	msedge.exe	79
PID 3996 wrote to memory of 2872	3996	msedge.exe	79
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 1140	3996	msedge.exe	80
PID 3996 wrote to memory of 3576	3996	msedge.exe	81
PID 3996 wrote to memory of 3576	3996	msedge.exe	81
PID 3996 wrote to memory of 2224	3996	msedge.exe	82
PID 3996 wrote to memory of 2224	3996	msedge.exe	82
PID 3996 wrote to memory of 2224	3996	msedge.exe	82
PID 3996 wrote to memory of 2224	3996	msedge.exe	82
PID 3996 wrote to memory of 2224	3996	msedge.exe	82
PID 3996 wrote to memory of 2224	3996	msedge.exe	82
PID 3996 wrote to memory of 2224	3996	msedge.exe	82
PID 3996 wrote to memory of 2224	3996	msedge.exe	82
PID 3996 wrote to memory of 2224	3996	msedge.exe	82
PID 3996 wrote to memory of 2224	3996	msedge.exe	82
PID 3996 wrote to memory of 2224	3996	msedge.exe	82
PID 3996 wrote to memory of 2224	3996	msedge.exe	82
PID 3996 wrote to memory of 2224	3996	msedge.exe	82
PID 3996 wrote to memory of 2224	3996	msedge.exe	82
PID 3996 wrote to memory of 2224	3996	msedge.exe	82
PID 3996 wrote to memory of 2224	3996	msedge.exe	82
PID 3996 wrote to memory of 2224	3996	msedge.exe	82
PID 3996 wrote to memory of 2224	3996	msedge.exe	82
PID 3996 wrote to memory of 2224	3996	msedge.exe	82
PID 3996 wrote to memory of 2224	3996	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Outlook-apz2nn3s.gif
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffea0433cb8,0x7ffea0433cc8,0x7ffea0433cd8
  2⤵
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1724,11825854082449344729,14257869155094028062,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:1140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1724,11825854082449344729,14257869155094028062,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1724,11825854082449344729,14257869155094028062,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
  2⤵
  PID:2224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,11825854082449344729,14257869155094028062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,11825854082449344729,14257869155094028062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,11825854082449344729,14257869155094028062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,11825854082449344729,14257869155094028062,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,11825854082449344729,14257869155094028062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,11825854082449344729,14257869155094028062,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
  2⤵
  PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1724,11825854082449344729,14257869155094028062,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3956 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1724,11825854082449344729,14257869155094028062,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1724,11825854082449344729,14257869155094028062,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5692 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fdee96b970080ef7f5bfa5964075575e

SHA1
2c821998dc2674d291bfa83a4df46814f0c29ab4

SHA256
a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0

SHA512
20875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
46e6ad711a84b5dc7b30b75297d64875

SHA1
8ca343bfab1e2c04e67b9b16b8e06ba463b4f485

SHA256
77b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f

SHA512
8472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3a9d83c22309c46e69a873df1f2eb600

SHA1
7dce56aa38d5203c9083daf4d9270b81798ca20c

SHA256
d6701168117eb743db2420905f679fd4ab2d850f56ddf9fe6e629f95d4724b65

SHA512
27a69df0dbcb1ffe8271b2d7e105c79a96b7bb534e639f97f631827db5dc62dd395a0c0a98bb8b7ee80872307e3b5355d1a2ec72edaf6409cf14057188ed6592

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\bd6fa43e-0d98-451a-b966-604257bda42d.tmp

Filesize
5KB

MD5
0b6dd81eb13ca5345c43e964695023d2

SHA1
cedd5b7350a2ce67d867dba0a650e0e3b2fa33ad

SHA256
bccc875d823bef6858ed855d7017cadef6303ee6538a85e3725ad399e2ef32ff

SHA512
3c6d73bed74de7dd3e8a8caa4c336bb77bcb80fa41ef7f0eabc45bbde2bff35b3183270d39e9952d3e79ff95e8fc17a708eefd62d5ed2e09b7e1883672c26023

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d2a33a1ef98086f5ef99e22856ac7bfe

SHA1
48e2a3062ddaaff1987c0211c9193461aed5aac0

SHA256
20be06a973d27e79e5ff1f666f2cff62b7252cd609089f394fcf481989ab760e

SHA512
a608eae2855a08953ca7e7b858f51dbeef935ac7d7bdddbd4e113ad2fe921b1b28329f939d46299ac9a18b18d235075d90952f59497c3b1ebeafeabb31423e0c

Download Submit