Analysis
max time kernel: 13s
max time network: 15s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 27-10-2024 15:32
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://download.clipgrab.org/clipgrab-3.9.10-dotinstaller.exe
Resource: win10v2004-20241007-en
General
Target: https://download.clipgrab.org/clipgrab-3.9.10-dotinstaller.exe
Malware Config
Signatures
Downloads MZ/PE file
Enumerates system info in registry 2 TTPs 3 IoCs
description          ioc                                                                    Process
Key opened           \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
NTFS ADS 1 IoCs
description                   ioc                                                                Process
File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 390340.crdownload:SmartScreen  msedge.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid   Process
4996  msedge.exe
4996  msedge.exe
4876  msedge.exe
4876  msedge.exe
4356  identity_helper.exe
4356  identity_helper.exe
5368  msedge.exe
5368  msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid   Process
4876  msedge.exe
4876  msedge.exe
4876  msedge.exe
4876  msedge.exe
4876  msedge.exe
4876  msedge.exe
4876  msedge.exe
Suspicious use of FindShellTrayWindow 37 IoCs
pid Process 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe 4876 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4876 wrote to memory of 4588 4876 msedge.exe 85 PID 4876 wrote to memory of 4588 4876 msedge.exe 85 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 1428 4876 msedge.exe 86 PID 4876 wrote to memory of 4996 4876 msedge.exe 87 PID 4876 wrote to memory of 4996 4876 msedge.exe 87 PID 4876 wrote to memory of 2840 4876 msedge.exe 88 PID 4876 wrote to memory of 2840 4876 msedge.exe 88 PID 4876 wrote to memory of 2840 4876 msedge.exe 88 PID 4876 wrote to memory of 2840 4876 msedge.exe 88 PID 4876 wrote to memory of 2840 4876 msedge.exe 88 PID 4876 wrote to memory of 2840 4876 msedge.exe 88 PID 4876 wrote to memory of 2840 4876 msedge.exe 88 PID 4876 wrote to memory of 2840 4876 msedge.exe 88 PID 4876 wrote to memory of 2840 4876 msedge.exe 88 PID 4876 wrote to memory of 2840 4876 msedge.exe 88 PID 4876 wrote to memory of 2840 4876 msedge.exe 88 PID 4876 wrote to memory of 2840 4876 msedge.exe 88 PID 4876 wrote to memory of 2840 4876 msedge.exe 88 PID 4876 wrote to memory of 2840 4876 msedge.exe 88 PID 4876 wrote to memory of 2840 4876 msedge.exe 88 PID 4876 wrote to memory of 2840 4876 msedge.exe 88 PID 4876 wrote to memory of 2840 4876 msedge.exe 88 PID 4876 wrote to memory of 2840 4876 msedge.exe 88 PID 4876 wrote to memory of 2840 4876 msedge.exe 88 PID 4876 wrote to memory of 2840 4876 msedge.exe 88
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://download.clipgrab.org/clipgrab-3.9.10-dotinstaller.exe
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4876
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbf7ad46f8,0x7ffbf7ad4708,0x7ffbf7ad4718
  PID:4588

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1356,13014919920281776520,11599134287219205615,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:2
  PID:1428

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1356,13014919920281776520,11599134287219205615,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2492 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
  PID:4996

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1356,13014919920281776520,11599134287219205615,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  PID:2840

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1356,13014919920281776520,11599134287219205615,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  PID:3624

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1356,13014919920281776520,11599134287219205615,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  PID:2496

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1356,13014919920281776520,11599134287219205615,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
  PID:3920

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1356,13014919920281776520,11599134287219205615,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:4356

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1356,13014919920281776520,11599134287219205615,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
  PID:780

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1356,13014919920281776520,11599134287219205615,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  PID:2744

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1356,13014919920281776520,11599134287219205615,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4700 /prefetch:8
  PID:4892

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1356,13014919920281776520,11599134287219205615,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
  PID:3952

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1356,13014919920281776520,11599134287219205615,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6176 /prefetch:8
  PID:3556

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1356,13014919920281776520,11599134287219205615,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  PID:4932

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1356,13014919920281776520,11599134287219205615,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
  PID:1068

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1356,13014919920281776520,11599134287219205615,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5940 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:5368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:3404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:2656
Network
MITRE ATT&CK Enterprise v15
Downloads