3e2e9b64c2701ed6fdd503b5cd52dcda17909a3f9f5f0f6c6b42ef8c9ae23c95

Resubmissions

05-12-2024 20:18

241205-y3mm3szpcx 3

05-12-2024 12:32

241205-pqsh5avkc1 3

05-12-2024 12:24

241205-pk96zstrft 10

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

registry.html
Size

1KB
MD5

689a1880d6c5c0af7d0e3e567fe3df23
SHA1

0e6f59da774e68d9aa8e18ae06865c473a721900
SHA256

3e2e9b64c2701ed6fdd503b5cd52dcda17909a3f9f5f0f6c6b42ef8c9ae23c95
SHA512

2ea34967d9a2c2478734537731fda96017e97fef4fd8ede1ec025e4fef992ca99fb8c412b15569edd697d451f26c6bce589783e0393dfe9538c158a7f1207160

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2112	msedge.exe
2112	msedge.exe
4584	msedge.exe
4584	msedge.exe
4976	identity_helper.exe
4976	identity_helper.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 1512	4584	msedge.exe	83
PID 4584 wrote to memory of 1512	4584	msedge.exe	83
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 820	4584	msedge.exe	84
PID 4584 wrote to memory of 2112	4584	msedge.exe	85
PID 4584 wrote to memory of 2112	4584	msedge.exe	85
PID 4584 wrote to memory of 4388	4584	msedge.exe	86
PID 4584 wrote to memory of 4388	4584	msedge.exe	86
PID 4584 wrote to memory of 4388	4584	msedge.exe	86
PID 4584 wrote to memory of 4388	4584	msedge.exe	86
PID 4584 wrote to memory of 4388	4584	msedge.exe	86
PID 4584 wrote to memory of 4388	4584	msedge.exe	86
PID 4584 wrote to memory of 4388	4584	msedge.exe	86
PID 4584 wrote to memory of 4388	4584	msedge.exe	86
PID 4584 wrote to memory of 4388	4584	msedge.exe	86
PID 4584 wrote to memory of 4388	4584	msedge.exe	86
PID 4584 wrote to memory of 4388	4584	msedge.exe	86
PID 4584 wrote to memory of 4388	4584	msedge.exe	86
PID 4584 wrote to memory of 4388	4584	msedge.exe	86
PID 4584 wrote to memory of 4388	4584	msedge.exe	86
PID 4584 wrote to memory of 4388	4584	msedge.exe	86
PID 4584 wrote to memory of 4388	4584	msedge.exe	86
PID 4584 wrote to memory of 4388	4584	msedge.exe	86
PID 4584 wrote to memory of 4388	4584	msedge.exe	86
PID 4584 wrote to memory of 4388	4584	msedge.exe	86
PID 4584 wrote to memory of 4388	4584	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\registry.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa0e1046f8,0x7ffa0e104708,0x7ffa0e104718
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,1478632502378739621,8063788465323599632,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
  2⤵
  PID:820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,1478632502378739621,8063788465323599632,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2456 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,1478632502378739621,8063788465323599632,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1478632502378739621,8063788465323599632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1478632502378739621,8063788465323599632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,1478632502378739621,8063788465323599632,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:8
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,1478632502378739621,8063788465323599632,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1478632502378739621,8063788465323599632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:2664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1478632502378739621,8063788465323599632,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:3268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1478632502378739621,8063788465323599632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1478632502378739621,8063788465323599632,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
  2⤵
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,1478632502378739621,8063788465323599632,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4136 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3096

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
606B

MD5
8710ea76b2eb9842d2807e9d42c7e9ef

SHA1
0d279a3904bedfb3053d32f1ce7def848df1c39a

SHA256
4953f60a48102336e882ea430186fcc4fc0bccaa5940ab682c2ea6b8640a9f28

SHA512
6e88d32a6b32a08ae2d77b5ef90212263b410900a9e1f33572a99a4d5e887c7ab5f977363fd236eb332a5794e83a24f701cdc5fa967acf128d8df9a32226c8a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
630a39a9fd8c54edbf6f64278882e756

SHA1
52cfe0b48db3471dc38e33153bc76d05bf7dc928

SHA256
51e0ee3c04bc90b87b5dd725d0411f331df47ad918fbb832d8be31745eaf598f

SHA512
3cccfd4cfb12dfe65b44c36753b087194147659523e3459439c6def4131ec15b235b5bc900a975e22bf74a00e61c7a961de6c9105fde10a4e97e790b43ed2b66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fa08c3876268d78f24c6375dd8893706

SHA1
1b334109a1fc5a52eeba95e1754d36999a17d46a

SHA256
765b23d705190c193ff0311fb3d1f479af38e1a9dcc2b867c6fbc58c088b4ac1

SHA512
30883d8d8b8e6b310d49bbe69e704c1fd7f7a4fbb1fdbe2995359b1567509eb01b23d36e8453522c4d7832059e11680ac06c6abe8c0932bce5e28a8f6dec4698

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
419a118548faeb828bd855401407bc00

SHA1
13b59261ae0c5a7b9a9b4b238095ae3451b2f5b0

SHA256
e3ecdab16db20343cd8df315091052f5a0b8d3ad93b1aa9fa36513bad45b57a3

SHA512
316b37d2cb410add739a4b582a38bac426235b25be92f8052ec067eea07f1cebed4857d5f2ab878654db1849004b87b3b5811a88577e562b69ab6a249712c65f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
44413c007617db0f037d6f6412e2cd2e

SHA1
3be78d5907a0ff16683e73c4d9ddcca86fb6f9d5

SHA256
072886421241920b71371b3e85ec5e775d1b943e7fd005b9b37c7b11521ab0d6

SHA512
8aabf8f35831c3de431db62433e80404a4c9f1f291b3cfa49f46f1bc28f846b89813f401a870cb32206a12c2f697249f33c19674f9402a1ce9b405f9e5ecc6ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581642.TMP

Filesize
203B

MD5
3a947c62ac862958ded3e92a194b1752

SHA1
9872745228c06a17bf0be78dd02c7f7e318f87f5

SHA256
fa7b9c425997d4f07c97361d8ca3910dec25266fbb578257530c65abece31900

SHA512
01741e0b82b7d926427fcd002cbcdff7165f60d4f88802907fa6fbc1626fbc8b07331b75c9296fe44b26812c778b19bbd61e9b36b2b4435a6ca3b2fc3dbddba0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8aa228a6051c65505136bad3f6370c23

SHA1
cb092f31f1314b52c7ed2427c3512719d8b78d6a

SHA256
c8fd8d9fe3f13f82f61686bd8905285775f7601556d02dba3b83fc31d2127ac3

SHA512
82ca94b140a2326dfc69c564a64b7111e262c1ff22c3bac4e1e56b8ff6a1bd72e839bb4c00d13bd3d5658ca35e7d27b4fe92b6126bf0d1fca44bd70a9a9a20d4

Download Submit