Resubmissions

10-12-2024 08:15

241210-j53pravqar 10

Analysis

  • max time kernel
    121s
  • max time network
    125s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    10-12-2024 08:15

General

  • Target

    https://github.com/fabrimagic72/malware-samples

Score
4/10

Malware Config

Signatures

  • Drops file in Program Files directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/fabrimagic72/malware-samples
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3700
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x128,0x12c,0x10c,0x130,0x7fff035e46f8,0x7fff035e4708,0x7fff035e4718
      2⤵
        PID:1988
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,14409194832360505959,14459393342938874789,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
        2⤵
          PID:4408
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,14409194832360505959,14459393342938874789,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4664
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,14409194832360505959,14459393342938874789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
          2⤵
            PID:2064
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14409194832360505959,14459393342938874789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
            2⤵
              PID:1636
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14409194832360505959,14459393342938874789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
              2⤵
                PID:2136
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,14409194832360505959,14459393342938874789,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:8
                2⤵
                  PID:2012
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
                  2⤵
                  • Drops file in Program Files directory
                  PID:2580
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff724105460,0x7ff724105470,0x7ff724105480
                    3⤵
                      PID:3172
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,14409194832360505959,14459393342938874789,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:8
                    2⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:3552
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14409194832360505959,14459393342938874789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
                    2⤵
                      PID:2700
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14409194832360505959,14459393342938874789,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
                      2⤵
                        PID:1956
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14409194832360505959,14459393342938874789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
                        2⤵
                          PID:2992
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14409194832360505959,14459393342938874789,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
                          2⤵
                            PID:3716
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,14409194832360505959,14459393342938874789,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2992 /prefetch:2
                            2⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:3388
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:3424
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:1740

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\588eda03-65d6-4002-9326-d4393af34b92.tmp

                              Filesize

                              8KB

                              MD5

                              7f5ef01c179c04999bf37afcb47a5649

                              SHA1

                              0bca2e389311fd9582afe7e1f0feb8ccf40e1cac

                              SHA256

                              df663b2f00b85a7c4bf6e0148f1e9b6e2d76995ab817f7f3796e287b4b7c159b

                              SHA512

                              336a07ac5711d82797738b452cc17d0ce60fd82104a6cafed91de091a44ddb4c97f098100819696a388612691f6b8e9c195dcfae45c9b4291ed3777851ec7e87

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                              Filesize

                              152B

                              MD5

                              b5fffb9ed7c2c7454da60348607ac641

                              SHA1

                              8d1e01517d1f0532f0871025a38d78f4520b8ebc

                              SHA256

                              c8dddfb100f2783ecbb92cec7f878b30d6015c2844296142e710fb9e10cc7c73

                              SHA512

                              9182a7b31363398393df0e9db6c9e16a14209630cb256e16ccbe41a908b80aa362fc1a736bdfa94d3b74c3db636dc51b717fc31d33a9fa26c3889dec6c0076a7

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                              Filesize

                              152B

                              MD5

                              32d05d01d96358f7d334df6dab8b12ed

                              SHA1

                              7b371e4797603b195a34721bb21f0e7f1e2929da

                              SHA256

                              287349738fb9020d95f6468fa4a98684685d0195ee5e63e717e4b09aa99b402e

                              SHA512

                              e7f73b1af7c7512899728708b890acd25d4c68e971f84d2d5bc24305f972778d8bced6a3c7e3d9f977cf2fc82e0d9e3746a6ccb0f9668a709ac8a4db290c551c

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                              Filesize

                              48B

                              MD5

                              7191f5d23eb3b1e2a28dda5590aff5ec

                              SHA1

                              0deebba7bbdf4e98259f1ae58cf127d4c8fec03e

                              SHA256

                              b24f8ca731c562f299ce4f5c6fb0be6b95d4fdc2e535fd44c685fa6d0a51edb9

                              SHA512

                              94ef061f6355d3ae776fff6688b1aac85bea41e4c4f82192982ebcaa1d45fb590819adaafac9e06b4fda3e36f939da32b2d1edaa6de688040cedc88cb0102c50

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                              Filesize

                              1KB

                              MD5

                              3598da6a9ecb2c6f8a51c71f3997be9b

                              SHA1

                              25c41208303e4069251b72511ee92ab0ebb379fa

                              SHA256

                              b8690687023325169d865e1d5d5cbb3097ac9f8ba9de0e3c9998e5309b3a38b5

                              SHA512

                              b750deb70d2d3fb5e3ecbb877135ec4e0ffca7066b82f643e5fe67ec961060032b01535b61a450acff0b1762ac53edc567eba93bede091ec0aff40db362284f6

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

                              Filesize

                              70KB

                              MD5

                              e5e3377341056643b0494b6842c0b544

                              SHA1

                              d53fd8e256ec9d5cef8ef5387872e544a2df9108

                              SHA256

                              e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

                              SHA512

                              83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                              Filesize

                              496B

                              MD5

                              d22266ba3d8db30279b96944f0cec985

                              SHA1

                              44e288cdfe75a5e8299ce32e75dd9e0705cdbac9

                              SHA256

                              77873629fa695e434160c86ae9116906ff65a97666d7d35a3ed63221b627c0bf

                              SHA512

                              d463aecbdac835dace5544b4267c86c2ed7d3165ba95095db6dfc3a25655f2391fa202a81d37b4a76a36f04456ed86df137302ad0e456fd59ecdfee3c69c6c1b

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe5878e4.TMP

                              Filesize

                              59B

                              MD5

                              2800881c775077e1c4b6e06bf4676de4

                              SHA1

                              2873631068c8b3b9495638c865915be822442c8b

                              SHA256

                              226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

                              SHA512

                              e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                              Filesize

                              5KB

                              MD5

                              4e389fb24c24036f211a4527335168fb

                              SHA1

                              4cf120b3a5b8adf989c015514ffc8c11beed163b

                              SHA256

                              14ed856dca2d5119bf60b7d217731c48ea2197b80fb2b42a3796557af084d457

                              SHA512

                              8c7d70f07cc0e8a13bfcbd0c20be49a0315ab9aa90a97c764b72ab0cdff0eb4d73758e16eced4db87e9fe910508a8ad71bd61e9c73d141d4e9edac379e576ffe

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                              Filesize

                              5KB

                              MD5

                              41dd9e8a065822e91ccc8cd53c8ed87e

                              SHA1

                              61c76a4908f475111ad36c82e5addf1e55b7adf1

                              SHA256

                              c1ff40b731ed0d7f15eeb05bfee4b8096a675fa3c07b0b5f46b1c00b0d620f96

                              SHA512

                              3804fdb7f37df1987775c80e3d9e54cc3a26794f2ce10377bcce93253f03d46b8316f700237a12df4fee15143bcbcf34aa7bc6044210cee3417fe5d2e1ddd0b6

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                              Filesize

                              5KB

                              MD5

                              2eb72991521d5638fc1af7396f2a432e

                              SHA1

                              1c54b7eb12063c93ad493793848e1e912af8d32c

                              SHA256

                              54bcf6c48d217339b8732a95344d842c4b3774ed1210a95d5b5a18aa2da5e790

                              SHA512

                              334e87cc94347e3c96387596baa43386c10c855d95ec456fd13525fed77f80633e3de4efee7b0ed636f811e066a2ae11cdfe606d9e8a0d656e5d362c94fa00cd

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

                              Filesize

                              24KB

                              MD5

                              6e466bd18b7f6077ca9f1d3c125ac5c2

                              SHA1

                              32a4a64e853f294d98170b86bbace9669b58dfb8

                              SHA256

                              74fc4f126c0a55211be97a17dc55a73113008a6f27d0fc78b2b47234c0389ddc

                              SHA512

                              9bd77ee253ce4d2971a4b07ed892526ed20ff18a501c6ba2a180c92be62e4a56d4bbf20ba3fc4fbf9cf6ce68b3817cb67013ad5f30211c5af44c1e98608cb9e3

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

                              Filesize

                              24KB

                              MD5

                              ac2b76299740efc6ea9da792f8863779

                              SHA1

                              06ad901d98134e52218f6714075d5d76418aa7f5

                              SHA256

                              cc35a810ed39033fa4f586141116e74e066e9c0c3a8c8a862e8949e3309f9199

                              SHA512

                              eec3c24ce665f00cd28a2b60eb496a685ca0042c484c1becee89c33c6b0c93d901686dc0142d3c490d349d8b967ecbbd2f45d26c64052fb41aad349100bd8f77

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                              Filesize

                              16B

                              MD5

                              206702161f94c5cd39fadd03f4014d98

                              SHA1

                              bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                              SHA256

                              1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                              SHA512

                              0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

                              Filesize

                              41B

                              MD5

                              5af87dfd673ba2115e2fcf5cfdb727ab

                              SHA1

                              d5b5bbf396dc291274584ef71f444f420b6056f1

                              SHA256

                              f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

                              SHA512

                              de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

                              Filesize

                              16B

                              MD5

                              46295cac801e5d4857d09837238a6394

                              SHA1

                              44e0fa1b517dbf802b18faf0785eeea6ac51594b

                              SHA256

                              0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                              SHA512

                              8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

                              Filesize

                              3KB

                              MD5

                              b53b3bfa8081fcd942d366761b3df390

                              SHA1

                              8984634e3e7b6fcdbf2c9bd797402bccbdd0cdea

                              SHA256

                              9b070eedda264d6fb1257d551b6c1cc83bbff3c12ccbbffd58d05109ab7574b5

                              SHA512

                              8c0cc11cfee7c06a5b027179e22320d86ca8d1582e04b86579d402d9115cf69b95a346ad1a50f8efd201e90b40828d0882d49359a4d4827f2179d71b0608d629

                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

                              Filesize

                              3KB

                              MD5

                              7c96bebfc34223924f5c8708c085c98d

                              SHA1

                              fb0beeb7507ae3f8e8736c9bb536684da200a819

                              SHA256

                              208978ee1be0bfbee417f55be52f1c95f47f1c5c7bf10f5d164672c2f220cbff

                              SHA512

                              c5dffef1f3e6223ac1cf873c82db171adc91a50d54e7d0eb7db3e2dc8139fd90435d8a3d07443deeadba6be257183a04396475962d43a916d3e83c31040101ee