b72330d80e92063db94fb321e42789dd870b8580d40d44ef17c77ee6b23cc5d1

Resubmissions

17/03/2025, 09:19

250317-lajz9swvbv 4

14/03/2025, 20:12

250314-yy3tha1rs4 10

Analysis

max time kernel
24s
max time network
24s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
17/03/2025, 09:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

free.panel.rar.html
Size

9KB
MD5

87eed16d3517b84785e333076f2f1db1
SHA1

9cf5fa92b7c84b583760e64b71df8e28fd54d891
SHA256

b72330d80e92063db94fb321e42789dd870b8580d40d44ef17c77ee6b23cc5d1
SHA512

95d08591cd029d8455f489839dc034dba96a68674f477281fb82b57e8fa76f69756aad911bb2681776cf3280072bde767f59129ab006a4a874f54b32d1c1158b
SSDEEP

192:WHQs+W33+IQZBftXI3AXSIdSrHhAEtwFlQYx+bPiqlc2Db1:WHQs+23+nZBftGeh6HgbWPlc2Db1

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
412	msedge.exe
412	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4980	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 412 wrote to memory of 1124	412	msedge.exe	82
PID 412 wrote to memory of 1124	412	msedge.exe	82
PID 412 wrote to memory of 3488	412	msedge.exe	83
PID 412 wrote to memory of 3488	412	msedge.exe	83
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 1800	412	msedge.exe	84
PID 412 wrote to memory of 5180	412	msedge.exe	85
PID 412 wrote to memory of 5180	412	msedge.exe	85
PID 412 wrote to memory of 5180	412	msedge.exe	85
PID 412 wrote to memory of 5180	412	msedge.exe	85
PID 412 wrote to memory of 5180	412	msedge.exe	85
PID 412 wrote to memory of 5180	412	msedge.exe	85
PID 412 wrote to memory of 5180	412	msedge.exe	85
PID 412 wrote to memory of 5180	412	msedge.exe	85
PID 412 wrote to memory of 5180	412	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\free.panel.rar.html
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x28c,0x7ffa8f50f208,0x7ffa8f50f214,0x7ffa8f50f220
  2⤵
  PID:1124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1912,i,12845829707673213035,17532997612339859717,262144 --variations-seed-version --mojo-platform-channel-handle=2184 /prefetch:11
  2⤵
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2156,i,12845829707673213035,17532997612339859717,262144 --variations-seed-version --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2256,i,12845829707673213035,17532997612339859717,262144 --variations-seed-version --mojo-platform-channel-handle=2252 /prefetch:13
  2⤵
  PID:5180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3416,i,12845829707673213035,17532997612339859717,262144 --variations-seed-version --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3424,i,12845829707673213035,17532997612339859717,262144 --variations-seed-version --mojo-platform-channel-handle=3500 /prefetch:1
  2⤵
  PID:5584

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5108

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
509e630f2aea0919b6158790ecedff06

SHA1
ba9a6adff6f624a938f6ac99ece90fdeadcb47e7

SHA256
067308f8a68703d3069336cb4231478addc400f1b5cbb95a5948e87d9dc4f78b

SHA512
1cb2680d3b8ddef287547c26f32be407feae3346a8664288de38fe6157fb4aeceb72f780fd21522417298e1639b721b96846d381da34a5eb1f3695e8e6ef7264

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
00c86a2a00c9f0235c73a07ea0a5ae90

SHA1
a59e4f24760c49fdc6f6db198a7e1f90783b5a5a

SHA256
e123c10294d2c6b4f287bd223db5082e585d2fad2dae3f78acdf444085a0b1d5

SHA512
af8e58233b6dafe6f9cf0ab958b6fa979d7ded19bb3d35345353932cb97a2d9c8a8854d8c2157b6e8c570e86cc6d094f0f12d5b2d5ca0ffc1a97b72efa772cd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
37KB

MD5
08d671c1644e32aeee78d782b40eee9d

SHA1
6d02de85543723ec72396a0f56216ff671601958

SHA256
2832537e8c216268a4816e8bfb16553cd9eda38696b3e8df407375b26c64e097

SHA512
ce1843bc1e622c4f5e854a5ac62b91353b4395dbdebca7527d91cca0479b9c9f3c03e305d4db12ac108219d7047827c012308affee74934bf13a01e3d903f198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
1d41897bffe6dd795ab2827d01ade878

SHA1
0dee04924521df1a241b9f4ea6a249e646c207dc

SHA256
326e2dca7418ee24f897e2883edf5ba5533da6f0504c790c51b6e2e421cc4e24

SHA512
803d1b691c78692d5e218aadec5916003cb4788d075f9de1cac198c320fba1dfbf23e810adc40d17136c941d79ab3eda13092654cf77cf53a7d6543a9a1fcf0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
aa69797003a4048cc162caaf0e2a4bbb

SHA1
9a53b0530a6413308e8692b34d62d77d820f1e89

SHA256
fdf06a57da510c5498c64ec92243bddf9ce51c81910d308d77d0124e3ffeda4c

SHA512
d90aa8b6d75539d984804eb5652c7116a9e2849e0e62f781e9093f815d611cbe0b3b696d169d400dc0197ede37b001f4934d3a4d506798ea60e10d9a865dfe76

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
23KB

MD5
ae7a9ff5a5e4295f40ffa935c01c456f

SHA1
4f5d39886ae1463087d66fb061aef1e14ef51fa4

SHA256
3def0328144e8806500e0f3f9877e6b33a9680c91443acdc8b55005493d991fe

SHA512
10a37a4a6f3ae5e87a459fd6115dd547bf27db578b31631ccad57ee909b98bd0f0bf8184dc6e330db68bffdb075eee533ea307281edae8cb902f145b5e78f916

Download Submit