hxxp://google[.]com

Resubmissions

28/03/2025, 22:48

250328-2rgt8sszgz 4

28/03/2025, 19:38

250328-ycwhaszzbv 10

Analysis

max time kernel
17s
max time network
15s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
28/03/2025, 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://google.com

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4004 wrote to memory of 4588	4004	msedge.exe	83
PID 4004 wrote to memory of 4588	4004	msedge.exe	83
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 5944	4004	msedge.exe	84
PID 4004 wrote to memory of 5944	4004	msedge.exe	84
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 6120	4004	msedge.exe	85
PID 4004 wrote to memory of 2424	4004	msedge.exe	86
PID 4004 wrote to memory of 2424	4004	msedge.exe	86
PID 4004 wrote to memory of 2424	4004	msedge.exe	86
PID 4004 wrote to memory of 2424	4004	msedge.exe	86
PID 4004 wrote to memory of 2424	4004	msedge.exe	86
PID 4004 wrote to memory of 2424	4004	msedge.exe	86
PID 4004 wrote to memory of 2424	4004	msedge.exe	86
PID 4004 wrote to memory of 2424	4004	msedge.exe	86
PID 4004 wrote to memory of 2424	4004	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://google.com
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x264,0x268,0x26c,0x260,0x30c,0x7ffc844df208,0x7ffc844df214,0x7ffc844df220
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1920,i,8883739374924384173,2349293031483066404,262144 --variations-seed-version --mojo-platform-channel-handle=2340 /prefetch:3
  2⤵
  PID:5944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2264,i,8883739374924384173,2349293031483066404,262144 --variations-seed-version --mojo-platform-channel-handle=2212 /prefetch:2
  2⤵
  PID:6120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2432,i,8883739374924384173,2349293031483066404,262144 --variations-seed-version --mojo-platform-channel-handle=2532 /prefetch:8
  2⤵
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3488,i,8883739374924384173,2349293031483066404,262144 --variations-seed-version --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3492,i,8883739374924384173,2349293031483066404,262144 --variations-seed-version --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=5080,i,8883739374924384173,2349293031483066404,262144 --variations-seed-version --mojo-platform-channel-handle=4268 /prefetch:1
  2⤵
  PID:1872

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
a7537931e1af5340f125d6c9a59b043e

SHA1
4f331e4af4a74ac232905bce9464665a0976545a

SHA256
2b657fd65c9331a37e3b44f1a6ed1259d7a6137586ed1807ec8f748268764e41

SHA512
1b06341297d01c8cef10e4a6ec5bf3a859363416625fe4dfcb24bd4e454a2300bbca758489a47ec10f1182154f4f927d67e9347a7b077882508224a7f0d8090e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
1c29303e6082879110d1fee94c293ac7

SHA1
d30df6de9fc5e49d56ac9e91568a0ff86dc5b74c

SHA256
3a3d0d9d97356f49dac876fac4695e2903ea1a9a0eca31bd09b98452a61ce20a

SHA512
2331e325211fe3bcfa920dfa9575d7231d63d434de9f3343c72525a77c60aff2dd4eb443e507e4e83008680d26c252c4ebfe1390195ecca21e933f0ed13e9318

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
7dd8da0fb87b0a05f6645ecedbc0be76

SHA1
1260e1f1555680d492971e68198b34cda23d9764

SHA256
68585a4500384ea429b2e30283a6dbfb140bff1cec61f3634ee05e5b815babb6

SHA512
bf41b5a6e6fc4a35f1224954af17e2fc6136077e8a187ffe0a72a84d198cd82f0d8d6db7c68afd774a7b1853f21cca9ffd19fdd965887a0b49641aa309a639e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
dc3f81a1b6b1efdc9b3c65b31fef7d68

SHA1
52351973ff6bbb05a78c0a2f90a6a1175235408a

SHA256
62c0725e188599056f1c24a925c82031dbc44de050046260e0b923f4606aa820

SHA512
afafb843623429bedb826f421e293537cc670933796e8b80a9dd2e91a69525cd855ce21e7f94c83c55caf24a0acbea0bbcb56e065c6c7cc79d5fdcb3ff9cd2af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
c54f1eb55187079176efc04979640bb2

SHA1
bcc93163ed161280a6b422052f24943ab871baa6

SHA256
3c7e8af1cb655c35255ebd06b30ea732fce9997f1b7cd801d09270748323c80a

SHA512
1a913510501e69aa16ad94cd11cd3b481e2c7c05725b5ca2841d5ae1f78510be5a029908ba761a1938fe919a828ce99eeb082b21e823a621604766c26c944579

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
11dcee50a9446a7c267055aa159d653c

SHA1
1c1798363daf8487ead3f5980aebfbf276f087ea

SHA256
cd644861c3ecaabc18b9929060042439b2de1b8518936478a954570c8edecf53

SHA512
21d9ed239d091442ddcec566ebfebf5c7d8133d4449f3163a71bee494ac1f37e9fc5104def3aac6580618c8c5a04bf2a66977cc6e88e903aab93a0b12facb2de

Download Submit