hxxps://mediakliniken[.]com/Mrich[.]lepoutre@sibelco[.]com

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17/07/2023, 08:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://mediakliniken.com/[email protected]

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3444	msedge.exe
3444	msedge.exe
1388	msedge.exe
1388	msedge.exe
112	identity_helper.exe
112	identity_helper.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 4320	1388	msedge.exe	79
PID 1388 wrote to memory of 4320	1388	msedge.exe	79
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 4528	1388	msedge.exe	86
PID 1388 wrote to memory of 3444	1388	msedge.exe	85
PID 1388 wrote to memory of 3444	1388	msedge.exe	85
PID 1388 wrote to memory of 3524	1388	msedge.exe	87
PID 1388 wrote to memory of 3524	1388	msedge.exe	87
PID 1388 wrote to memory of 3524	1388	msedge.exe	87
PID 1388 wrote to memory of 3524	1388	msedge.exe	87
PID 1388 wrote to memory of 3524	1388	msedge.exe	87
PID 1388 wrote to memory of 3524	1388	msedge.exe	87
PID 1388 wrote to memory of 3524	1388	msedge.exe	87
PID 1388 wrote to memory of 3524	1388	msedge.exe	87
PID 1388 wrote to memory of 3524	1388	msedge.exe	87
PID 1388 wrote to memory of 3524	1388	msedge.exe	87
PID 1388 wrote to memory of 3524	1388	msedge.exe	87
PID 1388 wrote to memory of 3524	1388	msedge.exe	87
PID 1388 wrote to memory of 3524	1388	msedge.exe	87
PID 1388 wrote to memory of 3524	1388	msedge.exe	87
PID 1388 wrote to memory of 3524	1388	msedge.exe	87
PID 1388 wrote to memory of 3524	1388	msedge.exe	87
PID 1388 wrote to memory of 3524	1388	msedge.exe	87
PID 1388 wrote to memory of 3524	1388	msedge.exe	87
PID 1388 wrote to memory of 3524	1388	msedge.exe	87
PID 1388 wrote to memory of 3524	1388	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mediakliniken.com/[email protected]
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb0fda46f8,0x7ffb0fda4708,0x7ffb0fda4718
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1968,18063853837098446184,13297985317859230332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2456 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,18063853837098446184,13297985317859230332,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1968,18063853837098446184,13297985317859230332,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,18063853837098446184,13297985317859230332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,18063853837098446184,13297985317859230332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,18063853837098446184,13297985317859230332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:3804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,18063853837098446184,13297985317859230332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1968,18063853837098446184,13297985317859230332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
  2⤵
  PID:2888
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1968,18063853837098446184,13297985317859230332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,18063853837098446184,13297985317859230332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,18063853837098446184,13297985317859230332,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
  2⤵
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,18063853837098446184,13297985317859230332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4244 /prefetch:1
  2⤵
  PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,18063853837098446184,13297985317859230332,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
  2⤵
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,18063853837098446184,13297985317859230332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
  2⤵
  PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,18063853837098446184,13297985317859230332,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1344 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:336

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:952

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3423d7e71b832850019e032730997f69

SHA1
bbc91ba3960fb8f7f2d5a190e6585010675d9061

SHA256
53770e40359b9738d8898520d7e4a57c28498edddbadf76ec4a599837aa0c649

SHA512
03d5fee4152300d6c5e9f72c059955c944c7e6d207e433e9fdd693639e63ea699a01696d7bbf56d2033fd52ad260c9ae36a2c5c888112d81bf7e04a3f273e65d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
5e4787bc89db498e9c2e7e8c3504c7cd

SHA1
c8ddd7109e5266490a1c355fcbd6807edd1f6b30

SHA256
9ce62c2c09b9cecb84ddbeba695e277be916dc5091ba3c75ec756080202fdfdb

SHA512
c77545bbe576085abc6fdd10317586f155f6eceda770a94d343cd6b243f0f5802ee0c997fdfdca956ccd4530337ac125e4297190ee6329ccce19356253f36789

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
705B

MD5
fad4124767112f86272a32ea61d21903

SHA1
279adb8dc66f06b255cc2381d7ef0ee5a890edca

SHA256
6dd6a6b66f3b797c55cc34c9b621878dfbf40306c8f71f2c6273241ccca0f745

SHA512
501c561602262fe7cc7f6b4b40c69e637f6a909198600b10ffdc02947845fe15ab7c7318ebcc347d33428229aba35baa5407e705bed01ed5d31552e6fd5f353f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0d0645f7502cd61f142b87716109522d

SHA1
2fdd888df070757ba05434a5561095b53be88685

SHA256
e09c969367be5fbd272a02f30d13e8feb5d74ccc06e4edea1de022a6d29f4398

SHA512
10f8e30dc51042d29a6f10217b4d9bac5f8757bcab17b1c3bb0bee65fecf6065c317eca548ac750dac5d753ad3917681b8562ba186bff9b64e1203133d8a5f7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ced7edfa09ee05dc25d96ac3c0532eb5

SHA1
1cf40553302f0646b092b3cd29325f767d151ae8

SHA256
b8e5a9c314f5630bdc07fe3a52c84fb20bcd1db1ac4d9ee49d512a70cf7b51a7

SHA512
add5f289ad8b76bda3d1f90a39f39e9f1b5b4380c1f7387939541862f98468f863206b0fd49e8ae54c19ae56e5202ebd30852cbb97f2f5ac38d8cd47d500bf44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
0e78f9a3ece93ae9434c64ea2bff51dc

SHA1
a0e4c75fe32417fe2df705987df5817326e1b3b9

SHA256
5c8ce4455f2a3e5f36f30e7100f85bdd5e44336a8312278769f89f68b8d60e68

SHA512
9d1686f0b38e3326ad036c8b218b61428204910f586dccf8b62ecbed09190f7664a719a89a6fbc0ecb429aecf5dd0ec06de44be3a1510369e427bde0626fd51d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c7f3627f07d4d74fc51e63ccab9ab3f5

SHA1
66ed1497569a38db260fb8fe54402d219a2717e1

SHA256
343c508729fb67a93ff2b90e650697e163fffa47a37e24fbcfe0f3d6da3ea2f0

SHA512
98330bd1852fdfe405ca843a3038807d4d05be722a583cbdfd48ee1f1460e87e5857b9a4160b10484722a5b764e77b2aeeef7b93387946a05c6e3c71adafd70b

Download Submit