hxxps://storage[.]googleapis[.]com/ysdygsudyfgiudsyfgiysidug/dqdsqfsdf[.]html#dqQ2UG[.]html?od=1sym64ac472387c0e_vl_Active11vl_18o4[.]2dg1y4o[.]O0000ri9bcf1q1d013_x11608[.]i9bcfMHgycWF3LTBwa3JsNHA0n4dTb

Analysis

max time kernel
143s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
23-07-2023 12:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://storage.googleapis.com/ysdygsudyfgiudsyfgiysidug/dqdsqfsdf.html#dqQ2UG.html?od=1sym64ac472387c0e_vl_Active11vl_18o4.2dg1y4o.O0000ri9bcf1q1d013_x11608.i9bcfMHgycWF3LTBwa3JsNHA0n4dTb

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3324	msedge.exe
3324	msedge.exe
1616	msedge.exe
1616	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1616	msedge.exe
1616	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 3700	1616	msedge.exe	67
PID 1616 wrote to memory of 3700	1616	msedge.exe	67
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3236	1616	msedge.exe	87
PID 1616 wrote to memory of 3324	1616	msedge.exe	86
PID 1616 wrote to memory of 3324	1616	msedge.exe	86
PID 1616 wrote to memory of 3020	1616	msedge.exe	88
PID 1616 wrote to memory of 3020	1616	msedge.exe	88
PID 1616 wrote to memory of 3020	1616	msedge.exe	88
PID 1616 wrote to memory of 3020	1616	msedge.exe	88
PID 1616 wrote to memory of 3020	1616	msedge.exe	88
PID 1616 wrote to memory of 3020	1616	msedge.exe	88
PID 1616 wrote to memory of 3020	1616	msedge.exe	88
PID 1616 wrote to memory of 3020	1616	msedge.exe	88
PID 1616 wrote to memory of 3020	1616	msedge.exe	88
PID 1616 wrote to memory of 3020	1616	msedge.exe	88
PID 1616 wrote to memory of 3020	1616	msedge.exe	88
PID 1616 wrote to memory of 3020	1616	msedge.exe	88
PID 1616 wrote to memory of 3020	1616	msedge.exe	88
PID 1616 wrote to memory of 3020	1616	msedge.exe	88
PID 1616 wrote to memory of 3020	1616	msedge.exe	88
PID 1616 wrote to memory of 3020	1616	msedge.exe	88
PID 1616 wrote to memory of 3020	1616	msedge.exe	88
PID 1616 wrote to memory of 3020	1616	msedge.exe	88
PID 1616 wrote to memory of 3020	1616	msedge.exe	88
PID 1616 wrote to memory of 3020	1616	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://storage.googleapis.com/ysdygsudyfgiudsyfgiysidug/dqdsqfsdf.html#dqQ2UG.html?od=1sym64ac472387c0e_vl_Active11vl_18o4.2dg1y4o.O0000ri9bcf1q1d013_x11608.i9bcfMHgycWF3LTBwa3JsNHA0n4dTb
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc99d546f8,0x7ffc99d54708,0x7ffc99d54718
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,16281281724617359211,1792647889944732428,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,16281281724617359211,1792647889944732428,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
  2⤵
  PID:3236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,16281281724617359211,1792647889944732428,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2496 /prefetch:8
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16281281724617359211,1792647889944732428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16281281724617359211,1792647889944732428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,16281281724617359211,1792647889944732428,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4536 /prefetch:2
  2⤵
  PID:3828

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f6f47b83c67fe32ee32811d6611d269c

SHA1
b32353d1d0ed26e0dd5b5f1f402ffd41a105d025

SHA256
ac1866f15ff34d1df4dafa761dbb7dc2c712fe01ac0e171706ef29e205549cbc

SHA512
6ee068efa9fbd3c972169427be2f6377a1204bf99b61579e4d78643e89e729ad65f2abcc70007fd0dd38428e7cd39010a253d6f9cd5e90409e207ddaf5d6720d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
311B

MD5
33dfc702feeb61688ee7844d192e2f3d

SHA1
3bdec2498e93720de92b68aa67f69f1fbdf838fe

SHA256
1acf1c64a03890bfb65bee217cc29f71cfeb6836c15f9c4c22160331432646a3

SHA512
93fa4ab1062ac111a58879a7e51c0cf8f6102f75ceb6e32024b5f5d8244379a23364bbad48bd12e7f5aa26c51317b78ee16c3ee13d0258b397baac5130e546ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8e470d8b084ca5ee7839b3d89b8f731a

SHA1
eb886d7d60d06ec66e5e61349f1c573ca6bacfbf

SHA256
40bae0ee55f243aacd7147e9305099a2789773a0a965dd0d4f8986a8e5474ca6

SHA512
2c7ec47d07afbf0b084abe31a17c9038c00996c9fafa8d5384d6e9703d624eac339f5abc87671ed0853c3ec17e335710b22a122bcb470613a7c06ba1e4f96a97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8d7a560a715e39bfa844382212ba3273

SHA1
ee4e0c6dc7121a398128265046d4e73858441f36

SHA256
144b9cd6e67bd9f09d7203b44d61f80c38d6fdd82b113f5a547305454796d373

SHA512
229cd0d7736e9e45d17af5614f4d5ac957d584d8659d64b06f272327ae8ef7cfb10bd7d16c1dced232616ef1a38d9e02acb340571a5da4ff6ad8a60360364a56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5544c64f2a8f49dabc19eb84267b1c9b

SHA1
c5b78d63a8bab1c7b985f7ea2f268d0d7809071e

SHA256
a1fcfee2974a77e76a7431a2069db301861ab42dd41769cead8697f41f5a497f

SHA512
38c80d7c810441fc87beff38929473088cf426b0a25a30820d8a060f493350d99bb8521b314afe00578ea54648fce2aa4e55880a83a4f1048c56307991726565

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
5f1876e7339083cfe9e4b25265ebcebd

SHA1
0ee43be06ac603de0cf18f1a42b952aef16bceae

SHA256
1f2b5c4eae0555369a0bc733942d73f858827e74da3f2f2d1d72cafb4540e468

SHA512
060b18294446183b3b91770540f246e807908b8f8462437e9b9073dc710b5467e526b9b9b16807c67ab72d7286856b9083f774a3db8cbe1fe154f2848ec9bad3

Download Submit