hxxps://click[.]tp2[.]terrapinn[.]com/?qs=8d3599c26b3bdaf9e2072b713604179d833d5049709ca9aa7980797b1c7713e18d691d593a3b6fbdc7cf3817f7079166f5e4045ff27cf2c976bb39187dde0ae9

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
24/07/2023, 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://click.tp2.terrapinn.com/?qs=8d3599c26b3bdaf9e2072b713604179d833d5049709ca9aa7980797b1c7713e18d691d593a3b6fbdc7cf3817f7079166f5e4045ff27cf2c976bb39187dde0ae9

Score

6^/10

Malware Config

Signatures

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
81	jsonip.com
84	jsonip.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1632	msedge.exe
1632	msedge.exe
468	msedge.exe
468	msedge.exe
4936	identity_helper.exe
4936	identity_helper.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 4048	468	msedge.exe	23
PID 468 wrote to memory of 4048	468	msedge.exe	23
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 4464	468	msedge.exe	86
PID 468 wrote to memory of 1632	468	msedge.exe	85
PID 468 wrote to memory of 1632	468	msedge.exe	85
PID 468 wrote to memory of 864	468	msedge.exe	87
PID 468 wrote to memory of 864	468	msedge.exe	87
PID 468 wrote to memory of 864	468	msedge.exe	87
PID 468 wrote to memory of 864	468	msedge.exe	87
PID 468 wrote to memory of 864	468	msedge.exe	87
PID 468 wrote to memory of 864	468	msedge.exe	87
PID 468 wrote to memory of 864	468	msedge.exe	87
PID 468 wrote to memory of 864	468	msedge.exe	87
PID 468 wrote to memory of 864	468	msedge.exe	87
PID 468 wrote to memory of 864	468	msedge.exe	87
PID 468 wrote to memory of 864	468	msedge.exe	87
PID 468 wrote to memory of 864	468	msedge.exe	87
PID 468 wrote to memory of 864	468	msedge.exe	87
PID 468 wrote to memory of 864	468	msedge.exe	87
PID 468 wrote to memory of 864	468	msedge.exe	87
PID 468 wrote to memory of 864	468	msedge.exe	87
PID 468 wrote to memory of 864	468	msedge.exe	87
PID 468 wrote to memory of 864	468	msedge.exe	87
PID 468 wrote to memory of 864	468	msedge.exe	87
PID 468 wrote to memory of 864	468	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://click.tp2.terrapinn.com/?qs=8d3599c26b3bdaf9e2072b713604179d833d5049709ca9aa7980797b1c7713e18d691d593a3b6fbdc7cf3817f7079166f5e4045ff27cf2c976bb39187dde0ae9
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8c7bb46f8,0x7ff8c7bb4708,0x7ff8c7bb4718
  2⤵
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,16792763799374184511,11451398261771273711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,16792763799374184511,11451398261771273711,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,16792763799374184511,11451398261771273711,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
  2⤵
  PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16792763799374184511,11451398261771273711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16792763799374184511,11451398261771273711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16792763799374184511,11451398261771273711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,16792763799374184511,11451398261771273711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5756 /prefetch:8
  2⤵
  PID:3784
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,16792763799374184511,11451398261771273711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5756 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16792763799374184511,11451398261771273711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16792763799374184511,11451398261771273711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:2624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16792763799374184511,11451398261771273711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:1
  2⤵
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16792763799374184511,11451398261771273711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:3836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,16792763799374184511,11451398261771273711,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1128 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3296

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3423d7e71b832850019e032730997f69

SHA1
bbc91ba3960fb8f7f2d5a190e6585010675d9061

SHA256
53770e40359b9738d8898520d7e4a57c28498edddbadf76ec4a599837aa0c649

SHA512
03d5fee4152300d6c5e9f72c059955c944c7e6d207e433e9fdd693639e63ea699a01696d7bbf56d2033fd52ad260c9ae36a2c5c888112d81bf7e04a3f273e65d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
171KB

MD5
442d0e9e8515f3517372c89d7d94fe9b

SHA1
768598cde1ba553c3b208f842b06eb80b94f2939

SHA256
205f37c78cda70f635fd72e1d99079d7c4d88e54e88b04a0d746455eefe3b979

SHA512
cd396095eb7640706063c45d951e49ec380ddd5f61088a26df2471d4424b14579708842ff971a5abe41f03218364ee5f7246d26bf2a0d3e08998bd580abcf739

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
768B

MD5
39aef8939275353036145196f836ebf8

SHA1
4df4d368f88cca8793620aa144db1640c0216051

SHA256
decc9ee8d3fc79c16d6ba085ea53d990fdc4d1ccb33f37dc46e8721d4cc2e40e

SHA512
6a01b52454b7af20e56089781ed4d195f5938f6c718a444ff948cc7713832b1f2af67dcecb7db9a57b6ac14ae766f5f8b508312a7d3dea548b9beb7b3b6beed5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
3a911de4e3fb6add198da99d4ea7d5db

SHA1
49dec6915d0ad82870734384211f36fd86070018

SHA256
b267d1616707a6830d4be0f99da372234c996d9a9d2327d3dc0227ae58e5e7e9

SHA512
cab639d8014d608e7126a5893a6615acbbf8e2c55d299b1ea8766b21f88cc41fd09fd2b9be592f797ec2c2334e7727e3557b6656043546f4136e25926be9205f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d11e7b3a0c1e0edf3b81f0f7c32a615a

SHA1
332d3ad028f6fa09b1d801e561a86b2b4a2212bb

SHA256
9150c5eacb64505d14ab12bb4acef07cd129fef367d126d36f73365d9d2567af

SHA512
e812a915d5ca6b4c53a21227b23b185c91691522bf1693e257be7803d001c3882366dc224f200713f65cffaf847967899c274411424a4e369fb17287022a84a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
40cf7733ac72381f13b85f26edc27e81

SHA1
33a4ae455ec94bd066d31c97249506ee7aca5189

SHA256
430fb7874deeb521189e368a2d3dbe0eb3b28012bbf64a8741fd302f99190a49

SHA512
3122ca6d5c7eb02bb107fa98a82adb9a4f30ee7d6d9f3310cac8fbd3f31eff612b4e785ba8ec4b2a608e016d8be2c2ffe6053f9b7d45979cdd67727ca1c44d8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
0e78f9a3ece93ae9434c64ea2bff51dc

SHA1
a0e4c75fe32417fe2df705987df5817326e1b3b9

SHA256
5c8ce4455f2a3e5f36f30e7100f85bdd5e44336a8312278769f89f68b8d60e68

SHA512
9d1686f0b38e3326ad036c8b218b61428204910f586dccf8b62ecbed09190f7664a719a89a6fbc0ecb429aecf5dd0ec06de44be3a1510369e427bde0626fd51d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
af1b6a70367d1950aab264e6b76309a3

SHA1
78f8ecad0e288b7b701a82c7cb04369d5983cc33

SHA256
d6b430e24904290b888841f1574981e2d75559243389780604e3659dd9472505

SHA512
49948af5bd52453ee553e444a641780333ad2e5e0c19caaadde96d4d586ad4a767b5264550b4679c5c7a8ffb5ff9a14382d3791201101eb31129210c25ba401f

Download Submit