hxxps://pub[.]marq[.]com/3d63a679-5900-4dd8-afd9-25aa3e986df1/

Analysis

max time kernel
19s
max time network
19s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2023, 21:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://pub.marq.com/3d63a679-5900-4dd8-afd9-25aa3e986df1/

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1128	msedge.exe
1128	msedge.exe
2920	msedge.exe
2920	msedge.exe
5000	identity_helper.exe
5000	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 4328	2920	msedge.exe	47
PID 2920 wrote to memory of 4328	2920	msedge.exe	47
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 2140	2920	msedge.exe	82
PID 2920 wrote to memory of 1128	2920	msedge.exe	83
PID 2920 wrote to memory of 1128	2920	msedge.exe	83
PID 2920 wrote to memory of 3008	2920	msedge.exe	85
PID 2920 wrote to memory of 3008	2920	msedge.exe	85
PID 2920 wrote to memory of 3008	2920	msedge.exe	85
PID 2920 wrote to memory of 3008	2920	msedge.exe	85
PID 2920 wrote to memory of 3008	2920	msedge.exe	85
PID 2920 wrote to memory of 3008	2920	msedge.exe	85
PID 2920 wrote to memory of 3008	2920	msedge.exe	85
PID 2920 wrote to memory of 3008	2920	msedge.exe	85
PID 2920 wrote to memory of 3008	2920	msedge.exe	85
PID 2920 wrote to memory of 3008	2920	msedge.exe	85
PID 2920 wrote to memory of 3008	2920	msedge.exe	85
PID 2920 wrote to memory of 3008	2920	msedge.exe	85
PID 2920 wrote to memory of 3008	2920	msedge.exe	85
PID 2920 wrote to memory of 3008	2920	msedge.exe	85
PID 2920 wrote to memory of 3008	2920	msedge.exe	85
PID 2920 wrote to memory of 3008	2920	msedge.exe	85
PID 2920 wrote to memory of 3008	2920	msedge.exe	85
PID 2920 wrote to memory of 3008	2920	msedge.exe	85
PID 2920 wrote to memory of 3008	2920	msedge.exe	85
PID 2920 wrote to memory of 3008	2920	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pub.marq.com/3d63a679-5900-4dd8-afd9-25aa3e986df1/
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff833d946f8,0x7ff833d94708,0x7ff833d94718
  2⤵
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,8877633064487475859,6150632917103094094,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,8877633064487475859,6150632917103094094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,8877633064487475859,6150632917103094094,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
  2⤵
  PID:3008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8877633064487475859,6150632917103094094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8877633064487475859,6150632917103094094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,8877633064487475859,6150632917103094094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,8877633064487475859,6150632917103094094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8877633064487475859,6150632917103094094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8877633064487475859,6150632917103094094,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8877633064487475859,6150632917103094094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8877633064487475859,6150632917103094094,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:4928

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4484

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3423d7e71b832850019e032730997f69

SHA1
bbc91ba3960fb8f7f2d5a190e6585010675d9061

SHA256
53770e40359b9738d8898520d7e4a57c28498edddbadf76ec4a599837aa0c649

SHA512
03d5fee4152300d6c5e9f72c059955c944c7e6d207e433e9fdd693639e63ea699a01696d7bbf56d2033fd52ad260c9ae36a2c5c888112d81bf7e04a3f273e65d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
196acbbdeee2c91af7b684e1fa1380a9

SHA1
c7627c76b6a22b70bbf4aa6813e9f11ee568b427

SHA256
013a219bb8be7dafe9594dcce8d069a9b38ba0cd13fb7ec510bf354c312649f7

SHA512
de409913153fb10cab5cfbf93246c5ee746d14077628097cb347a2c3c4e08a4a6e01bee10c94784750566cc79f5b12199ed6a85f33e349745a8cc6dc55ebd49b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
28f6f9a63d42d93b21d5241fc067b78e

SHA1
810fe8852214446d8c124d35a98b24ff38393d87

SHA256
6b267bc6fe5417b5b1b4e1f496d6c1de6489ff6f0d0b0db703404bbf5b4683ec

SHA512
ef456b8cdb391461ce91b47bac4b0c66d5f602a288f55b363284c1dc47818b43f4f249c3ec439263804b3d24b950e7a1ec54201ae16fb8a539319759c69f37ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
0e78f9a3ece93ae9434c64ea2bff51dc

SHA1
a0e4c75fe32417fe2df705987df5817326e1b3b9

SHA256
5c8ce4455f2a3e5f36f30e7100f85bdd5e44336a8312278769f89f68b8d60e68

SHA512
9d1686f0b38e3326ad036c8b218b61428204910f586dccf8b62ecbed09190f7664a719a89a6fbc0ecb429aecf5dd0ec06de44be3a1510369e427bde0626fd51d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
b97c96b3c078966c592ad501acc58ac9

SHA1
97f2e362f6be4ec2eb44f92775ca28c3cbeb1aaa

SHA256
68edda03c6959c95520e47a5b0363ba75adff6e6db619b96f73684457ab7e932

SHA512
62a0ed225449ea86017f8a7ffb2ada8c13c584372f0a0b80d14615a2717ea38c2a0fd636d2d1000ec2485850b83faf0289e3df10b64884761daf0b82bc2c4d77

Download Submit