Analysis

max time kernel: 146s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/08/2023, 10:31

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://ehi.mitarbeiterangebote.de/login?wt_mc=news.2023.8.A.None
Resource: win10v2004-20230703-en

General

Target: https://ehi.mitarbeiterangebote.de/login?wt_mc=news.2023.8.A.None
Malware Config
(none)

Signatures

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid   Process
  5000  msedge.exe            (x2)
  1372  msedge.exe            (x2)
  4928  identity_helper.exe   (x2)
  2524  msedge.exe            (x4)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  pid   Process
  1372  msedge.exe            (x6)

Suspicious use of FindShellTrayWindow (25 IoCs)
  pid   Process
  1372  msedge.exe            (x25)

Suspicious use of SendNotifyMessage (24 IoCs)
  pid   Process
  1372  msedge.exe            (x24)

Suspicious use of WriteProcessMemory (64 IoCs)
  description                        pid   Process     procid_target
  PID 1372 wrote to memory of 2776   1372  msedge.exe  64             (x2)
  PID 1372 wrote to memory of 4492   1372  msedge.exe  85             (x40)
  PID 1372 wrote to memory of 5000   1372  msedge.exe  84             (x2)
  PID 1372 wrote to memory of 4300   1372  msedge.exe  86             (x20)
  (identical rows collapsed; procid_target is the report's own process index for the target, not its Windows PID, as the values 64/85/84/86 show)

Note on the signatures: every behavior flagged here is consistent with the Chromium multi-process model that Microsoft Edge uses. The browser process (PID 1372) launches its crashpad handler, GPU, network-service, storage-service, renderer and identity_helper children and writes into those children's address space while launching and sandboxing them, which is what the WriteProcessMemory rows record (the targets 2776, 4492, 5000 and 4300 are exactly the crashpad, GPU, network and storage children listed under Processes). NtCreateUserProcessBlockNonMicrosoftBinary records children being created with the "block non-Microsoft binaries" code-integrity mitigation, a hardening measure rather than a threat indicator. None of these signatures on its own distinguishes this run from a normal browser launch; the submitted sample is a URL and no malware configuration was extracted.
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [level 1, PID 1372]
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ehi.mitarbeiterangebote.de/login?wt_mc=news.2023.8.A.None
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [level 2, PID 2776]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff4dc146f8,0x7fff4dc14708,0x7fff4dc14718

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [level 2, PID 5000]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,15156922946403213012,6981614127404849991,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [level 2, PID 4492]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,15156922946403213012,6981614127404849991,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [level 2, PID 4300]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,15156922946403213012,6981614127404849991,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1492 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [level 2, PID 2624]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15156922946403213012,6981614127404849991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [level 2, PID 3584]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15156922946403213012,6981614127404849991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  [level 2, PID 4864]
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,15156922946403213012,6981614127404849991,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  [level 2, PID 4928]
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,15156922946403213012,6981614127404849991,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [level 2, PID 2828]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15156922946403213012,6981614127404849991,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [level 2, PID 2344]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15156922946403213012,6981614127404849991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [level 2, PID 2440]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15156922946403213012,6981614127404849991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [level 2, PID 2212]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15156922946403213012,6981614127404849991,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [level 2, PID 2524]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,15156922946403213012,6981614127404849991,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe  [level 1, PID 2512]
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  [level 1, PID 112]
  C:\Windows\System32\CompPkgSrv.exe -Embedding
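The Signatures and Processes sections above are the raw material for deciding whether a browser sandbox run is benign or not. The script below is an added example, not part of the Tria.ge report or its tooling: it parses the Chromium-style command lines and the WriteProcessMemory rows, identifies the browser process, and flags any child that does not fit the normal Edge process model (binary outside the Edge install directory, unknown `--type`, a `--field-trial-handle` from a different browser session, or memory written by a process other than the browser). The sample rows are condensed from this report (long switches dropped); the `ROGUE` row and the writer PID 9999 used in the usage section are constructed. The expected install path and the set of known process types are my assumptions about what "normal" looks like, not something the report states.

```python
"""Triage helper for a sandbox process listing (added example, not part of the
Tria.ge report). Parses Chromium-style command lines, finds the Edge browser
process and flags children that do not look like normal Edge children.
Sample rows are condensed from the report; ROGUE is constructed."""
import re

# ASSUMPTION: where a legitimate Edge install lives on this image (lower-cased).
EDGE_DIR = "c:\\program files (x86)\\microsoft\\edge\\application\\"
# ASSUMPTION: the --type values a Chromium browser process normally spawns.
CHROMIUM_TYPES = {"crashpad-handler", "gpu-process", "utility", "renderer"}

EDGE = r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"'
HELPER = r'"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"'
FT = " --field-trial-handle=2132,15156922946403213012,6981614127404849991,131072"
URL = "https://ehi.mitarbeiterangebote.de/login?wt_mc=news.2023.8.A.None"

# (pid, command line) condensed from the Processes section of the report.
REPORT_PROCESSES = [
    (1372, EDGE + " --single-argument " + URL),
    (2776, EDGE + r' --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data"'),
    (5000, EDGE + " --type=utility --utility-sub-type=network.mojom.NetworkService" + FT + " --service-sandbox-type=none"),
    (4492, EDGE + " --type=gpu-process" + FT),
    (4300, EDGE + " --type=utility --utility-sub-type=storage.mojom.StorageService" + FT + " --service-sandbox-type=utility"),
    (2624, EDGE + " --type=renderer" + FT + " --renderer-client-id=6"),
    (4928, HELPER + " --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService" + FT),
]
# (writer pid, target pid) from the "Suspicious use of WriteProcessMemory" rows.
REPORT_WPM = [(1372, 2776), (1372, 4492), (1372, 5000), (1372, 4300)]
# CONSTRUCTED: a renderer-looking process running from a user-writable path.
ROGUE = (6666, r'"C:\Users\Public\msedge.exe" --type=renderer' + FT)


def _flag(cmd, name):
    """Value of a --name=value switch, or None if the switch is absent."""
    m = re.search(r"--" + re.escape(name) + r"=(\S+)", cmd)
    return m.group(1) if m else None


def parse_cmdline(cmd):
    """Extract the fields a triager needs from a Chromium command line."""
    exe = re.match(r'^"([^"]+)"', cmd)
    url = re.search(r"--single-argument (.+)$", cmd)
    return {
        "exe": exe.group(1) if exe else cmd.split(" ", 1)[0],
        "type": _flag(cmd, "type"),
        "sub_type": _flag(cmd, "utility-sub-type"),
        "field_trial": _flag(cmd, "field-trial-handle"),
        "url": url.group(1).strip() if url else None,
    }


def triage(processes, wpm_rows):
    """Return the browser PID, the URL it opened, the child count and anomalies."""
    parsed = {pid: parse_cmdline(cmd) for pid, cmd in processes}
    writers = {}
    for writer, target in wpm_rows:
        writers.setdefault(target, set()).add(writer)

    # The browser process is the Edge binary launched without a --type switch.
    browsers = [pid for pid, p in parsed.items()
                if p["type"] is None and p["exe"].lower().startswith(EDGE_DIR)]
    if len(browsers) != 1:
        return {"browser_pid": None, "url": None, "children": 0,
                "anomalies": [f"expected exactly one browser process, found {browsers}"]}
    bpid = browsers[0]

    anomalies, session = [], None
    for pid, p in parsed.items():
        if pid == bpid:
            continue
        if not p["exe"].lower().startswith(EDGE_DIR):
            anomalies.append(f"pid {pid}: binary outside Edge install dir: {p['exe']}")
        if p["type"] not in CHROMIUM_TYPES:
            anomalies.append(f"pid {pid}: unknown --type {p['type']!r}")
        # Every child except the crashpad handler carries the browser's
        # field-trial handle; a different value means a different session.
        if p["type"] != "crashpad-handler":
            session = session or p["field_trial"]
            if p["field_trial"] != session:
                anomalies.append(f"pid {pid}: field-trial handle {p['field_trial']} != {session}")
        # The IoC list is capped at 64 rows, so a child with no row is not
        # suspicious; a writer other than the browser process is.
        others = writers.get(pid, set()) - {bpid}
        if others:
            anomalies.append(f"pid {pid}: memory written by {sorted(others)}, not only the browser")
    return {"browser_pid": bpid, "url": parsed[bpid]["url"],
            "children": len(parsed) - 1, "anomalies": anomalies}


if __name__ == "__main__":
    print(triage(REPORT_PROCESSES, REPORT_WPM))
    print(triage(REPORT_PROCESSES + [ROGUE], REPORT_WPM)["anomalies"])
```

Run against the report's own rows, `triage` identifies PID 1372 as the browser, recovers the submitted URL from `--single-argument`, counts six children and reports no anomalies. Appending the constructed `ROGUE` row produces one finding (a renderer started from `C:\Users\Public`), and adding a constructed WriteProcessMemory row with writer 9999 against PID 4492 produces another, which is the kind of signal that would separate injection from the routine parent-to-child writes seen here.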
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 152B
MD5: f6f47b83c67fe32ee32811d6611d269c
SHA1: b32353d1d0ed26e0dd5b5f1f402ffd41a105d025
SHA256: ac1866f15ff34d1df4dafa761dbb7dc2c712fe01ac0e171706ef29e205549cbc
SHA512: 6ee068efa9fbd3c972169427be2f6377a1204bf99b61579e4d78643e89e729ad65f2abcc70007fd0dd38428e7cd39010a253d6f9cd5e90409e207ddaf5d6720d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 288B
MD5: 0bca557d1ee0720c930765daca779f47
SHA1: 22bbcd8e64ebd92c5cb9fbc04c273e9bb2fbd5db
SHA256: f4781ba1748aaec0f255e65c22bae006d6d8ae559609baa111eb46041f50a474
SHA512: 3aaae9a2348ce9d4fdd43b3e8091558c100419300b8b41d6a55af4f4d72026093f8222a08db56c05e7d8c1f5fac2a01b4ff095d1f730abba1f57b52b43a0d701

Filesize: 431B
MD5: 39903db6963b8ba1309d667129b67873
SHA1: 859d3853428f603961d5202799142e1f00ef6882
SHA256: b7b227ad192913119ea18ca2f825459443961e44c4be18ec1c112fd7adb39b08
SHA512: 758128724c50e2763479c5e902b5eb798a3ef1bcd85348c529ecbf241d1e4d052d91bc1d066f4943feee37498f2c38a9a3705426d1e7494f090c5d2b636dd37f

Filesize: 111B
MD5: 285252a2f6327d41eab203dc2f402c67
SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Filesize: 5KB
MD5: e083d8e95a10c9226128e1b3261b4f9f
SHA1: 63cef51231f7767784349b17ae35c3deac7c3820
SHA256: 8f6a3a472937619314fe663874831844bceebb54a64d79e1d1eb53b43ec15baa
SHA512: 755a7bac3bdcc95ad49adfef2d0cd72db28bfa08ae03edb4ee9a811bffc8d2b4eaff6b9d17818a75eb15eb5c91a390c8e237894fae33a9594a40cfb6df6e9cee

Filesize: 6KB
MD5: 7fcc68cb6de9d7c68c6bdec758473f00
SHA1: a1d13628bc42d7010bb9a3147c97ed7c3fe087eb
SHA256: 3279854de05aabe44ff4d93593ec9c9777974ecdb962c5209010463b91545e83
SHA512: 30736649c95ecbbf0b70ae3ce0d5248808ae77aaf2e47959519e07f0a7d0ee5ba764429d9be7debca02c45e650c89f9708e111cf58b5239561708615b8942cb7

Filesize: 24KB
MD5: 5544c64f2a8f49dabc19eb84267b1c9b
SHA1: c5b78d63a8bab1c7b985f7ea2f268d0d7809071e
SHA256: a1fcfee2974a77e76a7431a2069db301861ab42dd41769cead8697f41f5a497f
SHA512: 38c80d7c810441fc87beff38929473088cf426b0a25a30820d8a060f493350d99bb8521b314afe00578ea54648fce2aa4e55880a83a4f1048c56307991726565

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 12KB
MD5: 163851422b4272b9aef892a554dbf311
SHA1: effa8b6196af5c721e5938bae361269c45800bcd
SHA256: 9f47f01e17bf210d6778055214e71e3e2cd47f43bfbfb89c3aa13c24ad052e8e
SHA512: e40565b23b0c05cbe993988b36ece09c7a038b442227aa1c3e762caa62ef2a3845eae888cadc1c42fa326a1653de58da66f0bcac08971dbba206155d182f6146