hxxps://owlsnestresort-secondary[.]z1[.]web[.]core[.]windows[.]net/

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
16/08/2023, 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://owlsnestresort-secondary.z1.web.core.windows.net/

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3880	msedge.exe
3880	msedge.exe
1560	msedge.exe
1560	msedge.exe
4604	identity_helper.exe
4604	identity_helper.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 3752	1560	msedge.exe	74
PID 1560 wrote to memory of 3752	1560	msedge.exe	74
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 4344	1560	msedge.exe	82
PID 1560 wrote to memory of 3880	1560	msedge.exe	81
PID 1560 wrote to memory of 3880	1560	msedge.exe	81
PID 1560 wrote to memory of 2752	1560	msedge.exe	83
PID 1560 wrote to memory of 2752	1560	msedge.exe	83
PID 1560 wrote to memory of 2752	1560	msedge.exe	83
PID 1560 wrote to memory of 2752	1560	msedge.exe	83
PID 1560 wrote to memory of 2752	1560	msedge.exe	83
PID 1560 wrote to memory of 2752	1560	msedge.exe	83
PID 1560 wrote to memory of 2752	1560	msedge.exe	83
PID 1560 wrote to memory of 2752	1560	msedge.exe	83
PID 1560 wrote to memory of 2752	1560	msedge.exe	83
PID 1560 wrote to memory of 2752	1560	msedge.exe	83
PID 1560 wrote to memory of 2752	1560	msedge.exe	83
PID 1560 wrote to memory of 2752	1560	msedge.exe	83
PID 1560 wrote to memory of 2752	1560	msedge.exe	83
PID 1560 wrote to memory of 2752	1560	msedge.exe	83
PID 1560 wrote to memory of 2752	1560	msedge.exe	83
PID 1560 wrote to memory of 2752	1560	msedge.exe	83
PID 1560 wrote to memory of 2752	1560	msedge.exe	83
PID 1560 wrote to memory of 2752	1560	msedge.exe	83
PID 1560 wrote to memory of 2752	1560	msedge.exe	83
PID 1560 wrote to memory of 2752	1560	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://owlsnestresort-secondary.z1.web.core.windows.net/
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff3af746f8,0x7fff3af74708,0x7fff3af74718
  2⤵
  PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1836,10635709518945281971,3450082975628576612,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,10635709518945281971,3450082975628576612,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1836,10635709518945281971,3450082975628576612,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:2752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,10635709518945281971,3450082975628576612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,10635709518945281971,3450082975628576612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1836,10635709518945281971,3450082975628576612,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1836,10635709518945281971,3450082975628576612,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,10635709518945281971,3450082975628576612,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,10635709518945281971,3450082975628576612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,10635709518945281971,3450082975628576612,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,10635709518945281971,3450082975628576612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,10635709518945281971,3450082975628576612,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4728 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1820

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1120

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2484

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a7ad9bb1054aa03e39b3554833d0c3ec

SHA1
cbd5b99ca100bc2f1292df23bf8e2a5a6f9640d9

SHA256
0c3eae39386b4117ad26187afc4933e254468cd12d813271f4b7420cee73c189

SHA512
d1d0b77e0bc412b4ee687e849531a7c9b70200d45d0bdbf38357b6fc59af835522e749b2fd8c2d4cde73518970568c38d73416c97381a11cc6029c14b1678276

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
d9db8dcf305785c01513f0f49560f8e3

SHA1
43eba5f1802adb52d29cbb96e05bc4def92261b9

SHA256
61f2bd957bec85f80213959c94cbb09889a7ad3987e9892a2e3203375ef9781f

SHA512
837f3267220ddb6b140ebd9e8eafd93c92a4329566307bc47aeee9e062786f595bae25804908832f7ba0d2e97a04913172ece24013e9e4e47ad14c245d54c5c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
968B

MD5
0a343955e194795e7dc7983e0f8a6f30

SHA1
759c9e0e6fb6234c6b50b146f6d17591898d98a4

SHA256
dac6f693b269ed1879d99a4a2369eb20e3b16ddacaa39790a95461f7efe14f1b

SHA512
ff2dd987e33cf74128725294438bb57cd11bc0e1be87824a020f4b6d8924ac3c2eea4a07b90dc568c749851f615c8e258ee24324eddae2c29ee8ab575c662f4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
39daefae3fefb02b1f3a844caf23b793

SHA1
4071c076421bda83125f7def05c519a872afacf1

SHA256
ceb59a72d182be4bb4d82f21fb54702bffdcfacfc325326567282187ba09dfba

SHA512
437a981e26c2cd50e1805a75888426d9bee17863aed810f662244c74c76b64b3f3ee8901c548b900da6d6cf22ce599306be03b8319d93b39c46315b3e91d0c20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
32e7626fdf5ea21a226f8634680f720a

SHA1
f267a2b166eb1cbd2d8a08a58fde2c84b8483b29

SHA256
404cd657835e922695c4082a4eae47647ad6dc0da4d7c56b461557cf62410a0a

SHA512
561fdc6cfd2a16e8f3a1b1548bc608f0f2f8e2133fd999ade8ad7064fada9f06f5f6d218e72b433eac6b87f72f716a4419705d5665235ae38ed150c82bc5ae7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e62cc4051e1f8eaa0abda5d730a2496b

SHA1
d15346e40b196bc313cbfe5ac96b3c90b83345be

SHA256
ffb5b740b8777d010f0d32a120092084c3cd32eaceb937188d698ddc22df2fcb

SHA512
3e8f6d89c7c153177b2149d86cd8602ceafedf66f5335a86b19dfa46fc38c47f6ff9a272c3b71b4464a5921ebdf2461fba25692ca916b9715bac520bf1e81a22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
b3ded9ac8483b2c9ddf36e70c4da5345

SHA1
2b2b6d6d8fd51d36b020c8e9046b81380ae1e85c

SHA256
5e0e549bb9f206a1300ca1cfea7cd2c2ae9eb6d26f013c33682d0941836b0993

SHA512
8512f269e84cd8c79bf4509b5802344d21914e6f9215331aeec8bb40163e46caa449aa44a45d3f9d840047a9a1b35e48c469743fb300d5e6190277f5fb6deda0

Download Submit