hxxps://vekqi[.]pythonanywhere[.]com

Analysis

max time kernel
24s
max time network
26s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2023, 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://vekqi.pythonanywhere.com

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1498570331-2313266200-788959944-1000\{85DF9C71-5F72-4C0E-B323-34A914D87A8A}	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4164	msedge.exe
4164	msedge.exe
640	msedge.exe
640	msedge.exe
2460	identity_helper.exe
2460	identity_helper.exe
412	msedge.exe
412	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 792	640	msedge.exe	81
PID 640 wrote to memory of 792	640	msedge.exe	81
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4328	640	msedge.exe	85
PID 640 wrote to memory of 4164	640	msedge.exe	83
PID 640 wrote to memory of 4164	640	msedge.exe	83
PID 640 wrote to memory of 3212	640	msedge.exe	84
PID 640 wrote to memory of 3212	640	msedge.exe	84
PID 640 wrote to memory of 3212	640	msedge.exe	84
PID 640 wrote to memory of 3212	640	msedge.exe	84
PID 640 wrote to memory of 3212	640	msedge.exe	84
PID 640 wrote to memory of 3212	640	msedge.exe	84
PID 640 wrote to memory of 3212	640	msedge.exe	84
PID 640 wrote to memory of 3212	640	msedge.exe	84
PID 640 wrote to memory of 3212	640	msedge.exe	84
PID 640 wrote to memory of 3212	640	msedge.exe	84
PID 640 wrote to memory of 3212	640	msedge.exe	84
PID 640 wrote to memory of 3212	640	msedge.exe	84
PID 640 wrote to memory of 3212	640	msedge.exe	84
PID 640 wrote to memory of 3212	640	msedge.exe	84
PID 640 wrote to memory of 3212	640	msedge.exe	84
PID 640 wrote to memory of 3212	640	msedge.exe	84
PID 640 wrote to memory of 3212	640	msedge.exe	84
PID 640 wrote to memory of 3212	640	msedge.exe	84
PID 640 wrote to memory of 3212	640	msedge.exe	84
PID 640 wrote to memory of 3212	640	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://vekqi.pythonanywhere.com
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff873e446f8,0x7ff873e44708,0x7ff873e44718
  2⤵
  PID:792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,3299238841804480841,13513791252993857687,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,3299238841804480841,13513791252993857687,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
  2⤵
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,3299238841804480841,13513791252993857687,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3299238841804480841,13513791252993857687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3299238841804480841,13513791252993857687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3299238841804480841,13513791252993857687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,3299238841804480841,13513791252993857687,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,3299238841804480841,13513791252993857687,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3299238841804480841,13513791252993857687,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3299238841804480841,13513791252993857687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2076,3299238841804480841,13513791252993857687,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5712 /prefetch:8
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2076,3299238841804480841,13513791252993857687,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6020 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3299238841804480841,13513791252993857687,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3299238841804480841,13513791252993857687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
  2⤵
  PID:2916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8411007bafe7b1182af1ad3a1809b4f8

SHA1
4a78ee0762aadd53accae8bb211b8b18dc602070

SHA256
1f274d0d144942d00e43fb94f9c27fc91c68dce50cd374ac6be4472b08215ca3

SHA512
909e2e33b7614cb8bbd14e0dfff1b7f98f4abbf735f88292546ce3bfa665e4cb5ee4418561004e56afc5dd30d21483b05f6358dad5624c0dc3ab1ba9a3be18eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
31KB

MD5
4709c4f9967219e4f5f3daaf9721d51d

SHA1
10dc7726ebf51da76c9c0b973ec83e503cbe9f4f

SHA256
3354df802944fb4c9f54c707835e3f1db5aad1d59cda21556f3e82857ceaf9c4

SHA512
268bd2ed5d23a6498b5b1b40bd1a80b8ffbb4f59a84ca10e03d6017659643bb0354f5fb2fc7414b0e48b83650e8a3653048d0b90622366490a6bbbea07bee5f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9205cf299bb016bfd430ebf19dd597bd

SHA1
65e62e0b8477d45b4bd1bd09ca973df9bc193382

SHA256
14956e09523a4960253131eee343e9cdebd51774dee15639b7c780282c82f6c3

SHA512
1b6dcbca6c80df3e0df9789ca63b522ae0731c0e251d2e141f96faed65e56f913b9245b564012a3ad14e6df52820500992e1ea6639d7d3acfd14df4277c191d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e95acaf60d9ca99252b817a269d1e674

SHA1
af473b8debd74bfd820f32eb3a33f2566cefb671

SHA256
58e1a24ce11e98278b8de0820f18fff69aa4d3177754ed121397271d5fea0bbb

SHA512
0866acb42bb07f040833a8767a9071509e149896d238c20661cc320b2e931ca384e0cc68a540990c7ef31e4ba981314b8f7fb31afa8f9a949ea6ed40d19f3423

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
8caf4d73cc5a7d5e3fb3f9f1a9d4a0cc

SHA1
83f8586805286b716c70ddd14a2b7ec6a4d9d0fe

SHA256
0e0c905b688340512e84db6cf8af6dbdfe29195fefde15bd02e4917a2c5fda8c

SHA512
084ef25ea21ee1083735c61b758281ba84b607e42d0186c35c3700b24a176ada47bf2e76ed7dadd3846f2b458c977e83835ced01cda47cdd7ab2d00e5a1a294e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
537B

MD5
9a4422683540a3fad70950557f643ad6

SHA1
60d6e85abf9c2ba32a9920e39989edd9d464c4e1

SHA256
44c8ac8ebd52818681d1660fb6419a4c79f8d538627406c835d27ee647ab9337

SHA512
053f1429e0ff23d85ac8caf7e8dd30decc1e599128a97452dd9be69a461a3555948e45a9a9b600cfddb7e1a5ceedf4394d3c9171be7d9337844fe7317bf7846c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58b4d4.TMP

Filesize
370B

MD5
3b6f04e3f70e1e3aca123f1a077639f2

SHA1
2ef985821206b62a231d279639d14e161d3abcdd

SHA256
3987f1396c52091d41433685f031c9415d22731bc64e37d515f112defc98acd9

SHA512
5f8b3faf732a6320be0e72c94e2854bfbe50856f7a895541624fc50a7ac274b4fe5ba4083deb31e4ae8eccade65341bb8de5b887563ffd91d28bc4593b10c0bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
d34ca3171eeebf65b7f74cb31f6620ed

SHA1
4de6b8cb17677ab69f2263b48edf264485dd6355

SHA256
97bc6a04b674e19694b43e25bc1807577152b5b29d5cd67609d6fe026d195a91

SHA512
1756fd881aa09b693cdea867176fe7f0b5b8a70f640a934dfba56a3fa6aa919da45c3381e1e24361a037177b66ce48c31973f83e67a58868e0f37f2c499dbc3c

Download Submit