hxxps://f[.]fcert[.]co/fsend2/delta_f/varios/off/?id=aXZBTzloVTlqUkRkQVpzMnlHMDBFQT09&redirige=personal&proceso=geo&tipo=Ver_correo_explorador&url2=hxxps://f[.]fcert[.]co/fsend2/w/m/a/?chk=TVRJMk16SXdNak13T0RJeU9EZz1hNTBmNmRoNWFmTVRBd01qZzVPRE0wTmc9PQ==

Resubmissions

25/08/2023, 23:16

230825-29f1nahb4y 1

25/08/2023, 22:54

230825-2v13aafc63 1

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2023, 23:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://f.fcert.co/fsend2/delta_f/varios/off/?id=aXZBTzloVTlqUkRkQVpzMnlHMDBFQT09&redirige=personal&proceso=geo&tipo=Ver_correo_explorador&url2=https://f.fcert.co/fsend2/w/m/a/?chk=TVRJMk16SXdNak13T0RJeU9EZz1hNTBmNmRoNWFmTVRBd01qZzVPRE0wTmc9PQ==

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1108	msedge.exe
1108	msedge.exe
3556	msedge.exe
3556	msedge.exe
4400	identity_helper.exe
4400	identity_helper.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3556 wrote to memory of 4272	3556	msedge.exe	83
PID 3556 wrote to memory of 4272	3556	msedge.exe	83
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 2216	3556	msedge.exe	85
PID 3556 wrote to memory of 1108	3556	msedge.exe	84
PID 3556 wrote to memory of 1108	3556	msedge.exe	84
PID 3556 wrote to memory of 4988	3556	msedge.exe	86
PID 3556 wrote to memory of 4988	3556	msedge.exe	86
PID 3556 wrote to memory of 4988	3556	msedge.exe	86
PID 3556 wrote to memory of 4988	3556	msedge.exe	86
PID 3556 wrote to memory of 4988	3556	msedge.exe	86
PID 3556 wrote to memory of 4988	3556	msedge.exe	86
PID 3556 wrote to memory of 4988	3556	msedge.exe	86
PID 3556 wrote to memory of 4988	3556	msedge.exe	86
PID 3556 wrote to memory of 4988	3556	msedge.exe	86
PID 3556 wrote to memory of 4988	3556	msedge.exe	86
PID 3556 wrote to memory of 4988	3556	msedge.exe	86
PID 3556 wrote to memory of 4988	3556	msedge.exe	86
PID 3556 wrote to memory of 4988	3556	msedge.exe	86
PID 3556 wrote to memory of 4988	3556	msedge.exe	86
PID 3556 wrote to memory of 4988	3556	msedge.exe	86
PID 3556 wrote to memory of 4988	3556	msedge.exe	86
PID 3556 wrote to memory of 4988	3556	msedge.exe	86
PID 3556 wrote to memory of 4988	3556	msedge.exe	86
PID 3556 wrote to memory of 4988	3556	msedge.exe	86
PID 3556 wrote to memory of 4988	3556	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://f.fcert.co/fsend2/delta_f/varios/off/?id=aXZBTzloVTlqUkRkQVpzMnlHMDBFQT09&redirige=personal&proceso=geo&tipo=Ver_correo_explorador&url2=https://f.fcert.co/fsend2/w/m/a/?chk=TVRJMk16SXdNak13T0RJeU9EZz1hNTBmNmRoNWFmTVRBd01qZzVPRE0wTmc9PQ==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8a95d46f8,0x7ff8a95d4708,0x7ff8a95d4718
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,10718303953481793446,9592093993691777653,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,10718303953481793446,9592093993691777653,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,10718303953481793446,9592093993691777653,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10718303953481793446,9592093993691777653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10718303953481793446,9592093993691777653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:1788
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,10718303953481793446,9592093993691777653,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,10718303953481793446,9592093993691777653,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10718303953481793446,9592093993691777653,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
  2⤵
  PID:2204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10718303953481793446,9592093993691777653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10718303953481793446,9592093993691777653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10718303953481793446,9592093993691777653,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
  2⤵
  PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,10718303953481793446,9592093993691777653,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2876 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5088

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f6f47b83c67fe32ee32811d6611d269c

SHA1
b32353d1d0ed26e0dd5b5f1f402ffd41a105d025

SHA256
ac1866f15ff34d1df4dafa761dbb7dc2c712fe01ac0e171706ef29e205549cbc

SHA512
6ee068efa9fbd3c972169427be2f6377a1204bf99b61579e4d78643e89e729ad65f2abcc70007fd0dd38428e7cd39010a253d6f9cd5e90409e207ddaf5d6720d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
178B

MD5
ce16bfd13505da84885d0daa2c1279c6

SHA1
810bc492c8d619651ab453e80ff88c319ad5b580

SHA256
0f831529a4cc395b83c9d8779e76dc4853f264e34f09ced0fe5f116863d6f13b

SHA512
82a342dae14243eb81c0b80553c185c8d85cded2e71696f36a2701ff27b0b5ff36b3dffe8a5dca21ea7095e0a64e85bd3df522100f7888b98750e466ebdbb7f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
762285c3d9bcbebd85603f342e3ccd43

SHA1
82cc5cef75fd9837973c7be2ac4f1a7ce82ba095

SHA256
a7e4ff2baa29b0c953723177bae1b6e1974e7e2cca499fad5ee6b10fa635e200

SHA512
3aa5dac19a1ac937a028537340d6cd8353460878d85d8254df3214c9bfd05ad503ec160e84e1638e1b8acf90103aaa22d782e260998803d2e28b70f9ac70bbfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
17f1ccb85255333631553f746589b63b

SHA1
2b88bfe2b40efd352473eac967b72b51f2cc3f79

SHA256
f9935d9842c748e9361c5ed520ff1926dc8372761314716505859b14ee2c43cc

SHA512
af706ea5fe0d3774652e31905c2209fe50577ce825e723b54472f3462f704726551cb9cc6b3baa0f48d2683b3c85602757f60f34da38658dd87102a6010ce04d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cfd5671f14817ac8b2ac68716b44b817

SHA1
afda12db48346d19471f7aa8da701085424e5942

SHA256
5a7e0799acc34a1fe57b609b693e1601db60acec666de13bad19a2349c8fc6c0

SHA512
988a61619edff19a7364fc46c6791e574f17ee9b69745adef546c7cd7430af34a3cbf50c0b2e17b799fe36a55edb8fb52ee2a4e49bda5008be1c291f5f66d637

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
080cc2188d69bea16f91429acd41e3e0

SHA1
22564f316e6e66d178347b866cfeee973f7c7501

SHA256
3442747689592eaec876595191d337f3b3209722f265add7b862720bac8dd9ea

SHA512
35eefe3ca0654a03e4d29856515e58da2de387d4b96e44dd1432643f76056c9abc004abe3e3a6a1d9679f2b746a3708fd83d40a131f4facb7102e614afc709c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5544c64f2a8f49dabc19eb84267b1c9b

SHA1
c5b78d63a8bab1c7b985f7ea2f268d0d7809071e

SHA256
a1fcfee2974a77e76a7431a2069db301861ab42dd41769cead8697f41f5a497f

SHA512
38c80d7c810441fc87beff38929473088cf426b0a25a30820d8a060f493350d99bb8521b314afe00578ea54648fce2aa4e55880a83a4f1048c56307991726565

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e4333b65743223e22a3d4d20a373e766

SHA1
eaf83fda8c43ac9b27cc05e20845c81645628768

SHA256
7113fa88f6f963f20968a716f7d9a31786777fc97b687408c1dbdb32e9650633

SHA512
0c8342283e32b8fd3b8eff2401eb18b5a38ed7ec89a35ec81b6e826d6748775ce27019809bbf59aaa31598c1898f7a0ec767a954aee7a96948a1262d64d3ab12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
52cb91908a4a4cd69e097782eea7bbbb

SHA1
f25ac3f814084768b12f00935d1df06c359d5d3c

SHA256
4aca6a38bff76bf6f91b0e63d1eb6cfa6542ea382d68ac865cb70c341c30bfcc

SHA512
1e9f3f89a514feba7db95f6032d5326b8ea198f6cd2bed32c130d490514b1818a817eb5a6c14f25668a3d88f09bea62f9a1ab706e2a07e26e9225f6ecdc68084

Download Submit