hxxps://239917rdirct9927ebeb002872023[.]sieraddns[.]com/

Analysis

max time kernel
149s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230824-en
resource tags

arch:x64arch:x86image:win10v2004-20230824-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2023, 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://239917rdirct9927ebeb002872023.sieraddns.com/

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
5072	msedge.exe
5072	msedge.exe
2080	msedge.exe
2080	msedge.exe
944	identity_helper.exe
944	identity_helper.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 4720	2080	msedge.exe	82
PID 2080 wrote to memory of 4720	2080	msedge.exe	82
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 2064	2080	msedge.exe	83
PID 2080 wrote to memory of 5072	2080	msedge.exe	84
PID 2080 wrote to memory of 5072	2080	msedge.exe	84
PID 2080 wrote to memory of 3672	2080	msedge.exe	85
PID 2080 wrote to memory of 3672	2080	msedge.exe	85
PID 2080 wrote to memory of 3672	2080	msedge.exe	85
PID 2080 wrote to memory of 3672	2080	msedge.exe	85
PID 2080 wrote to memory of 3672	2080	msedge.exe	85
PID 2080 wrote to memory of 3672	2080	msedge.exe	85
PID 2080 wrote to memory of 3672	2080	msedge.exe	85
PID 2080 wrote to memory of 3672	2080	msedge.exe	85
PID 2080 wrote to memory of 3672	2080	msedge.exe	85
PID 2080 wrote to memory of 3672	2080	msedge.exe	85
PID 2080 wrote to memory of 3672	2080	msedge.exe	85
PID 2080 wrote to memory of 3672	2080	msedge.exe	85
PID 2080 wrote to memory of 3672	2080	msedge.exe	85
PID 2080 wrote to memory of 3672	2080	msedge.exe	85
PID 2080 wrote to memory of 3672	2080	msedge.exe	85
PID 2080 wrote to memory of 3672	2080	msedge.exe	85
PID 2080 wrote to memory of 3672	2080	msedge.exe	85
PID 2080 wrote to memory of 3672	2080	msedge.exe	85
PID 2080 wrote to memory of 3672	2080	msedge.exe	85
PID 2080 wrote to memory of 3672	2080	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://239917rdirct9927ebeb002872023.sieraddns.com/
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa7ef346f8,0x7ffa7ef34708,0x7ffa7ef34718
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,9616608641572405164,7461966913991124137,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2036 /prefetch:2
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,9616608641572405164,7461966913991124137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,9616608641572405164,7461966913991124137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3160 /prefetch:8
  2⤵
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,9616608641572405164,7461966913991124137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
  2⤵
  PID:4184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,9616608641572405164,7461966913991124137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,9616608641572405164,7461966913991124137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2756 /prefetch:1
  2⤵
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,9616608641572405164,7461966913991124137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2772 /prefetch:1
  2⤵
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,9616608641572405164,7461966913991124137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
  2⤵
  PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,9616608641572405164,7461966913991124137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1968 /prefetch:8
  2⤵
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,9616608641572405164,7461966913991124137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1968 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,9616608641572405164,7461966913991124137,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
  2⤵
  PID:1844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,9616608641572405164,7461966913991124137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,9616608641572405164,7461966913991124137,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:3288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,9616608641572405164,7461966913991124137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2132 /prefetch:1
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,9616608641572405164,7461966913991124137,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2864 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4304

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3408

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3590c7788f1f36717cbd298007259a6f

SHA1
9e9a602016435a1d642e18a54d8d6589f938a5bb

SHA256
09a08de2fcd19e304c3b8f6e04f5e4da257a3f18759827be4e9c6af862412174

SHA512
07df3ee7e2d4a313c996c6b8451450556a75e5ac8e4d10595f255164fdd25d6bc596ad579d90f6496c78a15a3c6fc349d748dd7c5f4b2b51d330c52577e2988a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
433370524eb7705a2638c4476abb8bab

SHA1
2cabd06021982dfaf99b53f07329e40f97524f22

SHA256
2401c0f4a08490480ea1baa2304ed8ea491e2ad418f02005121a7ae9a6ca0f7d

SHA512
a20ff0bb0bc6e4b74e796ec85c86d9a18a53a9d5826b4c1d828a54aa1abff93b92f4b7c8a5377a76eff72eea34272ce2b4d7943c98e57a8a32d0acc1a0647801

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
487B

MD5
4ca0e95a31a8962f77da9040a293754c

SHA1
5eace88ffeae093ef3057874f8a43386e07d19ed

SHA256
561257b90ee4f1755a0ead5a19e92de0daf6fb306d93862bd21e6ab2995fa33d

SHA512
7b30323e0c226a5038a32f05ce1bdf3e4cdc3fb2b429723a641f9a7ca4bd46691605f79ad6d703445b1c20d362d8e4a6d5db370faee446ca319e3cefb98a2542

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7b39e072290914c5598f92fb52ebf3d5

SHA1
1166914a9e561732271306f05c9f7f9fde4dc0a7

SHA256
337c0a25be528eaaf336ba96f60491e867f9aeb9176a5321fd734fb1be03c2ad

SHA512
1087665442391f4dbea1a3f2700d8cce2b03295ac2231a16fa9567bafec1259a9f07268d6f54e08a54fdbb00ca284f48ab0343949357b09dfd054fdcc53cf6d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9811c8bb0a34fc6b07814a1635a53c5b

SHA1
7f3c7edd2ba09df3efa5facb75f6175073c5076b

SHA256
c43d00f120fd13fdad43955b7f6b0b09bdf0bf6d07c58f387d1a4e8cef6fd0a5

SHA512
cccd75e52dbf6df7bd26b6ea7c3970668fbd3e938878d18469741406726ab024b8b4f95caf7af0e125b407dcde6692967b5d5c45964abd6d919326ef648d639d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
a128973ca2ca245299ef7e60156b4ef8

SHA1
d39a437204591bbff98d673e6d1c4f869683ebcc

SHA256
5c6e1f3c7213460c24dc670521adbe32ec76df5e3facc0a7b92a3fa9e340b302

SHA512
bbbdbe2fae61c2a27b4aadfbda2efae2675156dcea6edb8b45fbe83f397f8a1f50d694d8bcd1f53939a277722baf102f3f80caffadfcf0ca80d7408d77d8c490

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
db058f8e40e0b861dfe71594d9c46d31

SHA1
e426336d692fa78ffad3320d20cd368501e4e0a0

SHA256
c7b3f5399747de9287b05303c4b66150b529ffa67f0c6d920645218df1189eb6

SHA512
88d9fcc09f00b3810fdf1a9af5c6050bb8301bb86c230dd5971ca7dbab273c8ff144109d55eb682d18632843d83238f3bf38db3f3cbdceddc5288a68b692c0ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e40b3a3918f6ac4a0e94d9b5c9e477e2

SHA1
9518e5040cb6713b84898e6641359ea27d9322d1

SHA256
2bebf4ddf6e36826c28319e50fb7633017e30fd3d8683b3b6a540a61265d52fe

SHA512
bc79a5881a08016743853c0d9bbcf896855b356a2da443411091be231c02d64d5875a4c56aa35401bf469cdef67a09b3c81c4798c3adfef532863e4b67e8a563

Download Submit