hxxps://tax-control[.]info/secure-login

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230824-en
resource tags

arch:x64arch:x86image:win10v2004-20230824-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2023 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://tax-control.info/secure-login

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3088	msedge.exe
3088	msedge.exe
2228	msedge.exe
2228	msedge.exe
4980	identity_helper.exe
4980	identity_helper.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3088 wrote to memory of 5096	3088	msedge.exe	84
PID 3088 wrote to memory of 5096	3088	msedge.exe	84
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 1136	3088	msedge.exe	85
PID 3088 wrote to memory of 2228	3088	msedge.exe	86
PID 3088 wrote to memory of 2228	3088	msedge.exe	86
PID 3088 wrote to memory of 1204	3088	msedge.exe	87
PID 3088 wrote to memory of 1204	3088	msedge.exe	87
PID 3088 wrote to memory of 1204	3088	msedge.exe	87
PID 3088 wrote to memory of 1204	3088	msedge.exe	87
PID 3088 wrote to memory of 1204	3088	msedge.exe	87
PID 3088 wrote to memory of 1204	3088	msedge.exe	87
PID 3088 wrote to memory of 1204	3088	msedge.exe	87
PID 3088 wrote to memory of 1204	3088	msedge.exe	87
PID 3088 wrote to memory of 1204	3088	msedge.exe	87
PID 3088 wrote to memory of 1204	3088	msedge.exe	87
PID 3088 wrote to memory of 1204	3088	msedge.exe	87
PID 3088 wrote to memory of 1204	3088	msedge.exe	87
PID 3088 wrote to memory of 1204	3088	msedge.exe	87
PID 3088 wrote to memory of 1204	3088	msedge.exe	87
PID 3088 wrote to memory of 1204	3088	msedge.exe	87
PID 3088 wrote to memory of 1204	3088	msedge.exe	87
PID 3088 wrote to memory of 1204	3088	msedge.exe	87
PID 3088 wrote to memory of 1204	3088	msedge.exe	87
PID 3088 wrote to memory of 1204	3088	msedge.exe	87
PID 3088 wrote to memory of 1204	3088	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://tax-control.info/secure-login
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa533e46f8,0x7ffa533e4708,0x7ffa533e4718
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,9974833737829807211,17763890683809499306,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,9974833737829807211,17763890683809499306,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,9974833737829807211,17763890683809499306,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
  2⤵
  PID:1204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9974833737829807211,17763890683809499306,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:1748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9974833737829807211,17763890683809499306,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9974833737829807211,17763890683809499306,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4240 /prefetch:1
  2⤵
  PID:1708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9974833737829807211,17763890683809499306,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,9974833737829807211,17763890683809499306,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 /prefetch:8
  2⤵
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,9974833737829807211,17763890683809499306,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9974833737829807211,17763890683809499306,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9974833737829807211,17763890683809499306,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
  2⤵
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9974833737829807211,17763890683809499306,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9974833737829807211,17763890683809499306,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:2248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9974833737829807211,17763890683809499306,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1404 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9974833737829807211,17763890683809499306,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,9974833737829807211,17763890683809499306,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5872 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4420

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3590c7788f1f36717cbd298007259a6f

SHA1
9e9a602016435a1d642e18a54d8d6589f938a5bb

SHA256
09a08de2fcd19e304c3b8f6e04f5e4da257a3f18759827be4e9c6af862412174

SHA512
07df3ee7e2d4a313c996c6b8451450556a75e5ac8e4d10595f255164fdd25d6bc596ad579d90f6496c78a15a3c6fc349d748dd7c5f4b2b51d330c52577e2988a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
34cbcc38ded53eec816fb1e7d822c174

SHA1
5f46f8858ecdbca5f4c9de8bc4b8f3ae8957ea89

SHA256
acff00c8ea7ee9751b5f79d26a03868d7dceaa26946d7398abe57ea370af1fa8

SHA512
173c72ec8c61f5081c768416bebcc54517364d4563fd2f4df80404d06bfe5b37783b41a632dd8941c384611a55d66e1a2761f8828b0957090204d10268883f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
41df0457a4a747652ab4f0a098870564

SHA1
962b7584b9f6e323c2fe5c520fd4514f134a3b57

SHA256
4156ce2e690498fc5db990fbf379a4e5744918e20b64d66b75f54babaf487210

SHA512
62900e0067227acd0d2e3ef0a470fd0e380a2db58c5a7a8b3330e210f4169fd3859887980eb36b8718a6f77ce6c8acc7f8d3d9e38990426838b6c210c88a8c03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
a128973ca2ca245299ef7e60156b4ef8

SHA1
d39a437204591bbff98d673e6d1c4f869683ebcc

SHA256
5c6e1f3c7213460c24dc670521adbe32ec76df5e3facc0a7b92a3fa9e340b302

SHA512
bbbdbe2fae61c2a27b4aadfbda2efae2675156dcea6edb8b45fbe83f397f8a1f50d694d8bcd1f53939a277722baf102f3f80caffadfcf0ca80d7408d77d8c490

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fd77d162b36568c117e4c593822c4203

SHA1
b7b615b9f9bb1ce6b701be3b95cf317b97ca9d0e

SHA256
13b1ac9ff3d7b239301a7e0ce01b3e4e5e30e33f70b6d792f04c60b3cd89d0d4

SHA512
c805746ad41a4d61e1e18bccbe92fda2c3f78e36cb813084346da3125b30427c57765782acd8d1a456137554858d39a4aae7178d473a0ad4729cd017cec873d5

Download Submit