hxxp://m[.]worldxcup[.]com

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
03-09-2023 04:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://m.worldxcup.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1808	msedge.exe
1808	msedge.exe
3604	msedge.exe
3604	msedge.exe
3588	identity_helper.exe
3588	identity_helper.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 4560	3604	msedge.exe	84
PID 3604 wrote to memory of 4560	3604	msedge.exe	84
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 1808	3604	msedge.exe	85
PID 3604 wrote to memory of 1808	3604	msedge.exe	85
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://m.worldxcup.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff2c1046f8,0x7fff2c104708,0x7fff2c104718
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,4373818184217673097,3163496319326887768,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,4373818184217673097,3163496319326887768,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,4373818184217673097,3163496319326887768,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
  2⤵
  PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4373818184217673097,3163496319326887768,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4373818184217673097,3163496319326887768,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4373818184217673097,3163496319326887768,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4412 /prefetch:1
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,4373818184217673097,3163496319326887768,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,4373818184217673097,3163496319326887768,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4373818184217673097,3163496319326887768,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4373818184217673097,3163496319326887768,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4373818184217673097,3163496319326887768,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4373818184217673097,3163496319326887768,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4480 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,4373818184217673097,3163496319326887768,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3172 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4d686809520430031d6ecf2c8de5f735

SHA1
64e3932e857e1b34077e1b7793f40ad35abaf6b8

SHA256
c5f61a0a6d91e818e9ada3e527de4a5975767d6425823b33ea107cec0c99874b

SHA512
8a5adfc8d90f0752672879cf18f55be8e80e36e2a7bdf281ee3967f9953413dc31c33a0b52ada169c3f628896a28caba1769d8d33874903260ad6c8d5a925e36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
c88495b27bb47b2aa8164f400c150876

SHA1
176aa5e1b846dc11e34c8f0083c3a3bdebf90f16

SHA256
4269afceef7bab7fd0ca9229697a8eef3cafb287fef2f7a1e921ba1850878c09

SHA512
87cd2ec65c950c318fd0ebf03230a0c7ad417769471ece74c83ff35b781fbd4c9e71aedeb65f0d92ec28e7dba05d2e8f9e0b5cc67805fe7fbc34817e09de867a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
804B

MD5
4b900760b4c340c52bfee1990201296c

SHA1
ac06b049cccfa2894b68442344466e918c9ee48b

SHA256
0431c667c31a0bc6d6857a174d5112c8f2adf37729dbe72fc3425ef6949eeec6

SHA512
9bc7755006ad471c9537a978b91224f4501ba7128adbe7b4bb97427ba57f3c3bc11633ac143c0c9101a764f119d5a0bea06e79c20a9268df33daac6e0c0a5d3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1731aaa8fc3b1572fe38970d5aa32874

SHA1
96714d88b0ad394b41a516d07d9e6221e84586f6

SHA256
2387a28fcff4f34af46b260a4df00ef10fe3e91262a86512aa5abbce2860b1ce

SHA512
8e781cda56b6aede694a876463b0fb3e5964edc41efbc3e2829af2ebf5fa0599c365d29267c5f757b32604e522f58cc1d51f843f015be7dcec67627bc794f245

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5ba99267faaecb534342a23edff7d96d

SHA1
346515569af6a42405d751926ee6299e7ff6d5f8

SHA256
594bc5c58da0f7cca39b63ab1436f0ebac2bf1d057b9c26d80eb2430e31fa388

SHA512
0b04fe51b1b45b1c0e62b8803d1eb27f9cbaf034122404a48c7e1e97b9f053784fff689253668acf1c860b61b641c6746022dc6d2d617f4157ecb20025f628c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
0ea195b890a87594deb9c6aa963c1426

SHA1
4065f3fe0b70940a968f2ca342bac336be048082

SHA256
c51961b927f80537702a7ff5f77501c1e088cbfcc22199675400ea88876f4ef9

SHA512
59ae3e1e530b5c081089ee615fb5d227a1964068bcda421de1319e958438353bbed8ca275897deb097a564a6a60400e1faf6c3e1aa5764d1fbba15bdc1d9ddf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
200ea27b01cd199b370612b82e0b2ed9

SHA1
aad956bd4fea2863d6369172c1ede43736110308

SHA256
1322b18dc900a605aeb34c5d548dd93dfe5182f663039dc43229da7ee0cc97d5

SHA512
7320f92f88204099cb0ab275868f4061f2fc820a2aa20cc6cb2e972ee59ad317e28689a7f1b58331397fb99daa39c4d5b089ec89f0ea7edfc1e13d7597cd4ace

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3de23d7d9e1d93a8342dd709f0fd3c56

SHA1
1d4f66393f13b7cec34346b2505a103460f5c469

SHA256
dd29c802263ae31674d7d6db4ccb38fdf989c4a956f82b71d738f06055375a61

SHA512
486ee66c2eeafa0c535bf1a720bbbe4721414f89e36d5d68ad41583bbf8ed58cc000113689b2702d0a5bf75ca5ec29fadb42751ce47830489e719c29e3ba92ff

Download Submit