hxxps://afimalls[.]com/

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
04/09/2023, 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://afimalls.com/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4340	msedge.exe
4340	msedge.exe
1760	msedge.exe
1760	msedge.exe
1596	identity_helper.exe
1596	identity_helper.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 4100	1760	msedge.exe	68
PID 1760 wrote to memory of 4100	1760	msedge.exe	68
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 2724	1760	msedge.exe	86
PID 1760 wrote to memory of 4340	1760	msedge.exe	85
PID 1760 wrote to memory of 4340	1760	msedge.exe	85
PID 1760 wrote to memory of 3460	1760	msedge.exe	87
PID 1760 wrote to memory of 3460	1760	msedge.exe	87
PID 1760 wrote to memory of 3460	1760	msedge.exe	87
PID 1760 wrote to memory of 3460	1760	msedge.exe	87
PID 1760 wrote to memory of 3460	1760	msedge.exe	87
PID 1760 wrote to memory of 3460	1760	msedge.exe	87
PID 1760 wrote to memory of 3460	1760	msedge.exe	87
PID 1760 wrote to memory of 3460	1760	msedge.exe	87
PID 1760 wrote to memory of 3460	1760	msedge.exe	87
PID 1760 wrote to memory of 3460	1760	msedge.exe	87
PID 1760 wrote to memory of 3460	1760	msedge.exe	87
PID 1760 wrote to memory of 3460	1760	msedge.exe	87
PID 1760 wrote to memory of 3460	1760	msedge.exe	87
PID 1760 wrote to memory of 3460	1760	msedge.exe	87
PID 1760 wrote to memory of 3460	1760	msedge.exe	87
PID 1760 wrote to memory of 3460	1760	msedge.exe	87
PID 1760 wrote to memory of 3460	1760	msedge.exe	87
PID 1760 wrote to memory of 3460	1760	msedge.exe	87
PID 1760 wrote to memory of 3460	1760	msedge.exe	87
PID 1760 wrote to memory of 3460	1760	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://afimalls.com/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcf9c346f8,0x7ffcf9c34708,0x7ffcf9c34718
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,1327800486325649882,11065745219244116319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,1327800486325649882,11065745219244116319,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,1327800486325649882,11065745219244116319,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
  2⤵
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1327800486325649882,11065745219244116319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1327800486325649882,11065745219244116319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,1327800486325649882,11065745219244116319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8
  2⤵
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,1327800486325649882,11065745219244116319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1327800486325649882,11065745219244116319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1327800486325649882,11065745219244116319,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1327800486325649882,11065745219244116319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1327800486325649882,11065745219244116319,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:2580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,1327800486325649882,11065745219244116319,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2856

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f7e75a88fe92d5147528c475c6908243

SHA1
7831682352cfdb17da7174cea8674e61e6fe7ff6

SHA256
4faebaa12ccf24466cb17632b61174043ca23e183a44b29e9e3f6cfc2ce3192d

SHA512
f210c56502e232b9e9b47c13eeb941a2ae7ee5b7b27742902172935e8986b23292151f21dd2d930d384b4dc74af032297b36947d1f8251ce5208cbdf93a56ff6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
cac334a0675c4e04aaeffec03ad1c411

SHA1
a95390dbbd9eb579e1c5a45540893cd4febc2163

SHA256
11f060bd367f76856a2ad3129e46c503f584768941e5ad683cbc1209a58d079a

SHA512
34818649882c0e134c830cba97ae01405cbd885c7522845efab0c12a381888969f95252169585414b17ab724d3b7def3c277912317ca412c1ee233a7e318051b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
470B

MD5
a528d47d24630619404631efe2000b6c

SHA1
ac2dac87d7058e2de1ea7dc0fe6b042978b0bb24

SHA256
b859b7b0acc25c61abdfa73c15b329a2e1b77305aebdb399362a4f2361ec8e18

SHA512
e3e84e1adb9f95049139f45d8a55155abaaff5895fd29b5d06562dac93068c40ea1a1369b3eefec3c91716a0366b540f7b206aa26e42aeebd4781eb737d816ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
786b961f6bc64804a3c291485ae589c5

SHA1
e9522874be8cf473018577f5509c978db095387b

SHA256
fed8ae9aafc83b28d865ac110b28033295afb005763404ac60e94bbd61b61bca

SHA512
6ac408e71087b4b67f7e1481492f4a51d995852a84b072ea523441add22eb625b6f0d05930eec063385fc8e80a910fe27395f5c9c3bd52b1e00386ffc2216945

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5e49c379657d030f30a2bcfdf2076050

SHA1
aed66d56fe850186ee4ebdfd98f122c7f847c430

SHA256
299378ee7779ebeef4501c7e2490591db0c48a2f2645c0bb44bd7056ac019a60

SHA512
7fb4b2affb1b0025e37925bdc84e272e906b42bd6d3bb0e42fcde20a3b9e27000a5241ac0d787435eb87f41588d16fe2b6808267ea49612eecbf39c4b29d3047

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
88d76733cde18621ed7567c0cfda2ab7

SHA1
41859bb156cfd94dbd7bd185567df2a9a5479998

SHA256
17a4767dee231bad758aa0b51bd7b7d8e6201c936e5b58aa76bbe5275c0c89cb

SHA512
e6555a48831412daf4af0a0039b47611428984d22ab0f851c62e68dfc9f91546542d0d68c759a988cc997b0fb1998e7aec10fa918869ed15742bfc4899f72f0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fafbeda0fa541f6889ae99fd6837fabe

SHA1
dc66b4b25acb19b03702f4a21b017cd3247dac22

SHA256
addce110d1aca689dddef9d5dff5174538622e20773d5d9a1b2b2b06d74b6a49

SHA512
19dc0afdeefc68e496f6f427698e499b3497b2d568cb3939aa738c3f8ee58403e53c7da48dccb21f4410c9694f5cb53a6c07b9c09b7d33d098c38e69db7a7807

Download Submit