hxxp://nonstoplameefficiency[.]banortemxin[.]repl[.]co/

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
17/09/2023, 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://nonstoplameefficiency.banortemxin.repl.co/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1236	msedge.exe
1236	msedge.exe
1116	msedge.exe
1116	msedge.exe
4928	identity_helper.exe
4928	identity_helper.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 2464	1236	msedge.exe	29
PID 1236 wrote to memory of 2464	1236	msedge.exe	29
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 2128	1236	msedge.exe	87
PID 1236 wrote to memory of 1116	1236	msedge.exe	86
PID 1236 wrote to memory of 1116	1236	msedge.exe	86
PID 1236 wrote to memory of 4352	1236	msedge.exe	88
PID 1236 wrote to memory of 4352	1236	msedge.exe	88
PID 1236 wrote to memory of 4352	1236	msedge.exe	88
PID 1236 wrote to memory of 4352	1236	msedge.exe	88
PID 1236 wrote to memory of 4352	1236	msedge.exe	88
PID 1236 wrote to memory of 4352	1236	msedge.exe	88
PID 1236 wrote to memory of 4352	1236	msedge.exe	88
PID 1236 wrote to memory of 4352	1236	msedge.exe	88
PID 1236 wrote to memory of 4352	1236	msedge.exe	88
PID 1236 wrote to memory of 4352	1236	msedge.exe	88
PID 1236 wrote to memory of 4352	1236	msedge.exe	88
PID 1236 wrote to memory of 4352	1236	msedge.exe	88
PID 1236 wrote to memory of 4352	1236	msedge.exe	88
PID 1236 wrote to memory of 4352	1236	msedge.exe	88
PID 1236 wrote to memory of 4352	1236	msedge.exe	88
PID 1236 wrote to memory of 4352	1236	msedge.exe	88
PID 1236 wrote to memory of 4352	1236	msedge.exe	88
PID 1236 wrote to memory of 4352	1236	msedge.exe	88
PID 1236 wrote to memory of 4352	1236	msedge.exe	88
PID 1236 wrote to memory of 4352	1236	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://nonstoplameefficiency.banortemxin.repl.co/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa63f946f8,0x7ffa63f94708,0x7ffa63f94718
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,11796607726285331833,4384225216303512248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,11796607726285331833,4384225216303512248,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:2128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,11796607726285331833,4384225216303512248,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11796607726285331833,4384225216303512248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:2644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11796607726285331833,4384225216303512248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11796607726285331833,4384225216303512248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:2652
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,11796607726285331833,4384225216303512248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,11796607726285331833,4384225216303512248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11796607726285331833,4384225216303512248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11796607726285331833,4384225216303512248,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:3428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11796607726285331833,4384225216303512248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:3380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11796607726285331833,4384225216303512248,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:1060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,11796607726285331833,4384225216303512248,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4892 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1144

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bf009481892dd0d1c49db97428428ede

SHA1
aee4e7e213f6332c1629a701b42335eb1a035c66

SHA256
18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4

SHA512
d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
209B

MD5
b79e3d551d219ebef87f107b1bd639f8

SHA1
6e77069b734ee785f95640eb62437387509b22a7

SHA256
063ca7e45c4055f89cd9b79229dbdd36419c15218674f22f9e287bc971036de1

SHA512
4e05811e6c396c22934e0e59688015f90c84eb009c33030d72f48c0911d528db3289b81758e284e40d9b89781c65f2d092bc009bf013db629d0fb6dfd7f48308

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c9dd055022dd028c4e274679726f3a10

SHA1
a3085ab6a20703ca6a5c9f86e7c481bef8076ea3

SHA256
71336cf4438a163b324f6be7b8e22823ab34936e76ffa0cdebb4a03468ed9347

SHA512
a8d96e89e2c593f90bfe79cd068f6a696bfecfee79c5b5e0a81c2cc84f6d30709af2b70aa6d3a2cf59006f463edcd0f0aaefb46c6713a19f040f865cc4e17be6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
72fb2f82dd4a2304b0d798cecc84998f

SHA1
71f0f01b7ed42def37659917ee9119dd8185f246

SHA256
862dbe417739951a1e567dfe2b502d820416e54a11be474dfafd96203162d6cf

SHA512
03c1a35ab54c9e0caff9a8f8a48cc32b9dd56dde30959f72ffb6922660eda49bda741878ef5bf6b2cdca4f49edd1f1423530b7ebfebc042c787fd347e45f6bee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
25ac77f8c7c7b76b93c8346e41b89a95

SHA1
5a8f769162bab0a75b1014fb8b94f9bb1fb7970a

SHA256
8ad26364375358eac8238a730ef826749677c62d709003d84e758f0e7478cc4b

SHA512
df64a3593882972f3b10c997b118087c97a7fa684cd722624d7f5fb41d645c605d59a89eccf7518570ff9e73b4310432c4bb5864ee58e78c0743c0c1606853a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
de1f53aae1cdc80770889730ebfa4e7a

SHA1
db6c1d96b8fe97912d0c5e59b5f2e4bf4fc87c53

SHA256
c533659674c97d7396ddf7b9dbd87894705a6931ae5f54f9cb79d792129392ec

SHA512
64660f9ba215ccd65207107c00c8e01a258fe7ec99f063f0e119f1ac6f70cdf46e4be4eceec4315f2c52e6065053af313c7e070da07afaed6dcb3e5121bbb849

Download Submit