hxxps://posts-lu[.]top/

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
18/09/2023, 12:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://posts-lu.top/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2360	msedge.exe
2360	msedge.exe
876	msedge.exe
876	msedge.exe
1632	identity_helper.exe
1632	identity_helper.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 3388	876	msedge.exe	60
PID 876 wrote to memory of 3388	876	msedge.exe	60
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 4036	876	msedge.exe	86
PID 876 wrote to memory of 2360	876	msedge.exe	85
PID 876 wrote to memory of 2360	876	msedge.exe	85
PID 876 wrote to memory of 1908	876	msedge.exe	87
PID 876 wrote to memory of 1908	876	msedge.exe	87
PID 876 wrote to memory of 1908	876	msedge.exe	87
PID 876 wrote to memory of 1908	876	msedge.exe	87
PID 876 wrote to memory of 1908	876	msedge.exe	87
PID 876 wrote to memory of 1908	876	msedge.exe	87
PID 876 wrote to memory of 1908	876	msedge.exe	87
PID 876 wrote to memory of 1908	876	msedge.exe	87
PID 876 wrote to memory of 1908	876	msedge.exe	87
PID 876 wrote to memory of 1908	876	msedge.exe	87
PID 876 wrote to memory of 1908	876	msedge.exe	87
PID 876 wrote to memory of 1908	876	msedge.exe	87
PID 876 wrote to memory of 1908	876	msedge.exe	87
PID 876 wrote to memory of 1908	876	msedge.exe	87
PID 876 wrote to memory of 1908	876	msedge.exe	87
PID 876 wrote to memory of 1908	876	msedge.exe	87
PID 876 wrote to memory of 1908	876	msedge.exe	87
PID 876 wrote to memory of 1908	876	msedge.exe	87
PID 876 wrote to memory of 1908	876	msedge.exe	87
PID 876 wrote to memory of 1908	876	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://posts-lu.top/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8c2646f8,0x7ffa8c264708,0x7ffa8c264718
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,11306419876018855385,15999298784659216773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,11306419876018855385,15999298784659216773,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,11306419876018855385,15999298784659216773,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
  2⤵
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,11306419876018855385,15999298784659216773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,11306419876018855385,15999298784659216773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,11306419876018855385,15999298784659216773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,11306419876018855385,15999298784659216773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:2524
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,11306419876018855385,15999298784659216773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,11306419876018855385,15999298784659216773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,11306419876018855385,15999298784659216773,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,11306419876018855385,15999298784659216773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
  2⤵
  PID:1252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,11306419876018855385,15999298784659216773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:1300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,11306419876018855385,15999298784659216773,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,11306419876018855385,15999298784659216773,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1264 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4832

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1222f8c867acd00b1fc43a44dacce158

SHA1
586ba251caf62b5012a03db9ba3a70890fc5af01

SHA256
1e451cb9ffe74fbd34091a1b8d0ab2158497c19047b3416d89e55f498aae264a

SHA512
ef3f2fc1cedfc28fb530c710219b8e9eb833a2f344b91d3ffb2d82d7bbedbc223f4b60a38bea35b72eb706e4880ffcbb9256a9768f39bae95c5544be0f503916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
475991ba0963039250358d9ea0cf1487

SHA1
f5ebe5faf9f4f1c41c69145f7b7f37b507bbee24

SHA256
5a4674fea6d8f25350b4922a99558299009b00b8256c7dbe4bbebe4248e1c0eb

SHA512
3756c871f318707a33bb643afb0bc2e11dcfda0e93bf17f599e45cebeb6ff1ecdc431e4ac4585bfbff6cc3bc1641b37b796b7d5fd8de5836504e56a0c9e8fc52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
d4dcdaaed897126aee8c6655e68e4552

SHA1
784d3fc53a88f7efeb3c6f86ce4ae0b81b435fa6

SHA256
799bf0e2597c13543cde4ad7d4ce42451af9f0a6dcfffefddb0dc273c0e8bf0a

SHA512
421112c0e42eb400f890d380e54b9639bbdfb7fe579e434ef4288b9369bf5a4de1a1d13f146c09f5fdb455cd41815f13291a7a3c715aa5905751c587b7ee6430

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
05a91e71be791229d2054e85de8f4867

SHA1
1af594881940e3066b02cc5315443c9f8cd187f7

SHA256
f8b4f97407212e04ecc7522383023cfbac6f754f96ebde729a116c193f74b331

SHA512
e0173d88af8d10969340a4fa64c8a2b99c9bf69828e2c578dd21bf2e714f7ac40e2261a5a37056ced5d6f91fd8f3fb60e0612b76b1b6aca6585dae019af30122

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
722e5850827f7869e7740c910db77191

SHA1
f1a63a3f187e5bf4dde546a54645109d79657efb

SHA256
3b414d5aaf49395bb6bd42d2244ecb9c16ccb55e73c9e06f22ec6afb59893706

SHA512
83499feaebc9170fe9d1ef1e9431d6508c21ac892d963982dc76e918a97bca232542bad435043bc1252bcae47351fae723df355d24ba732c6fc94d677d1b2614

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f7461cfd171fe54409c21352329a872a

SHA1
6208d9466429a08e4a3b2f505db27726557317a8

SHA256
b6f40baddca572fa13a3de17ef4a4968c673a92d491c859459e9ede18fc33af8

SHA512
56e2b5f745a3db037e52c87379457bcfe84fe572e130b37b423bdad294887a77d736758bfba32155ea64cb0326d16a24b1c654a44ae4fbc0b6b3a5de509c6193

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
15ad31a14e9a92d2937174141e80c28d

SHA1
b09e8d44c07123754008ba2f9ff4b8d4e332d4e5

SHA256
bf983e704839ef295b4c957f1adeee146aaf58f2dbf5b1e2d4b709cec65eccde

SHA512
ec744a79ccbfca52357d4f0212e7afd26bc93efd566dd5d861bf0671069ba5cb7e84069e0ea091c73dee57e9de9bb412fb68852281ae9bd84c11a871f5362296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0b9b27378c873ef45db83ac6b8ebdae8

SHA1
3b5a72e197e0b10b908876d0dea3eb406670cdd7

SHA256
9f765cffbb159988843aead12d4c9d78d05d5cb6a2b5274d4ba338a6df0578cf

SHA512
8908f43ab37d557d35c2ec59581f120a37e5719ad9fcdd5d4c7740dc40294a61c48d805383a98ef9e167c42eeaed3d96d3b796c288c44235768eb1da7e6e4598

Download Submit