hxxps://soixanteseize-for-wpp[.]netlify[.]app/production/tdi22vxlinhbpw4wndtrgg

Analysis

max time kernel
241s
max time network
272s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2023, 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://soixanteseize-for-wpp.netlify.app/production/tdi22vxlinhbpw4wndtrgg

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3696	msedge.exe
3696	msedge.exe
3140	msedge.exe
3140	msedge.exe
1408	identity_helper.exe
1408	identity_helper.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 1428	3140	msedge.exe	36
PID 3140 wrote to memory of 1428	3140	msedge.exe	36
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3296	3140	msedge.exe	85
PID 3140 wrote to memory of 3696	3140	msedge.exe	86
PID 3140 wrote to memory of 3696	3140	msedge.exe	86
PID 3140 wrote to memory of 4260	3140	msedge.exe	87
PID 3140 wrote to memory of 4260	3140	msedge.exe	87
PID 3140 wrote to memory of 4260	3140	msedge.exe	87
PID 3140 wrote to memory of 4260	3140	msedge.exe	87
PID 3140 wrote to memory of 4260	3140	msedge.exe	87
PID 3140 wrote to memory of 4260	3140	msedge.exe	87
PID 3140 wrote to memory of 4260	3140	msedge.exe	87
PID 3140 wrote to memory of 4260	3140	msedge.exe	87
PID 3140 wrote to memory of 4260	3140	msedge.exe	87
PID 3140 wrote to memory of 4260	3140	msedge.exe	87
PID 3140 wrote to memory of 4260	3140	msedge.exe	87
PID 3140 wrote to memory of 4260	3140	msedge.exe	87
PID 3140 wrote to memory of 4260	3140	msedge.exe	87
PID 3140 wrote to memory of 4260	3140	msedge.exe	87
PID 3140 wrote to memory of 4260	3140	msedge.exe	87
PID 3140 wrote to memory of 4260	3140	msedge.exe	87
PID 3140 wrote to memory of 4260	3140	msedge.exe	87
PID 3140 wrote to memory of 4260	3140	msedge.exe	87
PID 3140 wrote to memory of 4260	3140	msedge.exe	87
PID 3140 wrote to memory of 4260	3140	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://soixanteseize-for-wpp.netlify.app/production/tdi22vxlinhbpw4wndtrgg
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb36b346f8,0x7ffb36b34708,0x7ffb36b34718
  2⤵
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,13573013903507739588,9089430612859715797,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
  2⤵
  PID:3296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,13573013903507739588,9089430612859715797,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,13573013903507739588,9089430612859715797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
  2⤵
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13573013903507739588,9089430612859715797,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13573013903507739588,9089430612859715797,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,13573013903507739588,9089430612859715797,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,13573013903507739588,9089430612859715797,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13573013903507739588,9089430612859715797,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=184 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13573013903507739588,9089430612859715797,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4500 /prefetch:1
  2⤵
  PID:2588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13573013903507739588,9089430612859715797,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13573013903507739588,9089430612859715797,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,13573013903507739588,9089430612859715797,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1840 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3272

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bf009481892dd0d1c49db97428428ede

SHA1
aee4e7e213f6332c1629a701b42335eb1a035c66

SHA256
18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4

SHA512
d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
201B

MD5
cfaa322eacc9d10ffb87f630eaf66da2

SHA1
8b5356734a9b3741e9d971657b6b73ecb6368644

SHA256
3e381ba37c0afacc3fa134aac76fc0169e657c52da6209d10279e6297f37779c

SHA512
2ef144949a79ad97a76f036a04c2a2d162739eb3cc7eb5ccf9ad9a86439384fae7fc32176061fd2d07e08357be35fc4489112a2b8974406503046d31aaff9020

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e61a418d9718e248e11c2dd05c1578c0

SHA1
ff69901e275ce4b097223b43b4cb1f9d875695ed

SHA256
dc59133a2a47bb8c0775a250b4d8df4ad06d0c2d2da777962c7e358a31f0c413

SHA512
56cae44fbd4647b060a0c3e35d4bc304e289564d6ac4a92485cbba6986753013db83b901e193932e060094b381fb45dec3376fd3c01700f837198e2170b9bbfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
53447b43b138d8564aed5a6d445b9051

SHA1
ab841d4ba6db1033905d633b561f0169671f6acc

SHA256
3fce8a53f5b9ea2454d62cc2f8ced099308564c53a9db907437440daedd2abaa

SHA512
c21dcea3be2ce779fdac5865142ec49050f8893b96bcd837256e8a4afafe9acc5132da102df3c91a4abb0804af5bddb5d03d067fcd3f38b31bd166000c043442

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ce09e89be2495ba89ed0a7b328ee654e

SHA1
95ac4b26e075f6664e1bc1ad143fa54621979980

SHA256
117620271a3e0a274fab9e82f92881bcc9a148b6c959f1f2c28822abde88b2dd

SHA512
312b32bede8d119882938fee6cf820d3aac2b588b1bd805dd90d0314d4f1f56ab0e0f4ea50cc48cc57aadee4a0d77bf2d00d566b68784dc0bec46d866330da20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
25ac77f8c7c7b76b93c8346e41b89a95

SHA1
5a8f769162bab0a75b1014fb8b94f9bb1fb7970a

SHA256
8ad26364375358eac8238a730ef826749677c62d709003d84e758f0e7478cc4b

SHA512
df64a3593882972f3b10c997b118087c97a7fa684cd722624d7f5fb41d645c605d59a89eccf7518570ff9e73b4310432c4bb5864ee58e78c0743c0c1606853a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
203B

MD5
a3e9b37ad3bb66f4124599beea3332d8

SHA1
b544266394cefa080e05c2e98c8e6d2463fe25f6

SHA256
2cd4fccae2e66b303beafaaa6fc5c46cbd47248c035de9a7464e01427028afca

SHA512
a8f5b0ae675afe81b5fa98530e9f4cfdec131df8797b6eb5342276022e2b900ac991be70223904fbc5d22a9bc91cf9266f118fba8e1a601366c6c3539497e857

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b6ec.TMP

Filesize
203B

MD5
bd14ff21f40e2877bc5f4bf830930262

SHA1
ee872983dfed71525540871877439416e84a52db

SHA256
f085c823eea8338783a7e29f7114faccaaa21b4ed785fa54359587445ae38e41

SHA512
3e115acd417d90cefa688ea694e2bd27cba9ac6506b2080c523bf1290b384f2508bcf488557e8e5e88af959b721fdf0000b06835177c9ee4a41ce7134d85fe8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9764c4be319a10eb17dc23ab2228f8ae

SHA1
ef56626c5eb1aebb9476fb32e0a25cf9938da485

SHA256
36c465df7684ddaca820c86858a3c4ecd1d9ffe97aec9109922ed4c86e580d30

SHA512
79716d749e3f2f722978459d6ade832fdd8b326736273c1fc81980cc2b29a1d93d001383cda0583fceb7e14a0ea66f0424c2f7f33e10c5be98f91bbe4a53edc4

Download Submit