hxxps://jemelynnwick[.]dorik[.]io/

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2023 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://jemelynnwick.dorik.io/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2304	msedge.exe
2304	msedge.exe
4376	msedge.exe
4376	msedge.exe
3496	identity_helper.exe
3496	identity_helper.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 1056	4376	msedge.exe	81
PID 4376 wrote to memory of 1056	4376	msedge.exe	81
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 4528	4376	msedge.exe	85
PID 4376 wrote to memory of 2304	4376	msedge.exe	86
PID 4376 wrote to memory of 2304	4376	msedge.exe	86
PID 4376 wrote to memory of 580	4376	msedge.exe	87
PID 4376 wrote to memory of 580	4376	msedge.exe	87
PID 4376 wrote to memory of 580	4376	msedge.exe	87
PID 4376 wrote to memory of 580	4376	msedge.exe	87
PID 4376 wrote to memory of 580	4376	msedge.exe	87
PID 4376 wrote to memory of 580	4376	msedge.exe	87
PID 4376 wrote to memory of 580	4376	msedge.exe	87
PID 4376 wrote to memory of 580	4376	msedge.exe	87
PID 4376 wrote to memory of 580	4376	msedge.exe	87
PID 4376 wrote to memory of 580	4376	msedge.exe	87
PID 4376 wrote to memory of 580	4376	msedge.exe	87
PID 4376 wrote to memory of 580	4376	msedge.exe	87
PID 4376 wrote to memory of 580	4376	msedge.exe	87
PID 4376 wrote to memory of 580	4376	msedge.exe	87
PID 4376 wrote to memory of 580	4376	msedge.exe	87
PID 4376 wrote to memory of 580	4376	msedge.exe	87
PID 4376 wrote to memory of 580	4376	msedge.exe	87
PID 4376 wrote to memory of 580	4376	msedge.exe	87
PID 4376 wrote to memory of 580	4376	msedge.exe	87
PID 4376 wrote to memory of 580	4376	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://jemelynnwick.dorik.io/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa78cc46f8,0x7ffa78cc4708,0x7ffa78cc4718
  2⤵
  PID:1056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,9165609072281158322,9337651474712596011,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,9165609072281158322,9337651474712596011,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,9165609072281158322,9337651474712596011,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9165609072281158322,9337651474712596011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9165609072281158322,9337651474712596011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,9165609072281158322,9337651474712596011,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,9165609072281158322,9337651474712596011,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9165609072281158322,9337651474712596011,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9165609072281158322,9337651474712596011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9165609072281158322,9337651474712596011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9165609072281158322,9337651474712596011,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,9165609072281158322,9337651474712596011,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1480 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bf009481892dd0d1c49db97428428ede

SHA1
aee4e7e213f6332c1629a701b42335eb1a035c66

SHA256
18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4

SHA512
d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
404B

MD5
132825dc51d2f9d0443208915f2d03d3

SHA1
ea7f1a6df25a99ede934af75dbfa6f9665c4ebf7

SHA256
5cbff6815eaedc8140cd74ec23dd10b3cf4fcc094374049a083643e4689f513e

SHA512
7b72053db01b08653faeed2de84bb799a9b3fcf236ead06178f3b9cc005c732583e3992330705e31e30f2b62cdd122d0779e6d677292f2d40d205778d8eb0369

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
37439fc795ea7a17646e142f1c93bde2

SHA1
56bd4571aca92b1ad96767691a11c3e6e116cf87

SHA256
c8d53b0d84c37aa17a305308c01f859a46805b30582b00657f71acf51dcfa0b3

SHA512
c3eb9b62ec31965a3be1c99d5de747167b56cead265efb99c5abaa788c9e6c0bae9132a2549ca4fbcf23cdb1df0a6f1ae5c8b8cebf01561c4a1b25856264a43b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e3683709d973a3231ccd1914fb72c246

SHA1
30775deac5b8e8188fe25a35473d49ca17e6f45c

SHA256
bee82feafdbf56bfeb7311e63e070ac9fe8e88f0dff1419c9ee51e0287fee555

SHA512
fb96ed13e7c9f52f9ff7c0dbc935992e6c072acad38f4cef5dcba1a970e97b52e5136523f4358013a287a017dbfce5d9f79dc774b4bf146d12a440e9987345d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a8f8435e32bb2585b666a9746fd2b59c

SHA1
c5590d26c04f5a83d9e7336de537b0fa24446766

SHA256
187f9f31dee12f1042c5c195c74485c29d55316d74eff2a5c619722e500267a8

SHA512
ff5c0b1489cc7e79e8d50d9982c9b3f1566072db289ba6da235fbf97ec756077adbd6861fc171f60bea2b9a7ba94dfb028446663ff5296719fe0ac30308e17a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
25ac77f8c7c7b76b93c8346e41b89a95

SHA1
5a8f769162bab0a75b1014fb8b94f9bb1fb7970a

SHA256
8ad26364375358eac8238a730ef826749677c62d709003d84e758f0e7478cc4b

SHA512
df64a3593882972f3b10c997b118087c97a7fa684cd722624d7f5fb41d645c605d59a89eccf7518570ff9e73b4310432c4bb5864ee58e78c0743c0c1606853a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f092ea6df65201e4a123688ba2786000

SHA1
7868b569f341fea4daafb812ae1e3f5dc953ea12

SHA256
f8f4f7b82891fada034968d85763e04adf32d274f48da3a8aae144fda669b377

SHA512
f3c3af465d1a3f482656a80a7044652a3a385de2ca653db400a6f79496d15881483b78c37b524dbb53db17ae2eb9f763a8ac21d29ccb6497356ad68ac4570487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
924422dc4db4cc22b01b8183197565bd

SHA1
328d862cfac8cbcb39e10302541c30e00535150a

SHA256
a4b12cf3270a260197a48c849c5e81b9f256f38075c6225d2e8240dcaf62eb09

SHA512
f2906b8f369c66091dd0a5021dcc8209479d370cd7ee4fcd1e2fe8d6ff0a58fa1fd10100a7c209470d5b8b700f262312a738a1dc67377c9b853527ec2b3b3915

Download Submit