hxxp://eadigital[.]it

Analysis

max time kernel
146s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2023, 06:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://eadigital.it

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1300	msedge.exe
1300	msedge.exe
336	msedge.exe
336	msedge.exe
4408	identity_helper.exe
4408	identity_helper.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 336 wrote to memory of 3924	336	msedge.exe	82
PID 336 wrote to memory of 3924	336	msedge.exe	82
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1136	336	msedge.exe	85
PID 336 wrote to memory of 1300	336	msedge.exe	84
PID 336 wrote to memory of 1300	336	msedge.exe	84
PID 336 wrote to memory of 3648	336	msedge.exe	86
PID 336 wrote to memory of 3648	336	msedge.exe	86
PID 336 wrote to memory of 3648	336	msedge.exe	86
PID 336 wrote to memory of 3648	336	msedge.exe	86
PID 336 wrote to memory of 3648	336	msedge.exe	86
PID 336 wrote to memory of 3648	336	msedge.exe	86
PID 336 wrote to memory of 3648	336	msedge.exe	86
PID 336 wrote to memory of 3648	336	msedge.exe	86
PID 336 wrote to memory of 3648	336	msedge.exe	86
PID 336 wrote to memory of 3648	336	msedge.exe	86
PID 336 wrote to memory of 3648	336	msedge.exe	86
PID 336 wrote to memory of 3648	336	msedge.exe	86
PID 336 wrote to memory of 3648	336	msedge.exe	86
PID 336 wrote to memory of 3648	336	msedge.exe	86
PID 336 wrote to memory of 3648	336	msedge.exe	86
PID 336 wrote to memory of 3648	336	msedge.exe	86
PID 336 wrote to memory of 3648	336	msedge.exe	86
PID 336 wrote to memory of 3648	336	msedge.exe	86
PID 336 wrote to memory of 3648	336	msedge.exe	86
PID 336 wrote to memory of 3648	336	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://eadigital.it
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0d4f46f8,0x7ffc0d4f4708,0x7ffc0d4f4718
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,13013748097406993044,11552509108752768529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,13013748097406993044,11552509108752768529,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,13013748097406993044,11552509108752768529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13013748097406993044,11552509108752768529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13013748097406993044,11552509108752768529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13013748097406993044,11552509108752768529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,13013748097406993044,11552509108752768529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:8
  2⤵
  PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,13013748097406993044,11552509108752768529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13013748097406993044,11552509108752768529,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13013748097406993044,11552509108752768529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13013748097406993044,11552509108752768529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13013748097406993044,11552509108752768529,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,13013748097406993044,11552509108752768529,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4652 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2184

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d8f4eadb68a3e3d1bf2fa3006af5510

SHA1
d5d8239ec8a3bf5dadf52360350251d90d9e0142

SHA256
85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c

SHA512
554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
2d1277cd58c429043d698c73b9346bcb

SHA1
710175ba2a8d113456b67c5da8503a4ed3ec67b8

SHA256
31c35f392a7dbc85c4eeb9f7256f39736ca7cbe89218800370e95fe401301f4d

SHA512
00146d40ae85bc436e728c7e2c27a27c21410a5ae6ad09a0331c089112ef9e4db00c5cc4a0b1fcd81513259cf372ac33cdf666690553c9123d034a78a8a4bbd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
651B

MD5
9127df4c6acc0ff4cfe03313cc2ba589

SHA1
c337bb98d337111b71c40b7b649d94771d5b3c90

SHA256
5b59ac0e5d7142db77d82b70e8bab53b6892fdc0bc9e9e45635a00e66a83c39f

SHA512
747936921f46a5457ea074d9498fe0e479d265f7e764865e197e4387ab80a2b4ba0c32b7f344b4479ed064749d4d077401acb8c977edc63c433f133960cf9534

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
776e7185ca2aaaea054f78d404c4ecf4

SHA1
cfed2bc53e24302dd7505625b25759356185c461

SHA256
74e846626b418890f0eccfddba32be428a8094443b4e2fd399ab91acb0abf3c5

SHA512
7e867af7aefe80aab05a2a67018618f0bca8998138abdc24eadc89056821a4c4e234eda080d27ecc1b5e35db01ef4115231e0742a6ffb472c48a7a9b50e3fb21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
26b98ae5f3c700a2c32959bd277dcaf3

SHA1
2d1421019967a58032a71168199f5c81193ec785

SHA256
9f6ed1dfa681d73011e13c620c0dab65bddceec9298c6a76d972533c4c0a664b

SHA512
5ffa8d42a1915788ec3a41869a0b0ae1f8b21ad779778ff845f4ec8149079cd5a11e7daaac66c77d9f2e51e2b00ff8272850db605d848d99e30f2856439cf6c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
d985875547ce8936a14b00d1e571365f

SHA1
040d8e5bd318357941fca03b49f66a1470824cb3

SHA256
8455a012296a7f4b10ade39e1300cda1b04fd0fc1832ffc043e66f48c6aecfbf

SHA512
ca31d3d6c44d52a1f817731da2e7ac98402cd19eeb4b48906950a2f22f961c8b1f665c3eaa62bf73cd44eb94ea377f7e2ceff9ef682a543771344dab9dbf5a38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1cff39d0446cf3bd3859fb0466024455

SHA1
f5852bb415c41be83a4fd1431e8066e869e017c0

SHA256
8b870b5e16f63438c2ec66bef910ece309cec7722651a4d0509f269542e71d97

SHA512
26c4838fe885e745793c64596b8bfc9b66a47f62249fe665e5be77055b226aa6e821cd4dae5a3e47203e7aedf6b256984b80294b67d1fe9c0750121aa0d07dd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
932e5cc2136588a011b92ab49415b7b4

SHA1
6316f96312f9132d3af61f54da2dfd9d2717e99e

SHA256
2de3bf876c49375446dd0526c8ff253bfbfb43316d3e6eebdc14b1f49b2d3fbf

SHA512
7cc974055835abcae7031b220928892869f2946a657dba7a133169835dcfc92e711270eb12a65e64454f82b394881079a1a930b59c910055e1d44991e5107e30

Download Submit