hxxp://Marydelhomes[.]com

Analysis

max time kernel
961s
max time network
1047s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2023, 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://Marydelhomes.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
656	msedge.exe
656	msedge.exe
180	msedge.exe
180	msedge.exe
1880	identity_helper.exe
1880	identity_helper.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 180 wrote to memory of 2596	180	msedge.exe	84
PID 180 wrote to memory of 2596	180	msedge.exe	84
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 4644	180	msedge.exe	86
PID 180 wrote to memory of 656	180	msedge.exe	85
PID 180 wrote to memory of 656	180	msedge.exe	85
PID 180 wrote to memory of 2152	180	msedge.exe	87
PID 180 wrote to memory of 2152	180	msedge.exe	87
PID 180 wrote to memory of 2152	180	msedge.exe	87
PID 180 wrote to memory of 2152	180	msedge.exe	87
PID 180 wrote to memory of 2152	180	msedge.exe	87
PID 180 wrote to memory of 2152	180	msedge.exe	87
PID 180 wrote to memory of 2152	180	msedge.exe	87
PID 180 wrote to memory of 2152	180	msedge.exe	87
PID 180 wrote to memory of 2152	180	msedge.exe	87
PID 180 wrote to memory of 2152	180	msedge.exe	87
PID 180 wrote to memory of 2152	180	msedge.exe	87
PID 180 wrote to memory of 2152	180	msedge.exe	87
PID 180 wrote to memory of 2152	180	msedge.exe	87
PID 180 wrote to memory of 2152	180	msedge.exe	87
PID 180 wrote to memory of 2152	180	msedge.exe	87
PID 180 wrote to memory of 2152	180	msedge.exe	87
PID 180 wrote to memory of 2152	180	msedge.exe	87
PID 180 wrote to memory of 2152	180	msedge.exe	87
PID 180 wrote to memory of 2152	180	msedge.exe	87
PID 180 wrote to memory of 2152	180	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://Marydelhomes.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8108746f8,0x7ff810874708,0x7ff810874718
  2⤵
  PID:2596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,6365949118351466187,2820795397561772460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,6365949118351466187,2820795397561772460,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,6365949118351466187,2820795397561772460,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6365949118351466187,2820795397561772460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:4160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6365949118351466187,2820795397561772460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6365949118351466187,2820795397561772460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,6365949118351466187,2820795397561772460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,6365949118351466187,2820795397561772460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6365949118351466187,2820795397561772460,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6365949118351466187,2820795397561772460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6365949118351466187,2820795397561772460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
  2⤵
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6365949118351466187,2820795397561772460,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,6365949118351466187,2820795397561772460,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f95638730ec51abd55794c140ca826c9

SHA1
77c415e2599fbdfe16530c2ab533fd6b193e82ef

SHA256
106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3

SHA512
0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
b3e4322b54c89dea2937fd53fe8f9542

SHA1
047cc30e22e573146181dcc8b411e94843c6f740

SHA256
ff136816a4fb867bac7882e4dc7bab8ae4226955aeddbe2478e304d156336334

SHA512
8a381d268ae3e189e2f910610f31e28337545915c5dd9236c5a4f571e293dd098adae7443d6076b06a6dee1e5adcf3a77f78c669a016126e1ce6d48397913d23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
27aa21f8ece9633a3cec1de2e60d1705

SHA1
381c10c5f8ad192275ba641c41b57749982ad5dc

SHA256
e93ce5a38ada26d96bdc9792ebc6509442d5dae95e316df6a605a2c23a4ed9e5

SHA512
aa542fce2196ba4a85d733e497b55b81b5cb953796d2467cb2f65d459614c5ec591289ef8bfe65e26865a8a70194bb7a4882ded051dbf4451a2cdd9460b9ce5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
31408c4979dfbcf39dc1f18e98e60dec

SHA1
4fba55d539468a0a48609baf04a7d5104abd2521

SHA256
d02524f45ad914a01b1abaad32f3f871716a06e4eac10a7678c30f3450711ab5

SHA512
765e39c0de1a6ba999b6811157cb159b919068b9f12d4903b937511d317d7b4bab14d087d15327916a71a366e3be39a05c8da6299fd9b67f29af36629bd2ae7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f8e9d1a79c9a4a7e491091476c1fd87f

SHA1
7b1e467effc70c9ce948ce9c4b69ff18be98aa63

SHA256
49aaaaee826efed609a3230e111b866f5207bd4b90642c5e481f762ae7fe26a2

SHA512
14b8d5a85458fbbd86a4cf3731893f2246f1ae8da1066eedc7f5ea47d1a60b909175053c8f856926230b07bd5765d77c4e406ca8ca0cf855facbc208d84bcc4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
4a078fb8a7c67594a6c2aa724e2ac684

SHA1
92bc5b49985c8588c60f6f85c50a516fae0332f4

SHA256
c225fb924400745c1cd7b56fffaee71dce06613c91fbbb9aa247401ccb49e1ee

SHA512
188270df5243186d00ca8cc457f8ab7f7b2cd6368d987c3673f9c8944a4be6687b30daf8715429bd1b335391118d0ce840e3cb919ff4138c6273b286fb57b2b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ed819a465d76857f386a7791fb5f369a

SHA1
d335ed5ac44ebc8f8f1e8e2d4822d3324161cf59

SHA256
ea61d83ce5f5863a5e9bc3f82f88e010216d1f6f2e697cfb290dc55817e4ae29

SHA512
a712b43c9698175e1a0e62b5febbbae0c22282b0221e051d63c6ff500f293c6206b12cf5617adcfe1f249ae78109f57a248ccc36651d53f0fc32c0782ee63faf

Download Submit