hxxp://www[.]yandex[.]sberbank[.]yandex[.]yandex[.]yk-mid-prod2-res[.]ito[.]pay[.]pay[.]unileverbrazil-mktx[.]unileverbrazil-mkt-prod1-res[.]campaignex[.]unileverbrazil-mkt-provito[.]pay[.]sber[.]unileverbrazil-mkt-prgnex[.]unileverbrazil-mkt-provito[.]pay[.]sbegn[.]ltroth[.]com

Analysis

max time kernel
139s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2023, 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.yandex.sberbank.yandex.yandex.yk-mid-prod2-res.ito.pay.pay.unileverbrazil-mktx.unileverbrazil-mkt-prod1-res.campaignex.unileverbrazil-mkt-provito.pay.sber.unileverbrazil-mkt-prgnex.unileverbrazil-mkt-provito.pay.sbegn.ltroth.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3500	msedge.exe
3500	msedge.exe
2604	msedge.exe
2604	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 3364	2604	msedge.exe	84
PID 2604 wrote to memory of 3364	2604	msedge.exe	84
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 4824	2604	msedge.exe	87
PID 2604 wrote to memory of 3500	2604	msedge.exe	88
PID 2604 wrote to memory of 3500	2604	msedge.exe	88
PID 2604 wrote to memory of 1352	2604	msedge.exe	89
PID 2604 wrote to memory of 1352	2604	msedge.exe	89
PID 2604 wrote to memory of 1352	2604	msedge.exe	89
PID 2604 wrote to memory of 1352	2604	msedge.exe	89
PID 2604 wrote to memory of 1352	2604	msedge.exe	89
PID 2604 wrote to memory of 1352	2604	msedge.exe	89
PID 2604 wrote to memory of 1352	2604	msedge.exe	89
PID 2604 wrote to memory of 1352	2604	msedge.exe	89
PID 2604 wrote to memory of 1352	2604	msedge.exe	89
PID 2604 wrote to memory of 1352	2604	msedge.exe	89
PID 2604 wrote to memory of 1352	2604	msedge.exe	89
PID 2604 wrote to memory of 1352	2604	msedge.exe	89
PID 2604 wrote to memory of 1352	2604	msedge.exe	89
PID 2604 wrote to memory of 1352	2604	msedge.exe	89
PID 2604 wrote to memory of 1352	2604	msedge.exe	89
PID 2604 wrote to memory of 1352	2604	msedge.exe	89
PID 2604 wrote to memory of 1352	2604	msedge.exe	89
PID 2604 wrote to memory of 1352	2604	msedge.exe	89
PID 2604 wrote to memory of 1352	2604	msedge.exe	89
PID 2604 wrote to memory of 1352	2604	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdd73d46f8,0x7ffdd73d4708,0x7ffdd73d4718
1⤵
PID:3364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.yandex.sberbank.yandex.yandex.yk-mid-prod2-res.ito.pay.pay.unileverbrazil-mktx.unileverbrazil-mkt-prod1-res.campaignex.unileverbrazil-mkt-provito.pay.sber.unileverbrazil-mkt-prgnex.unileverbrazil-mkt-provito.pay.sbegn.ltroth.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,1715022729910003880,13160749264017777618,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1984,1715022729910003880,13160749264017777618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1984,1715022729910003880,13160749264017777618,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
  2⤵
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,1715022729910003880,13160749264017777618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,1715022729910003880,13160749264017777618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:1384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,1715022729910003880,13160749264017777618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
  2⤵
  PID:3312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,1715022729910003880,13160749264017777618,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5012 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2672

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d8f4eadb68a3e3d1bf2fa3006af5510

SHA1
d5d8239ec8a3bf5dadf52360350251d90d9e0142

SHA256
85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c

SHA512
554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
400B

MD5
6fa03d4bf4536d25832ff9a19f89de7d

SHA1
a0d4c3bf29673df144557a9029484b40768c639f

SHA256
36d9d913b4a778af7ee9dc754b9aa3992a0a9619784af7c95198ab0841469159

SHA512
d54483858cb0a5d14bb38e661448f9c5d956cc5e2cc2db3c7171d16535bc726b6ecbfeb1a7f8bfe587cf9b5093859a0bc55a29acc8531c5948bdbe8327a6210f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6ac00aaaa95aacd911c99362b994fa05

SHA1
87fa115c4c50c788db2179bb04eee9ce59abafed

SHA256
83c608d85476e4eb48664297372fc6c26158e0d2785820c3f862484c61725986

SHA512
e1de5d7cbf2a3343c54dbe48256ca1226e044d5865d25f193929e4da92f53974be1fb1263ad595ac02cbcb404fab85ba01bc34191b19dcd34ce2f59cc1fefb5d

Download Submit