hxxps://www[.]google[.]com[//]amp/s/nancyrips[.]com/rosongd/gdhno/mmnbb/Daniel[.]Simmons@siemensgamesa[.]com

Analysis

max time kernel
30s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2023, 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.google.com//amp/s/nancyrips.com/rosongd/gdhno/mmnbb/[email protected]

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3752	msedge.exe
3752	msedge.exe
3816	msedge.exe
3816	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3752 wrote to memory of 4532	3752	msedge.exe	65
PID 3752 wrote to memory of 4532	3752	msedge.exe	65
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 4916	3752	msedge.exe	87
PID 3752 wrote to memory of 3816	3752	msedge.exe	86
PID 3752 wrote to memory of 3816	3752	msedge.exe	86
PID 3752 wrote to memory of 736	3752	msedge.exe	88
PID 3752 wrote to memory of 736	3752	msedge.exe	88
PID 3752 wrote to memory of 736	3752	msedge.exe	88
PID 3752 wrote to memory of 736	3752	msedge.exe	88
PID 3752 wrote to memory of 736	3752	msedge.exe	88
PID 3752 wrote to memory of 736	3752	msedge.exe	88
PID 3752 wrote to memory of 736	3752	msedge.exe	88
PID 3752 wrote to memory of 736	3752	msedge.exe	88
PID 3752 wrote to memory of 736	3752	msedge.exe	88
PID 3752 wrote to memory of 736	3752	msedge.exe	88
PID 3752 wrote to memory of 736	3752	msedge.exe	88
PID 3752 wrote to memory of 736	3752	msedge.exe	88
PID 3752 wrote to memory of 736	3752	msedge.exe	88
PID 3752 wrote to memory of 736	3752	msedge.exe	88
PID 3752 wrote to memory of 736	3752	msedge.exe	88
PID 3752 wrote to memory of 736	3752	msedge.exe	88
PID 3752 wrote to memory of 736	3752	msedge.exe	88
PID 3752 wrote to memory of 736	3752	msedge.exe	88
PID 3752 wrote to memory of 736	3752	msedge.exe	88
PID 3752 wrote to memory of 736	3752	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com//amp/s/nancyrips.com/rosongd/gdhno/mmnbb/[email protected]
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe1fc746f8,0x7ffe1fc74708,0x7ffe1fc74718
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,6448041786163041525,14523614688040663767,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,6448041786163041525,14523614688040663767,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,6448041786163041525,14523614688040663767,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
  2⤵
  PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,6448041786163041525,14523614688040663767,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,6448041786163041525,14523614688040663767,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,6448041786163041525,14523614688040663767,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,6448041786163041525,14523614688040663767,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,6448041786163041525,14523614688040663767,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:1356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,6448041786163041525,14523614688040663767,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,6448041786163041525,14523614688040663767,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,6448041786163041525,14523614688040663767,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:1120

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bf009481892dd0d1c49db97428428ede

SHA1
aee4e7e213f6332c1629a701b42335eb1a035c66

SHA256
18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4

SHA512
d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
7cbb58c8fb23932d32cee2da713d3105

SHA1
d242c89d24e90969430fe73cc2bdcf71de322960

SHA256
a9149032ab7cf7e871b62ce78a8603de1d284016dc86ebba45ffc7fd1d8feae4

SHA512
931a06d5551de2d1741f60317cb827653cd95a0bde0749454438deb2edf299446101c7d93f914d6135460e10750a39475ed02836f48c3d6baef938028235eadd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
8674fb0a5760db69d68c9263f460b959

SHA1
5072014523172b6550a0e223c920ed70c51ecb70

SHA256
445f18522729531b31ceeb4c9e71be7d569f273364a5bbc4e1cda5c2c808f53e

SHA512
59c054750a54ac430e6bc71926c00de3e7f64cebf1e383b485238b817f827722d1ed0b5a8a5633da514ec1af4eb9b2979921f7fa22ce05c67894b471d0ae2efb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6678271182a690f345ea733de952211b

SHA1
16a682da35d6ebed055392f7c3e7927c2436e409

SHA256
6d5fc9c24823010985e238e99db8083532bcf6225b5e2861e0c56a3fe0dd768b

SHA512
7912c62564532473d055194369c4bf473930d816f917ecc433de2b855463042c71d28a87af2d8118bb5d536fa88407f8884e47e55bf290a3d9fcc0c452d45cbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fe96cbb959b945778d0f5d237feb30c1

SHA1
b517cdd588f2805697fe4dd28115d65c61bd2309

SHA256
998e7ce25270210313d219c9c55228d3990146dce6ebb7917b1ca6ad118e625b

SHA512
fb5b33ba28d1802e4ad0de7cf71c3dedbe04ca25368ab7874e4ac3d854f80f870e134956e67cb534824a517b3f93cb5903b98e657ed8b3f194500119c029f01e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
b690c7643af8bf5f3a96b59e33522135

SHA1
204ca48a942ecba4d2f2ef844275c3f5905ed453

SHA256
4577c23a112c820b430e2b16d0283f4715b06f64164e1e5bf883034a7201c695

SHA512
f690f6f5cb19c2e7338feda4741c47b107e48e86db530829cff7e4a0737b813051d31625b1f3108bf8a2f496fad14767b6c255bc816a3e8a3bc43d4c2b63036d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e7e1d0dc9f7999201d2d8aee380cd487

SHA1
b84393ec0d13a25643d8ab1e8f291b2de390531b

SHA256
1c79fa1fc86c253c8ff49be74bb22c188dc69f9c2d85c4189adae59f9d58f5ae

SHA512
2416361e947cbbdf8c2409d9ec77e803ca7eaa312292a9cd413ac57ab94dcfc06cc719643eba88352479fb53d66f9818b41d76766155842e4e747119065e4ec3

Download Submit