hxxps://52[.]22[.]41[.]97

Analysis

max time kernel
321s
max time network
338s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://52.22.41.97

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4192	msedge.exe
4192	msedge.exe
4028	msedge.exe
4028	msedge.exe
2432	identity_helper.exe
2432	identity_helper.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 4328	4028	msedge.exe	81
PID 4028 wrote to memory of 4328	4028	msedge.exe	81
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 2028	4028	msedge.exe	83
PID 4028 wrote to memory of 4192	4028	msedge.exe	82
PID 4028 wrote to memory of 4192	4028	msedge.exe	82
PID 4028 wrote to memory of 3852	4028	msedge.exe	84
PID 4028 wrote to memory of 3852	4028	msedge.exe	84
PID 4028 wrote to memory of 3852	4028	msedge.exe	84
PID 4028 wrote to memory of 3852	4028	msedge.exe	84
PID 4028 wrote to memory of 3852	4028	msedge.exe	84
PID 4028 wrote to memory of 3852	4028	msedge.exe	84
PID 4028 wrote to memory of 3852	4028	msedge.exe	84
PID 4028 wrote to memory of 3852	4028	msedge.exe	84
PID 4028 wrote to memory of 3852	4028	msedge.exe	84
PID 4028 wrote to memory of 3852	4028	msedge.exe	84
PID 4028 wrote to memory of 3852	4028	msedge.exe	84
PID 4028 wrote to memory of 3852	4028	msedge.exe	84
PID 4028 wrote to memory of 3852	4028	msedge.exe	84
PID 4028 wrote to memory of 3852	4028	msedge.exe	84
PID 4028 wrote to memory of 3852	4028	msedge.exe	84
PID 4028 wrote to memory of 3852	4028	msedge.exe	84
PID 4028 wrote to memory of 3852	4028	msedge.exe	84
PID 4028 wrote to memory of 3852	4028	msedge.exe	84
PID 4028 wrote to memory of 3852	4028	msedge.exe	84
PID 4028 wrote to memory of 3852	4028	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://52.22.41.97
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd7f7d46f8,0x7ffd7f7d4708,0x7ffd7f7d4718
  2⤵
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,8320472664531458769,12183635848553254923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,8320472664531458769,12183635848553254923,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
  2⤵
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,8320472664531458769,12183635848553254923,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
  2⤵
  PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8320472664531458769,12183635848553254923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8320472664531458769,12183635848553254923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8320472664531458769,12183635848553254923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:496
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,8320472664531458769,12183635848553254923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
  2⤵
  PID:772
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,8320472664531458769,12183635848553254923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8320472664531458769,12183635848553254923,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8320472664531458769,12183635848553254923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8320472664531458769,12183635848553254923,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
  2⤵
  PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8320472664531458769,12183635848553254923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,8320472664531458769,12183635848553254923,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3156 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5100

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1222f8c867acd00b1fc43a44dacce158

SHA1
586ba251caf62b5012a03db9ba3a70890fc5af01

SHA256
1e451cb9ffe74fbd34091a1b8d0ab2158497c19047b3416d89e55f498aae264a

SHA512
ef3f2fc1cedfc28fb530c710219b8e9eb833a2f344b91d3ffb2d82d7bbedbc223f4b60a38bea35b72eb706e4880ffcbb9256a9768f39bae95c5544be0f503916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9ed30c82d7124a6a20f106f186b76cbf

SHA1
d431d712ebe4917a5a8e63785b102762ebc353d5

SHA256
e0b1ec81fc47b19490a62f180e6f655d11d490493212de2316988a7b5e884470

SHA512
0905d81284bb4c6215bce54d78d926dd44606117eec82a85ae115a5f0d5e0990cb64c2888085074e3ce276fe222ff2448202b44b99ed76310490d156410f679c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c933cd5449abbceb917b3b40b24e647c

SHA1
46971a69dc4f39596dc32f5bf007f1298b53edee

SHA256
16e39d03d544041365f6f1f59431390a4a95d4ae69b5240cbdcbea2a5c118f22

SHA512
b03b24a47af37afaf9064e55d8519954638b17d83253a4d741e57a1d8bb2fe49ad68f3fcab96bb3416e98b6fd4c7bb47b227c7a893f718977295ffd47eed0d4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2c493182697a684b03ab3ac2b30063f7

SHA1
8c4621472dc19592b45ceda6430e1d76c0d57f63

SHA256
242de88c74febe83724bd77669821714653c5aeebb6556d66da991f48adbb720

SHA512
850987a667cb00c26288cfbf2f26b92c45e7e669f4d19ea2c9c2c5557cdfd07447c7b6f8df83352c17e4b5fe2ef201988874bafce8316ef05e78f9085f711fd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
15ad31a14e9a92d2937174141e80c28d

SHA1
b09e8d44c07123754008ba2f9ff4b8d4e332d4e5

SHA256
bf983e704839ef295b4c957f1adeee146aaf58f2dbf5b1e2d4b709cec65eccde

SHA512
ec744a79ccbfca52357d4f0212e7afd26bc93efd566dd5d861bf0671069ba5cb7e84069e0ea091c73dee57e9de9bb412fb68852281ae9bd84c11a871f5362296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0a528d20a7ed702f12453c984ca53a33

SHA1
5312d9756ea6af2938bddb407f09dc95e040cc0a

SHA256
f4410e6bf5c5a58ea29dd6c88615c29de89df110e6dcbe70597d4de4f0c5a075

SHA512
60d4092fbf4d0b0544aabac36ec3111d56725671691be3a7d606d2fd6294a50879341700760ef15dca11d5e6ddee0cc1f391fb964a066debb1ff5bfb816f0cf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
417f14e0dfaf177719575a37e2f7aba9

SHA1
89019878b2ea2fba81dfd74e451d09e24e9fea18

SHA256
e427763c9fc0f373385d186e7bfda8772e01ae4fc42ff01ad0b6ed01fa5c94a9

SHA512
d3a5ec6ed7a42c853f2d8265ecabfb55b8a86a821466b741bebef7ea4e5213ea04e7ec333e2cfcd967c4c04291cae6b4169639b9902d9c42b769aabc98d92cc6

Download Submit