hxxps://www[.]a193gradeb7[.]com/specification/images/footer-bg[.]png

Analysis

max time kernel
198s
max time network
200s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 17:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.a193gradeb7.com/specification/images/footer-bg.png

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4044	msedge.exe
4044	msedge.exe
4124	msedge.exe
4124	msedge.exe
1444	identity_helper.exe
1444	identity_helper.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 4328	4124	msedge.exe	54
PID 4124 wrote to memory of 4328	4124	msedge.exe	54
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 3280	4124	msedge.exe	85
PID 4124 wrote to memory of 4044	4124	msedge.exe	87
PID 4124 wrote to memory of 4044	4124	msedge.exe	87
PID 4124 wrote to memory of 412	4124	msedge.exe	88
PID 4124 wrote to memory of 412	4124	msedge.exe	88
PID 4124 wrote to memory of 412	4124	msedge.exe	88
PID 4124 wrote to memory of 412	4124	msedge.exe	88
PID 4124 wrote to memory of 412	4124	msedge.exe	88
PID 4124 wrote to memory of 412	4124	msedge.exe	88
PID 4124 wrote to memory of 412	4124	msedge.exe	88
PID 4124 wrote to memory of 412	4124	msedge.exe	88
PID 4124 wrote to memory of 412	4124	msedge.exe	88
PID 4124 wrote to memory of 412	4124	msedge.exe	88
PID 4124 wrote to memory of 412	4124	msedge.exe	88
PID 4124 wrote to memory of 412	4124	msedge.exe	88
PID 4124 wrote to memory of 412	4124	msedge.exe	88
PID 4124 wrote to memory of 412	4124	msedge.exe	88
PID 4124 wrote to memory of 412	4124	msedge.exe	88
PID 4124 wrote to memory of 412	4124	msedge.exe	88
PID 4124 wrote to memory of 412	4124	msedge.exe	88
PID 4124 wrote to memory of 412	4124	msedge.exe	88
PID 4124 wrote to memory of 412	4124	msedge.exe	88
PID 4124 wrote to memory of 412	4124	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.a193gradeb7.com/specification/images/footer-bg.png
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8ae4d46f8,0x7ff8ae4d4708,0x7ff8ae4d4718
  2⤵
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,18020036336181382618,3326565350033857858,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,18020036336181382618,3326565350033857858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2828 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,18020036336181382618,3326565350033857858,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3148 /prefetch:8
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,18020036336181382618,3326565350033857858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,18020036336181382618,3326565350033857858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,18020036336181382618,3326565350033857858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
  2⤵
  PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,18020036336181382618,3326565350033857858,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,18020036336181382618,3326565350033857858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8
  2⤵
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,18020036336181382618,3326565350033857858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,18020036336181382618,3326565350033857858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,18020036336181382618,3326565350033857858,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,18020036336181382618,3326565350033857858,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2660 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
db9dbef3f8b1f616429f605c1ebca2f0

SHA1
ffba76f0836c024828d4ff1982cc4240c41a8f16

SHA256
3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1

SHA512
4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\9db2a031-1eef-4606-95d2-4d4fd71d337d.tmp

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fad785b3556a7cf2ea54ea290467c719

SHA1
07577e9bf460d4ea7842155a5ca4edc62f2b11f2

SHA256
15cf21d61dd57eeddf2c19a132c8e8e3c02bead4c57a8a957d72843e049c7789

SHA512
534163f76b230cc52e36eade12590c9f6888c10053b54305d3dfe26970c41d5e806456d73d6c8dd6b8d355bbf5bdf90b057288a157aae7126bd3d3698dcd028e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5c670f6bc05f6306089591d5b4d23e27

SHA1
5e4e08c298770375e8c1e5a2f6f18ed98f233493

SHA256
100225856d00764861e33719cca2e611e2aa8b707191985ae0bc2c589839fe88

SHA512
d8c1c479075a3cfe5a127d8af11c710af7ad798b26550db7c51988ec4bb267ff75204270280ea553d403cc8ef115198c8f13c5c1a049be26251eea7a6c893f64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6039f86e67abfa799ac42956a9146140

SHA1
60ed85e1e43e67387887fde5fd03c34872ffd264

SHA256
de994ef43164c62fe8a5053bc46e239726d6f1456fd9e931e702952907656b7f

SHA512
177a014ffe3470057be22ab41b64762a188ce94a1d1572a8d432ce374de18ffab43f507ced402e788f663519fd18976a657d1954a4fc6371e1825cf9b8245806

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6d45091f36026ac4a9a6f1cc2561bce2

SHA1
9b9434513881f83534cb735076f67257cdbd07da

SHA256
bd88ce0a2774edd8fdfd28151888fc9eb69514299bf01f88380406c78df1545c

SHA512
94c454170a930ae8a4c5c07a392160ffb8d5de6fa279b8a0b88edecd10075b2d67f745c388e3a8c8da177c52a6595e6d27ec98270aa313b86845794ff65c2a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
6dcb90ba1ba8e06c1d4f27ec78f6911a

SHA1
71e7834c7952aeb9f1aa6eb88e1959a1ae4985d9

SHA256
30d89e5026668c5a58bef231930a8bfb27ca099b24399a2615b210210d418416

SHA512
dc31807eaeb5221ac60d598035ca3ccab1dbeecc95caaff5e1f5a2a89ba1c83ef0a708ee0b8ed05b588ea5d50e360032a534356f84c89d3791df91d419daeff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a47e1342cc94dbe1a69a8d5856f2f074

SHA1
0960693906053a8fcd3c38007086abe617b9a217

SHA256
2360d62556a7f8ac48ce914d580230025365e07e2ec36fa809d09cc7d30c78ab

SHA512
9a647ccdc317809c4abea557f67ff9a6da364b0aa58154b6c35a022ef48987ba4a5f2eb9f14b811f9d1a1db73682dd11453e2d9f6e87cf69c020926ec23b626a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
5b8e50b96c229926a1c619a38ba12a29

SHA1
1aa723edfd1b340602e30072df077addd7a2b664

SHA256
9b31afcf699feb870895182f3076ad405c67111a5a8c4595048bc7aef42e0381

SHA512
651bd4b5ae03b2940ca06b69e803d3300e838cd38cb1717a0acd3f06ec22f12fd3fcd370a4ae353297f372d422192feab20aa7fcc17a95c1895a93bad7ec16d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
11913c4282f68a7abfe46288770fe204

SHA1
2699b5c3906ac502103925034e006b3f4aae64db

SHA256
2a51cf89605f80ddd52a18f5fdbfb27ab08aa61715c4ed0a84465701e8d53a8a

SHA512
1eebf0464717d505cd41ee8d2ce52479c20542379dfacd4513dc212e83940cbf6ea78a0e66e5546668be57ed7cd890abc7600f4448108f8c5320d885b2adfbf3

Download Submit