hxxp://rodeosemillas[.]com/a/o261835

Analysis

max time kernel
43s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 07:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://rodeosemillas.com/a/o261835

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4832	msedge.exe
4832	msedge.exe
3364	msedge.exe
3364	msedge.exe
4756	identity_helper.exe
4756	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3364 wrote to memory of 1064	3364	msedge.exe	24
PID 3364 wrote to memory of 1064	3364	msedge.exe	24
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 216	3364	msedge.exe	84
PID 3364 wrote to memory of 4832	3364	msedge.exe	85
PID 3364 wrote to memory of 4832	3364	msedge.exe	85
PID 3364 wrote to memory of 4928	3364	msedge.exe	88
PID 3364 wrote to memory of 4928	3364	msedge.exe	88
PID 3364 wrote to memory of 4928	3364	msedge.exe	88
PID 3364 wrote to memory of 4928	3364	msedge.exe	88
PID 3364 wrote to memory of 4928	3364	msedge.exe	88
PID 3364 wrote to memory of 4928	3364	msedge.exe	88
PID 3364 wrote to memory of 4928	3364	msedge.exe	88
PID 3364 wrote to memory of 4928	3364	msedge.exe	88
PID 3364 wrote to memory of 4928	3364	msedge.exe	88
PID 3364 wrote to memory of 4928	3364	msedge.exe	88
PID 3364 wrote to memory of 4928	3364	msedge.exe	88
PID 3364 wrote to memory of 4928	3364	msedge.exe	88
PID 3364 wrote to memory of 4928	3364	msedge.exe	88
PID 3364 wrote to memory of 4928	3364	msedge.exe	88
PID 3364 wrote to memory of 4928	3364	msedge.exe	88
PID 3364 wrote to memory of 4928	3364	msedge.exe	88
PID 3364 wrote to memory of 4928	3364	msedge.exe	88
PID 3364 wrote to memory of 4928	3364	msedge.exe	88
PID 3364 wrote to memory of 4928	3364	msedge.exe	88
PID 3364 wrote to memory of 4928	3364	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://rodeosemillas.com/a/o261835
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb900746f8,0x7ffb90074708,0x7ffb90074718
  2⤵
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,12564039360918845125,5463585498717932194,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,12564039360918845125,5463585498717932194,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,12564039360918845125,5463585498717932194,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,12564039360918845125,5463585498717932194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:1172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,12564039360918845125,5463585498717932194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,12564039360918845125,5463585498717932194,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,12564039360918845125,5463585498717932194,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,12564039360918845125,5463585498717932194,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,12564039360918845125,5463585498717932194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,12564039360918845125,5463585498717932194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3672 /prefetch:1
  2⤵
  PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,12564039360918845125,5463585498717932194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4280 /prefetch:1
  2⤵
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,12564039360918845125,5463585498717932194,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:1
  2⤵
  PID:4284

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4d25fc6e43a16159ebfd161f28e16ef7

SHA1
49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4

SHA256
cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5

SHA512
ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
23KB

MD5
31cea899dc7182d6dece3972c99a6af5

SHA1
893901330aad224502a30b3af47e0a29568f1c83

SHA256
df95d5ee23d8913632f7ef8292613a0e782ef959c3c5674749427994e63ab679

SHA512
f872bc6c1740c707c8a1c6e3263e6f5b725755e06c8fd952a115e77ebb6632c57538b95f7d9d96e1dd2f351264e63edfeb7e8897b320a71902af16ff2e1bb81a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3998be5e2b40c28dfaa2e29efdf5d8ee

SHA1
19763aae11bc0babe1781bb1083d40fd994bf1c7

SHA256
b6f4be3bd787f693caada07f63d8de803818e9b97e69ce0696486c813dd7a4a4

SHA512
88478cd5446cad31ed60355fb1c0a45248134c5179f24f406a528f6603979bff41a7c104e9ab9b88db6018b30aa345ec13daf6f08909bf0c5bb92a58b18c1df8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d3c26589fe81c734d0e563f1ca543e96

SHA1
157b7ed0641c345a76b66cf688d14364b3402150

SHA256
8e651d3e49ae950f81a8c1368135796398ac992eb2fb23cedc9bf0ee6a6fdcc3

SHA512
fc4e94ff22af280ab94a3d17721e79cf1c441e41b7f566a4b8a46f4926e0f8496b57edd63ffc14d3e2e4ce017b3f3e5e9e690d03a6cd5af95ee1b2b5ecb4ab2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b782065e7dad252b228535724e492392

SHA1
f4a5e1582f23e8fb0bfe30ff28572aa3bc8ff07f

SHA256
2ee3e15d23dcc58c0999953d3c21bdef63ab674ec264230026aaf0be8c1d4348

SHA512
5a68b14ec2629b8667cc044e3fe26156750210a11f0e3ac783cf75808bf1b6877d10137a817da0ee4cd532ea2ffeabf83d08626d80ecb31ba02f44bbbaacada8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4f3360c7c8ed4625ad894b790748cb80

SHA1
11d118e61cbf59cd8ab8b28ad3435b59d14d3c8a

SHA256
05f57622debd00db5788cc9a63a841079ea570f624fd1a43538bb6f8dcd6f3b3

SHA512
89a3dfd855305f8fd953cb25a4426cecf0389a0e85fab53dd6ba200e60801a2bdae4f705f8e1be6b46d51ec6f8a17a0b1a1e5b917af0682d63f5ca7769feafb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
d555d038867542dfb2fb0575a0d3174e

SHA1
1a5868d6df0b5de26cf3fc7310b628ce0a3726f0

SHA256
044cac379dddf0c21b8e7ee4079d21c67e28795d14e678dbf3e35900f25a1e2e

SHA512
d8220966fe6c3ae4499bc95ab3aead087a3dd915853320648849d2fc123a4acd157b7dba64af0108802522575a822651ecc005523c731423d9131ee679c2712f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
b72ff7e9fea1a359aba6f059d01294da

SHA1
aea41a0f6b70a763461a12c99ef0370aec942eda

SHA256
b8e120d4ee0802748162601d16140e8e10dfde94b81abd3d2a06f68b5109b297

SHA512
8d9504a01a71f667c601d03351f8e6dd8ce847fa3c5a4ec1aec6feb0da008cd106531f3a41afb299d2e54bc5458ae70b49fac380d21fd41d0b17bcc3b7a91506

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58b9a6.TMP

Filesize
538B

MD5
41f4bae4fbb89009e97c95375e37addc

SHA1
e8b4236bd075b628e4046fd2b4c383660a1c100d

SHA256
d6c92e129f1782e72980e808868b285c5bf9ae12ecfa5fbb906117e8059796f2

SHA512
53f7cd74c4d30e4cebb5b04d3ed1ae81bec2b8e41ff4c61418fb41626be91531d7d0d66d3dc9172a980706f50accb25944bae83a1731fa72e9e9b78f689b4e2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
dd16146d8fde153dc2f1f1520df23c93

SHA1
ef225ec755d8a62b53b0ed8e163d9755aea68974

SHA256
4939fe2a65c807535393909d60da68f6cc3b726d791eb4836a16b119da00afac

SHA512
a612a0977e9ebe917534a343eddef9eb0930aaca23c76ceae141920fede74e7e03ca043df2fae41be2be043dd0acd4364dbfdc98b6a7fd73fb15774b3635bb3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
64037d11de96dd2cc6176cd102b6be2b

SHA1
3eeb28f363de971745448f63aa011ae6ff2eb8f0

SHA256
53164b1923b0ad85875c3bc121249ea99ab6a80e6c0ec98c3364238577841042

SHA512
6b8a557db08a9b0150957f8292afaaa6978faecc6774dd82c55cbda4289a3c743bce44004b4f798ddcca09a3f1bb4ab96ece89d97baeeedf562aa39a020b6355

Download Submit