hxxp://itc[.]gov[.]ae

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2023, 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://itc.gov.ae

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1348	msedge.exe
1348	msedge.exe
1064	msedge.exe
1064	msedge.exe
5016	identity_helper.exe
5016	identity_helper.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 376	1064	msedge.exe	26
PID 1064 wrote to memory of 376	1064	msedge.exe	26
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 3508	1064	msedge.exe	88
PID 1064 wrote to memory of 1348	1064	msedge.exe	87
PID 1064 wrote to memory of 1348	1064	msedge.exe	87
PID 1064 wrote to memory of 1908	1064	msedge.exe	89
PID 1064 wrote to memory of 1908	1064	msedge.exe	89
PID 1064 wrote to memory of 1908	1064	msedge.exe	89
PID 1064 wrote to memory of 1908	1064	msedge.exe	89
PID 1064 wrote to memory of 1908	1064	msedge.exe	89
PID 1064 wrote to memory of 1908	1064	msedge.exe	89
PID 1064 wrote to memory of 1908	1064	msedge.exe	89
PID 1064 wrote to memory of 1908	1064	msedge.exe	89
PID 1064 wrote to memory of 1908	1064	msedge.exe	89
PID 1064 wrote to memory of 1908	1064	msedge.exe	89
PID 1064 wrote to memory of 1908	1064	msedge.exe	89
PID 1064 wrote to memory of 1908	1064	msedge.exe	89
PID 1064 wrote to memory of 1908	1064	msedge.exe	89
PID 1064 wrote to memory of 1908	1064	msedge.exe	89
PID 1064 wrote to memory of 1908	1064	msedge.exe	89
PID 1064 wrote to memory of 1908	1064	msedge.exe	89
PID 1064 wrote to memory of 1908	1064	msedge.exe	89
PID 1064 wrote to memory of 1908	1064	msedge.exe	89
PID 1064 wrote to memory of 1908	1064	msedge.exe	89
PID 1064 wrote to memory of 1908	1064	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://itc.gov.ae
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff363b46f8,0x7fff363b4708,0x7fff363b4718
  2⤵
  PID:376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,15894022949328810749,17622210564545664427,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,15894022949328810749,17622210564545664427,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,15894022949328810749,17622210564545664427,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
  2⤵
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15894022949328810749,17622210564545664427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15894022949328810749,17622210564545664427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:2504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15894022949328810749,17622210564545664427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,15894022949328810749,17622210564545664427,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 /prefetch:8
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,15894022949328810749,17622210564545664427,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15894022949328810749,17622210564545664427,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15894022949328810749,17622210564545664427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15894022949328810749,17622210564545664427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
  2⤵
  PID:3728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15894022949328810749,17622210564545664427,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1
  2⤵
  PID:1312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,15894022949328810749,17622210564545664427,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1688 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
483924abaaa7ce1345acd8547cfe77f4

SHA1
4190d880b95d9506385087d6c2f5434f0e9f63e8

SHA256
9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684

SHA512
e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
984B

MD5
8b47ed7f0848273f79f3da0153c61794

SHA1
854da035d31a371d964cb53f2e586d27d71cd5f7

SHA256
d4a563ae83538a54639db4e04e97f076d6049db5962b95a331f6b479d7c9a30b

SHA512
00d629b56d9daf3fabcc3b1d84f8c0612b7a4fbabd5f4cc9824c79b2a6f7973af7628708645c398b768324471d633639c58595524d1fc04feeed37684edc97e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
249B

MD5
949d24843e0f29aba9a1254a47b56683

SHA1
7858992cc17ef5bba018750e8e9b81eb177d88ae

SHA256
9828f22c739a41f932caba515aa5169fca49cda7aa961d162f72a019a0d63131

SHA512
52e3f4c95baa81c83d9e51455ba8357ac7526710c1c40313a145b792bf97b50a734b33620a8a0d612deccb2d9c32708974250c4b80401a418f21abad823e487f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4ba4e4060fe00542d5b027ca4d1619f8

SHA1
65c71e948282e6f3081d3734ac05d79c4718f3df

SHA256
b4be7c8c60c3af7bc6f429a10e0a05bf3439c326569f0e7b28e3c6b416beab87

SHA512
45a6db73240b09daebbe89dbcc52cbb9742268166b8d595097534a9496350f82e4f4aac69e68ca539ed607074619e00b8c088aa227abac7e3c9d25072443ed12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
514a328c15f288e11e3f1cff23cbee24

SHA1
bc9c83168d79dc74167dbfda08690e89ed28fca5

SHA256
f66813e5f8ef2d74b5207a59a69b28056b86e81c780d326a8d8592826edde0db

SHA512
908d858dd4a27cbb234e81505fe781a1bc00c1dec67e1e0f3af92cd0441f64dbf20e4fa64b7de050af6e9e06fb4a2e96e33be38a7fcdcb80279d46be8dd03412

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
1c706d53e85fb5321a8396d197051531

SHA1
0d92aa8524fb1d47e7ee5d614e58a398c06141a4

SHA256
80c44553381f37e930f1c82a1dc2e77acd7b955ec0dc99d090d5bd6b32c3c932

SHA512
d43867392c553d4afffa45a1b87a74e819964011fb1226ee54e23a98fc63ca80e266730cec6796a2afa435b1ea28aed72c55eae1ae5d31ec778f53be3e2162fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
dc6831f5513e161701c5069406ad161a

SHA1
0ca6103836c7b93daa6d46bbbbb72b19ffedc7ce

SHA256
8c9b6614e1ae17b9ff4129e13d885dc51daadddb05246dda0ac21da8f3653940

SHA512
f8ceb2707e422ef0f12ce3996d124b070766e1dc9673792b837284d67e2276a7587a0b1fd2cddce25a4f0bb8b44dc9ee7e2b98194ada1766813e97815adf3054

Download Submit