hxxps://www[.]reddit[.]com/r/wildrose/

Analysis

max time kernel
146s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2023, 13:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://www.reddit.com/r/wildrose/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1640	msedge.exe
1640	msedge.exe
1740	msedge.exe
1740	msedge.exe
4972	identity_helper.exe
4972	identity_helper.exe
4356	msedge.exe
4356	msedge.exe
4356	msedge.exe
4356	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 3996	1740	msedge.exe	86
PID 1740 wrote to memory of 3996	1740	msedge.exe	86
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 4764	1740	msedge.exe	87
PID 1740 wrote to memory of 1640	1740	msedge.exe	88
PID 1740 wrote to memory of 1640	1740	msedge.exe	88
PID 1740 wrote to memory of 1292	1740	msedge.exe	89
PID 1740 wrote to memory of 1292	1740	msedge.exe	89
PID 1740 wrote to memory of 1292	1740	msedge.exe	89
PID 1740 wrote to memory of 1292	1740	msedge.exe	89
PID 1740 wrote to memory of 1292	1740	msedge.exe	89
PID 1740 wrote to memory of 1292	1740	msedge.exe	89
PID 1740 wrote to memory of 1292	1740	msedge.exe	89
PID 1740 wrote to memory of 1292	1740	msedge.exe	89
PID 1740 wrote to memory of 1292	1740	msedge.exe	89
PID 1740 wrote to memory of 1292	1740	msedge.exe	89
PID 1740 wrote to memory of 1292	1740	msedge.exe	89
PID 1740 wrote to memory of 1292	1740	msedge.exe	89
PID 1740 wrote to memory of 1292	1740	msedge.exe	89
PID 1740 wrote to memory of 1292	1740	msedge.exe	89
PID 1740 wrote to memory of 1292	1740	msedge.exe	89
PID 1740 wrote to memory of 1292	1740	msedge.exe	89
PID 1740 wrote to memory of 1292	1740	msedge.exe	89
PID 1740 wrote to memory of 1292	1740	msedge.exe	89
PID 1740 wrote to memory of 1292	1740	msedge.exe	89
PID 1740 wrote to memory of 1292	1740	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.reddit.com/r/wildrose/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa9a2146f8,0x7ffa9a214708,0x7ffa9a214718
  2⤵
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,17658261130001036964,4261137468899220465,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,17658261130001036964,4261137468899220465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,17658261130001036964,4261137468899220465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
  2⤵
  PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17658261130001036964,4261137468899220465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17658261130001036964,4261137468899220465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:988
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,17658261130001036964,4261137468899220465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,17658261130001036964,4261137468899220465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17658261130001036964,4261137468899220465,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17658261130001036964,4261137468899220465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17658261130001036964,4261137468899220465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17658261130001036964,4261137468899220465,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:4228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,17658261130001036964,4261137468899220465,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1832 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
19681920c39d3c746c958a951d130946

SHA1
78ab7f0b2a182a8bd855dc6cbd76c366747957db

SHA256
9586ed869a29d8853a36c3c409ac46f66a287620c4f652e804f552712b3e229e

SHA512
1bc95847a76084075e111f56551724377520f9b91dbc17c841e8f90778c11ea0f3ab994526ece11ca8660b0ad6d12898826505b1edcbb7cadb5965a4cf4bbb27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
716B

MD5
f7454cb4074224e77ecbaea267c45cd5

SHA1
fc106cf96161edca57e8bd65ce6a3649b815707a

SHA256
d9e0e5ce815f45190c368347a3f7756ccdff2e16aba49d32fef0aea972d1c806

SHA512
496a9ba8ed5f09ba25cdb7ac48a5cefcd36b68dab6cb1ac25f8969b1d84663c38415ceb5abd57a41473bada99ff72c0a7e45dc9a3c15c7305d83db384fd7fadb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e5052177ed02d284104868bf18e4e3bb

SHA1
8ca7b3b5800afa0c5106c8b17d5ac981cd04c47d

SHA256
0d7a4cb88bf8bc8ec473783195fa7e321f9dcdefdaaea026d9646babb71fe4db

SHA512
2fbd3f67a2f25dba7ada2930649691b7e6a02205edb0398edf0ebab114bcb43db7d605d9aa359acf202bcc51938fc17d7601fc41dc3f5710c2abbc03c1b305da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6a23fc24e5e36223bfe82aaf39f69d8f

SHA1
3a5bbcddb2df6a9693134d4975708a079cccc6f0

SHA256
a6119bbac5fcc3bd3442c97b8a2634af8d74de1d7796b497190ae2a548355988

SHA512
db383fcd53332356c4c04c768cfa6b886d05be12535952e156b0e7d6a261e55e3298278d5d5ab81ab3f515554609d43e9e5868bc0e6263c1a376ca796c4e7820

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e05436aebb117e9919978ca32bbcefd9

SHA1
97b2af055317952ce42308ea69b82301320eb962

SHA256
cc9bd0953e70356e31a957ad9a9b1926f5e2a9f6a297cdef303ac693a2a86b7f

SHA512
11328e9514ffaa3c1eab84fae06595d75c8503bd5601adfd806182d46065752885a871b738439b356d1bb2c1ac71fc81e9d46bd2d0daa1b2ba0f40543bf952b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
537B

MD5
96c6a9790462917f3aa68d3d9727bb5e

SHA1
4c4a2c7a89834daec03d8b9b4b685854022152de

SHA256
a7b58815a515d915a5bfe0bc829688baefe1441b5755e131a24ff6aa0c5e4488

SHA512
812c43c210f709fa22735e1170bae99071815614454b2d46c49bece3103404646e2a76745adc965647d7753f880845af78082f232497e8f7a5822782a065860f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58b4c4.TMP

Filesize
537B

MD5
55bf69f6576b43b90031d11746f28d30

SHA1
bdf10fda93e9d4fa221f22bf90a5f36aa4e681ee

SHA256
be1dd6172453776e50e6e2370732943291022b50a3cefc3ecd0e622b67057c17

SHA512
e9d77144758e47e2bfa588c42566c6b0c2c7947571f98b8e81680ece2eb10f29f873414395a1fdbb2b241abb38bcd576e1f7e1f6bf9fb025559ec004cf4d5894

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f00f90b02d32e02c45a878b4f6fe3f60

SHA1
d0baa7617373742ca4c81481429137e93e9a04af

SHA256
3ff3d7d32e87e926accde60dd01fa643e6d915959f72b4cd7a2455890cb3c38b

SHA512
1d078399a2d162d8e8f825ef4faebb8281a2f09ea68281522eeff63ed0df8e03611bb844161f452b6de601f3f48d5215c021794bd76469f8a2fea8735f80c61f

Download Submit