hxxps://discord[.]com/servers/the-genesis-project-207045717687009280

Analysis

max time kernel
146s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2023 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://discord.com/servers/the-genesis-project-207045717687009280

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4388	msedge.exe
4388	msedge.exe
4668	msedge.exe
4668	msedge.exe
3912	identity_helper.exe
3912	identity_helper.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 2112	4668	msedge.exe	85
PID 4668 wrote to memory of 2112	4668	msedge.exe	85
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4132	4668	msedge.exe	86
PID 4668 wrote to memory of 4388	4668	msedge.exe	87
PID 4668 wrote to memory of 4388	4668	msedge.exe	87
PID 4668 wrote to memory of 4976	4668	msedge.exe	88
PID 4668 wrote to memory of 4976	4668	msedge.exe	88
PID 4668 wrote to memory of 4976	4668	msedge.exe	88
PID 4668 wrote to memory of 4976	4668	msedge.exe	88
PID 4668 wrote to memory of 4976	4668	msedge.exe	88
PID 4668 wrote to memory of 4976	4668	msedge.exe	88
PID 4668 wrote to memory of 4976	4668	msedge.exe	88
PID 4668 wrote to memory of 4976	4668	msedge.exe	88
PID 4668 wrote to memory of 4976	4668	msedge.exe	88
PID 4668 wrote to memory of 4976	4668	msedge.exe	88
PID 4668 wrote to memory of 4976	4668	msedge.exe	88
PID 4668 wrote to memory of 4976	4668	msedge.exe	88
PID 4668 wrote to memory of 4976	4668	msedge.exe	88
PID 4668 wrote to memory of 4976	4668	msedge.exe	88
PID 4668 wrote to memory of 4976	4668	msedge.exe	88
PID 4668 wrote to memory of 4976	4668	msedge.exe	88
PID 4668 wrote to memory of 4976	4668	msedge.exe	88
PID 4668 wrote to memory of 4976	4668	msedge.exe	88
PID 4668 wrote to memory of 4976	4668	msedge.exe	88
PID 4668 wrote to memory of 4976	4668	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.com/servers/the-genesis-project-207045717687009280
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb4c0246f8,0x7ffb4c024708,0x7ffb4c024718
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,4544498311798044270,14346567580019618509,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:4132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,4544498311798044270,14346567580019618509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,4544498311798044270,14346567580019618509,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4544498311798044270,14346567580019618509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4544498311798044270,14346567580019618509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,4544498311798044270,14346567580019618509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,4544498311798044270,14346567580019618509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4544498311798044270,14346567580019618509,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:1204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4544498311798044270,14346567580019618509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4544498311798044270,14346567580019618509,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:5480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4544498311798044270,14346567580019618509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
  2⤵
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,4544498311798044270,14346567580019618509,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2032 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
483924abaaa7ce1345acd8547cfe77f4

SHA1
4190d880b95d9506385087d6c2f5434f0e9f63e8

SHA256
9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684

SHA512
e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
2b7e7bbb504e863a2a10571f369fde74

SHA1
d81ccbda5402ac2576d843642c2cd290110b1a19

SHA256
83a4ae28198e618c49b2217d0055e6f230ffc5539f8b5effa617f1ed9ae93a86

SHA512
651f768f7ebc3e1e0d7963b713a22b8e645159245fb280433da59b3211d7a56f9ddf0e5f93b48e621f8ce33794b3114052772fc4689084ab98c89446d73c6782

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
479B

MD5
2e8e59ec5b3ed5e816143b392bc98ab5

SHA1
091cca026b9350209dbc74fb2ec076079e1f277f

SHA256
f9c5cc47c0ba03ec36b7fb6ccfc481edab30888c5da729ea8258f59437471380

SHA512
8c3e250f1ad5552d5419416a36e57ef5747fb3b7cb08f217568a8fd195e25f5e781f969f68dfac63a5d895605806630c22fe47a943ce8cac215d7c658b82d82a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3903afb3a8eb0ec73826c6f400872776

SHA1
d66419f4f2ba51e8d48ec0363ebe71b996ac7aeb

SHA256
840073106415acf048f50d1ff7c1f54c86f810ee60ddf692a62f29440ed177bb

SHA512
143dc170bcc7f8394e5c23045396cbfd34c098332129d54d41f07582be2df927af4e69f577a4985421554c01a2d451e4dde5f7e767a0616c29ac1994e65f8ac5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cbb95543c8ccbbc080d54c4b3ee31249

SHA1
fe4c221144e731574b97986953b6d2fb5021f69f

SHA256
501f8a7550c4aa17832a86599eea052638642882ab060208984ebc060fcdcbb4

SHA512
a87a4479b16ad03020c35a5af9463e47fd726b0b1153114cec35b3a7fa67e775578397f87d245530b012912ebd620229d71f1ce4361bf720ecc05df627319ff4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
1c706d53e85fb5321a8396d197051531

SHA1
0d92aa8524fb1d47e7ee5d614e58a398c06141a4

SHA256
80c44553381f37e930f1c82a1dc2e77acd7b955ec0dc99d090d5bd6b32c3c932

SHA512
d43867392c553d4afffa45a1b87a74e819964011fb1226ee54e23a98fc63ca80e266730cec6796a2afa435b1ea28aed72c55eae1ae5d31ec778f53be3e2162fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
28ebb2c4a9f24556f5bb940d6673285d

SHA1
9c7cc5d4507176fb7bf16f70034e05840fd9b0c6

SHA256
667d64c703413ddfc101c5d392c09ab6ed077153eefbe8e5283cafa72da080d1

SHA512
b85c394f660d0f909197b7893e5701058d52822e2985d1d84b1be23a196dcb5b5bb2a63ae191b9349ad4d9478c27d973e3e4ccea35f16c37ce2ca36dda44fb31

Download Submit