hxxps://production3[.]de/invite/i=3388

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2023, 05:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://production3.de/invite/i=3388

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3156	msedge.exe
3156	msedge.exe
1816	msedge.exe
1816	msedge.exe
4236	identity_helper.exe
4236	identity_helper.exe
5660	msedge.exe
5660	msedge.exe
5660	msedge.exe
5660	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 2860	1816	msedge.exe	88
PID 1816 wrote to memory of 2860	1816	msedge.exe	88
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 4828	1816	msedge.exe	90
PID 1816 wrote to memory of 3156	1816	msedge.exe	89
PID 1816 wrote to memory of 3156	1816	msedge.exe	89
PID 1816 wrote to memory of 1384	1816	msedge.exe	91
PID 1816 wrote to memory of 1384	1816	msedge.exe	91
PID 1816 wrote to memory of 1384	1816	msedge.exe	91
PID 1816 wrote to memory of 1384	1816	msedge.exe	91
PID 1816 wrote to memory of 1384	1816	msedge.exe	91
PID 1816 wrote to memory of 1384	1816	msedge.exe	91
PID 1816 wrote to memory of 1384	1816	msedge.exe	91
PID 1816 wrote to memory of 1384	1816	msedge.exe	91
PID 1816 wrote to memory of 1384	1816	msedge.exe	91
PID 1816 wrote to memory of 1384	1816	msedge.exe	91
PID 1816 wrote to memory of 1384	1816	msedge.exe	91
PID 1816 wrote to memory of 1384	1816	msedge.exe	91
PID 1816 wrote to memory of 1384	1816	msedge.exe	91
PID 1816 wrote to memory of 1384	1816	msedge.exe	91
PID 1816 wrote to memory of 1384	1816	msedge.exe	91
PID 1816 wrote to memory of 1384	1816	msedge.exe	91
PID 1816 wrote to memory of 1384	1816	msedge.exe	91
PID 1816 wrote to memory of 1384	1816	msedge.exe	91
PID 1816 wrote to memory of 1384	1816	msedge.exe	91
PID 1816 wrote to memory of 1384	1816	msedge.exe	91

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://production3.de/invite/i=3388
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa92846f8,0x7ffaa9284708,0x7ffaa9284718
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,5566836667564791934,5058728280245587570,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,5566836667564791934,5058728280245587570,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,5566836667564791934,5058728280245587570,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
  2⤵
  PID:1384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5566836667564791934,5058728280245587570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5566836667564791934,5058728280245587570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2160,5566836667564791934,5058728280245587570,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5088 /prefetch:8
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5566836667564791934,5058728280245587570,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5566836667564791934,5058728280245587570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
  2⤵
  PID:1884
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,5566836667564791934,5058728280245587570,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5876 /prefetch:8
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,5566836667564791934,5058728280245587570,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5876 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5566836667564791934,5058728280245587570,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5566836667564791934,5058728280245587570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,5566836667564791934,5058728280245587570,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4140 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:312

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e8 0x33c
1⤵
PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\461d05d9-16df-43d5-a6e5-ce9eaeafd430.tmp

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
1024KB

MD5
81346793f8f08976731750d9161c0753

SHA1
5f3546087480db22ee14878aae78008abec3a3c0

SHA256
d4a75b002d0eb11bb1e76d2981fee30c5769d4dcb8d303e65ee9c4cc0124dbe3

SHA512
721af6a1feb5ea54e519abb4c58490c59ce0053bda850c4245e8bbfbb03b76ad49a154dd27ae977046d2435c88c8b57af31868845ee526501e80d9041b755bc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
56e841be21871c84fda2fab76f9bcfe0

SHA1
204d8fb669140efeae059e9005bb37d1b731b520

SHA256
0e1120590e2ed447b4303f1548720b67b129e6642f5cfc577e108f649eaf6ff4

SHA512
7f0a881f619f73f833896860cd0c839aa2567684caac60cffca2d966eef8c0e20efb7f2b890b19c96b7f46b0d216af6d068089c8e5b110736a07f7d04503deee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
615B

MD5
33ffef5069634b0cce395423a4ab76c3

SHA1
5e6a1907d4cb266d894fd9a5eae8afca5ac717dd

SHA256
cc393bf3ce4e5b434fd79b8f6ea4bf33deb4c2415fddd1e6c32d927d5f1205fc

SHA512
00d12250e16cb81fd29a6c823504b312d61fc618466dfde00f68efa1babd82243bf8be60d62c2cc90f3c59192199db1a6c93d2e77a04c904ed356762e98472a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
72d3eaf544e083f162ca14fa1f4efe20

SHA1
bd8d7a0d9108d0bf8aa148683943873f06bd10aa

SHA256
9d1203bc5df1761298df8b600a13fb0cc5e17721baa4d96da32aad857b57c3b0

SHA512
08bea03137ad732ed09b08ab7ec93d07ea09fb97e09b196ff6f0cd97c2795d4c9eefbba806f891330264ae8320cdbbac77d6754005a8b17c1dd8515444b45654

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6170f419adcb7537bfb6be872b75119a

SHA1
77a4d89ddd7247db03fb4f8caf4ea5f85a43fef7

SHA256
195bad4128e7a9ae92f61a4e5245bacd6bb54a7539f60f1da256308855d28242

SHA512
94c8ec51f114d5d060be7c12ae01f8e004becbdf958739b30cb859cc6668b58d1834a7afc0eeb2844718b1839a1eac454cc7aff509904f83fae206d7d19cf403

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
882f5a29a18f1a650159975cfc879568

SHA1
89be6de02bdf5b2ce299edb5e8544a45a077f5a5

SHA256
c974a90119f65b2ac75efcb26a6e2fb8c56abee3ae1b9291aa52c2724a19ff11

SHA512
c0d59499d32b82d39ec2b4744a0fe3e6924e42c31254b29e7c498c64e148435da359d3c8a84c79c615947f9c3f4bf5ae30f43d4bb8429777a90b8c624353e35c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
3a748249c8b0e04e77ad0d6723e564ff

SHA1
5c4cc0e5453c13ffc91f259ccb36acfb3d3fa729

SHA256
f98f5543c33c0b85b191bb85718ee7845982275130da1f09e904d220f1c6ceed

SHA512
53254db3efd9c075e4f24a915e0963563ce4df26d4771925199a605cd111ae5025a65f778b4d4ed8a9b3e83b558066cd314f37b84115d4d24c58207760174af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3cdf786e0ee06aba6e07fb020efab42a

SHA1
1b7620d100f57113ffdd6bbdc6187575dc2570a0

SHA256
6eac3f02937adaab176e9efc6e3d668a2d47e3bf37a2ef702bb0959968443eff

SHA512
86b24b74f7bfb03c832311ba14c535632d6feff8ec13e89e81503db6e3eeab733afc27ea82366cec633e37e2ddc6531150c3df291ecca705c55e40a7a9c77f5f

Download Submit