hxxps://clt198236[.]benchurl[.]com/c/v?e=171E3AE&c=3065C&t=0&l=17DC08B&email=gZ5vGCVXSDL3rtoQEyG1cbXcX7StzMuI

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2023, 10:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://clt198236.benchurl.com/c/v?e=171E3AE&c=3065C&t=0&l=17DC08B&email=gZ5vGCVXSDL3rtoQEyG1cbXcX7StzMuI

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2060	msedge.exe
2060	msedge.exe
3048	msedge.exe
3048	msedge.exe
4488	identity_helper.exe
4488	identity_helper.exe
5864	msedge.exe
5864	msedge.exe
5864	msedge.exe
5864	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 3452	3048	msedge.exe	30
PID 3048 wrote to memory of 3452	3048	msedge.exe	30
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 5044	3048	msedge.exe	89
PID 3048 wrote to memory of 2060	3048	msedge.exe	87
PID 3048 wrote to memory of 2060	3048	msedge.exe	87
PID 3048 wrote to memory of 2356	3048	msedge.exe	88
PID 3048 wrote to memory of 2356	3048	msedge.exe	88
PID 3048 wrote to memory of 2356	3048	msedge.exe	88
PID 3048 wrote to memory of 2356	3048	msedge.exe	88
PID 3048 wrote to memory of 2356	3048	msedge.exe	88
PID 3048 wrote to memory of 2356	3048	msedge.exe	88
PID 3048 wrote to memory of 2356	3048	msedge.exe	88
PID 3048 wrote to memory of 2356	3048	msedge.exe	88
PID 3048 wrote to memory of 2356	3048	msedge.exe	88
PID 3048 wrote to memory of 2356	3048	msedge.exe	88
PID 3048 wrote to memory of 2356	3048	msedge.exe	88
PID 3048 wrote to memory of 2356	3048	msedge.exe	88
PID 3048 wrote to memory of 2356	3048	msedge.exe	88
PID 3048 wrote to memory of 2356	3048	msedge.exe	88
PID 3048 wrote to memory of 2356	3048	msedge.exe	88
PID 3048 wrote to memory of 2356	3048	msedge.exe	88
PID 3048 wrote to memory of 2356	3048	msedge.exe	88
PID 3048 wrote to memory of 2356	3048	msedge.exe	88
PID 3048 wrote to memory of 2356	3048	msedge.exe	88
PID 3048 wrote to memory of 2356	3048	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://clt198236.benchurl.com/c/v?e=171E3AE&c=3065C&t=0&l=17DC08B&email=gZ5vGCVXSDL3rtoQEyG1cbXcX7StzMuI
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd57146f8,0x7ffcd5714708,0x7ffcd5714718
  2⤵
  PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,8845066787108270726,15700732242971106961,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,8845066787108270726,15700732242971106961,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2488 /prefetch:8
  2⤵
  PID:2356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,8845066787108270726,15700732242971106961,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8845066787108270726,15700732242971106961,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8845066787108270726,15700732242971106961,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,8845066787108270726,15700732242971106961,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,8845066787108270726,15700732242971106961,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8845066787108270726,15700732242971106961,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8845066787108270726,15700732242971106961,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8845066787108270726,15700732242971106961,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:4220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8845066787108270726,15700732242971106961,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
  2⤵
  PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,8845066787108270726,15700732242971106961,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3128 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2184

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
d97e4fa104078579b02097ea3cfceef5

SHA1
c21aae8ea00764cf3cca7057e66c00efeba05466

SHA256
160a3c662bed17aa6134bfa5e9a22c6f548f64a580f0ed2f278a0e4b9a3decc4

SHA512
576ab86dca825a63c70499a11d0cab570c4c158d837dac99cd03c0a37716cd6f00e38ed3c1f5bb4b0779181470d3d68f5a009885a140c0abf9d98adb2cba5ae7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
535B

MD5
5fed81b3939d23874bd3f832d4b31b4c

SHA1
d654c33b13458bc476c39d307e681ac8b853fcb2

SHA256
b0474316f833c204d8fe942f716f64c0cee94e3af69efa8e8efd23eb6618ab68

SHA512
6689fede1bece832aebb89d2839a5b1101f870a94264844ada6af51dda6c98aa861bc9f154f4a4afb1a39a77f41c2a9047c6a0d4bc48805aa2078d600cdd4982

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ed3b1543206163277de49f212c7930e2

SHA1
dbb02ee2b8f0659b44e5449306e2f7219d509e18

SHA256
29b9296338a3d272d6000c9f6009081b5d7e1528ebcab4d1f32b5dba76bdf40c

SHA512
8bf68804c68d48dad81abd5910254ced95767807dd6c13c7d277fa14e735163d495ad153a32fea76d27d03b9e187403def9acf55ef1e1068a9b6b3f1e1764e03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2b6e1949879bcc22e22e24bf12cfc5d7

SHA1
3c9650b2c53468a40994e5f182cded8325413d54

SHA256
81cde0641962bf2e7982b7f860f9b8e6b738f8ddbd3ebc2db61e9b6216c91000

SHA512
3c4a57b73abbd153e4596975d530b8463250ebe754640f4435806a807bc2f992d3d84d1738c8b06a5349a798304409f45f73e60d4a8d111317202cef8abfcfb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9b3a1215264ef48f175b9aa4369eccc9

SHA1
1343da7932365675e7cb91fac2c41e65aa770a86

SHA256
ad1e55494ebe6ff9c88151fd917c5e478a133fed2ab1b27ce59f123d1c40dbd3

SHA512
5e3dbd4d12bc7bcefbb2dc0dedcdbec9e53c31e8bec7372d70fb13bfef96615ef6c46107fa372092048d6d63d215c1bc4756a7f525c4600d01adfee9cd987e4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
0b8abe9b2d273da395ec7c5c0f376f32

SHA1
d7b266fb7310cc71ab5fdb0ef68f5788e702f2ec

SHA256
3751deeb9ad3db03e6b42dedcac68c1c9c7926a2beeaaa0820397b6ddb734a99

SHA512
3dd503ddf2585038aa2fedc53d20bb9576f4619c3dc18089d7aba2c12dc0288447b2a481327c291456d7958488ba2e2d4028af4ca2d30e92807c8b1cdcffc404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2039c6d0f8de74a17dcfb5a0cc895afd

SHA1
fbfe79b65fc953860de3dbc71c7f9ef162777834

SHA256
565562906b652f2134a2e928b39b748fa18fb2c5837ece066ab6c74cc3314848

SHA512
ab844f9d0d4c7a0622a09c96cd2ac5d4849adbd7e28dba0bf8ed7d79b15ebd9ebc05d15dc295e2b2d1f45f8c446aaa4107d4c43055edee24b90d7cb63f8cc784

Download Submit