Analysis
max time kernel: 146s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231025-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231025-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/11/2023, 14:20
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://banruralgt--erick-olaf.repl.co/
Resource: win10v2004-20231025-en
General
Target: https://banruralgt--erick-olaf.repl.co/
Malware Config
Signatures

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
23    api.ipify.org
24    api.ipify.org

Enumerates system info in registry (2 TTPs, 3 IoCs)
description        ioc                                                                    Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid   Process
5092  msedge.exe (2 rows)
3724  msedge.exe (2 rows)
1292  identity_helper.exe (2 rows)
6028  msedge.exe (4 rows)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
pid   Process
3724  msedge.exe (6 rows, all identical)

Suspicious use of FindShellTrayWindow (25 IoCs)
pid   Process
3724  msedge.exe (25 rows, all identical)

Suspicious use of SendNotifyMessage (24 IoCs)
pid   Process
3724  msedge.exe (24 rows, all identical)

Suspicious use of WriteProcessMemory (64 IoCs)
description                        pid   Process     procid_target
PID 3724 wrote to memory of 2924   3724  msedge.exe  86  (2 rows)
PID 3724 wrote to memory of 4428   3724  msedge.exe  87  (repeated)
PID 3724 wrote to memory of 5092   3724  msedge.exe  88  (2 rows)
PID 3724 wrote to memory of 1932   3724  msedge.exe  89  (repeated)
The rows for targets 4428 and 1932 together account for the remaining 60 of the 64 listed entries.
Processes
(Process tree as shown in the report: indented entries are child processes of the entry above them.)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3724)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://banruralgt--erick-olaf.repl.co/
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2924)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fff2eb546f8,0x7fff2eb54708,0x7fff2eb54718

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4428)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,10163867804350325672,10190636601491366932,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5092)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,10163867804350325672,10190636601491366932,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1932)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,10163867804350325672,10190636601491366932,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2300)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10163867804350325672,10190636601491366932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2680)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10163867804350325672,10190636601491366932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 2148)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,10163867804350325672,10190636601491366932,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1292)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,10163867804350325672,10190636601491366932,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2424)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10163867804350325672,10190636601491366932,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1716)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10163867804350325672,10190636601491366932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4512)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10163867804350325672,10190636601491366932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5064)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10163867804350325672,10190636601491366932,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6028)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,10163867804350325672,10190636601491366932,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4608 /prefetch:2
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe (PID 4152)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (PID 4068)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
MD5: aed593b08b94f34dd8f68fd369652ac2
SHA1: 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95
SHA256: 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7
SHA512: 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\526ecfa5-a80a-4fed-92ab-87137899dea3.tmp
Filesize: 5KB
MD5: 93dd5224e3abe7283b63210eeed819aa
SHA1: b81e11435c1dd9389f25cad7d10d5e5a0229efab
SHA256: 4fd43386a35034373c3de959d2aa9c966d64f899013e276a2c05a00e7a5cda11
SHA512: a1a12b6f732e043f042ebe5f2ee72ad306ed78e2485dfb400823bbda7d031f9cc296d6660e529d15dab858b3e1086b352f9086b220e6da0983c6ea8a855f87b0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 72B
MD5: e67fdeedc38b66fb3c03d707d9ed97b1
SHA1: 449542f3105eb678faa11ba3ff4cfad6310409fe
SHA256: 40d7293152faa6a8a07aca45a24684f7d544abc65027ab06bc9088c709f56c97
SHA512: 0839ba45686e85158d19efd22c7a173102af6d16032f90405cfba81fd94339f154f1ff42e11fd1ac8df4a025f29c9cd954e717b5bdb0aac4e2f56143499da4d8

Filesize: 393B
MD5: 130b11408078c89d167a37daf35ae53c
SHA1: da83138127a608ff897604d1a170ad351785d5d9
SHA256: 96884d417ab405c20fb8afd5f9a4fcf167a7dfb562af05816ea2e5acc53f40a0
SHA512: e41bf2e43da1e340f1b6d9f9496f6add566bf7f2ec7065058cd6f00c784d2e5b677d18dca7032e0164473835b9b365a891accc8f891dedf8277af1b95586642b

Filesize: 111B
MD5: 285252a2f6327d41eab203dc2f402c67
SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Filesize: 5KB
MD5: 76fcb322327db5e97780dbd2eb45a059
SHA1: 46c21b6e6babccc617aab74c58f557e3ee9895fe
SHA256: e9b914203938f359538800b9d04a4a7cf0a8e7c21ee67cc22a95b6977600d301
SHA512: f193e91ec6797b38344f7e1f8c27c7bbead6c77833c123e8e06041b459d5fa188181f263d570a9d9ca172eef3af97b5029cc282f9bc79d6ffa847e5316afb287

Filesize: 5KB
MD5: 38c8584c90a924aa25a1d38f9c91303c
SHA1: 21b5d2e369189cbc610c8a94247e3cf873af2487
SHA256: be6d8642885a222a601c1c6b81dfcab5a4cd536de26264d7f32054720f477c60
SHA512: 0d2b685b1066c91fd3302b4ebc8dd4ae243bb60ff7f53734acfc753ae79eb5d4708c2015272ff73c62a451822454f006a89c7e1dce0e05950994437228f2a8a4

Filesize: 24KB
MD5: e2565e589c9c038c551766400aefc665
SHA1: 77893bb0d295c2737e31a3f539572367c946ab27
SHA256: 172017da29bce2bfe0c8b4577a9b8e7a97a0585fd85697f51261f39b28877e80
SHA512: 5a33ce3d048f2443c5d1aee3922693decc19c4d172aff0b059b31af3b56aa5e413902f9a9634e5ee874b046ae63a0531985b0361467b62e977dcff7fc9913c4d

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 10KB
MD5: 13a81abf69265d8b51dba1e0f934dae3
SHA1: 0499b075f3b6cb3aa67dba4d524913c6f4e1883f
SHA256: e5dcade4ee5a75e71ddfd6d6cdbcaa6db127f2662b40ec601f85fd76ad043a5f
SHA512: c189500e15f1aa00d22f995061265c6be9bab573e0c81ae8529d2983f7d7fb75f9f594edeb9866a6cb506a9961ab7203553a3ea2d1ae8ca41c94f0cf624108f3

Filesize: 10KB
MD5: abd67b4638c283f105839a59db55191a
SHA1: 3a68a5cba158fdc1f2bce00e9db886b9d1308b71
SHA256: 869c681c4fdbc739a2e144eff8e0e65744ab0827d2dde1bd065e76f4170c142e
SHA512: 502cc199ca01c66713d64d3d3c96d800a9ceec6e1229c39be332aa95a6aeb0120b4bb914db52c8ba3fa17967ed458797772151631ae23605884e386027f9b5b5