hxxps://tubelike-stack-759313518224[.]herokuapp[.]com/+?y=49ii4eh26oqj6pj261hm2p9jcgrjao9g60o32d1jchj66op2

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2023, 15:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://tubelike-stack-759313518224.herokuapp.com/+?y=49ii4eh26oqj6pj261hm2p9jcgrjao9g60o32d1jchj66op2

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2980	msedge.exe
2980	msedge.exe
2508	msedge.exe
2508	msedge.exe
3724	identity_helper.exe
3724	identity_helper.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 4148	2508	msedge.exe	72
PID 2508 wrote to memory of 4148	2508	msedge.exe	72
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 4596	2508	msedge.exe	88
PID 2508 wrote to memory of 2980	2508	msedge.exe	89
PID 2508 wrote to memory of 2980	2508	msedge.exe	89
PID 2508 wrote to memory of 3624	2508	msedge.exe	90
PID 2508 wrote to memory of 3624	2508	msedge.exe	90
PID 2508 wrote to memory of 3624	2508	msedge.exe	90
PID 2508 wrote to memory of 3624	2508	msedge.exe	90
PID 2508 wrote to memory of 3624	2508	msedge.exe	90
PID 2508 wrote to memory of 3624	2508	msedge.exe	90
PID 2508 wrote to memory of 3624	2508	msedge.exe	90
PID 2508 wrote to memory of 3624	2508	msedge.exe	90
PID 2508 wrote to memory of 3624	2508	msedge.exe	90
PID 2508 wrote to memory of 3624	2508	msedge.exe	90
PID 2508 wrote to memory of 3624	2508	msedge.exe	90
PID 2508 wrote to memory of 3624	2508	msedge.exe	90
PID 2508 wrote to memory of 3624	2508	msedge.exe	90
PID 2508 wrote to memory of 3624	2508	msedge.exe	90
PID 2508 wrote to memory of 3624	2508	msedge.exe	90
PID 2508 wrote to memory of 3624	2508	msedge.exe	90
PID 2508 wrote to memory of 3624	2508	msedge.exe	90
PID 2508 wrote to memory of 3624	2508	msedge.exe	90
PID 2508 wrote to memory of 3624	2508	msedge.exe	90
PID 2508 wrote to memory of 3624	2508	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://tubelike-stack-759313518224.herokuapp.com/+?y=49ii4eh26oqj6pj261hm2p9jcgrjao9g60o32d1jchj66op2
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffacf6d46f8,0x7ffacf6d4708,0x7ffacf6d4718
  2⤵
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,3068058766495834508,3112801193078538506,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,3068058766495834508,3112801193078538506,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,3068058766495834508,3112801193078538506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
  2⤵
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,3068058766495834508,3112801193078538506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:1868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,3068058766495834508,3112801193078538506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,3068058766495834508,3112801193078538506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,3068058766495834508,3112801193078538506,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8
  2⤵
  PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,3068058766495834508,3112801193078538506,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,3068058766495834508,3112801193078538506,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
  2⤵
  PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,3068058766495834508,3112801193078538506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
  2⤵
  PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,3068058766495834508,3112801193078538506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,3068058766495834508,3112801193078538506,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,3068058766495834508,3112801193078538506,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2796 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2240

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
308B

MD5
e9aac774e1a881e76325083ae7f81cfa

SHA1
06c51021baf77da36e49d8027f9b09531dd79284

SHA256
8363af717321829a5c9b49629258860a1bb1c31e73bcebe57ee0a7c06992d47f

SHA512
01f330418bf1c3e5d78319cf90e85eb00a11a7a7fc097e934e14b9a5a68101a27d8db43c1fc87b98a1ba841297b3f33f622d3c8feac3da47a4daa0a1677b7afb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1420efb705c56c8d91e89b2833818634

SHA1
847357bde29fe7cb3bcbd6123d902f1689bf3253

SHA256
c2fc0a7a48697e7de687a2cd51d4be364fe945b6ef14ea95de444ceddeb87ab9

SHA512
fcda09b4ce8385a53570130595d724e3e4460cc9650e5fadc5ed908b03a2213dc67a55ea82e7b9a865c3b67e89ddad8326c4c45883cf6a3c56d68f4b25a41f78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2af75c811be175f74639307ae5bf1fed

SHA1
2a419f95cefdb64a6c32987c87c22ed70f3446da

SHA256
e415755a8ae450af8795e28dbbd273b9e0e7517b71078f44d169cf6cd9a30388

SHA512
14a919bb3c8369381aa6b69ed2353ea6cbb6dec51616c0be59ce610963fd62bd1b8cfd6a8ad4f0aa92456df314bccf8996040b17a1846dde88325d06b3e12215

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e2565e589c9c038c551766400aefc665

SHA1
77893bb0d295c2737e31a3f539572367c946ab27

SHA256
172017da29bce2bfe0c8b4577a9b8e7a97a0585fd85697f51261f39b28877e80

SHA512
5a33ce3d048f2443c5d1aee3922693decc19c4d172aff0b059b31af3b56aa5e413902f9a9634e5ee874b046ae63a0531985b0361467b62e977dcff7fc9913c4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cc11b6e6308ab4003a103918bf4bc68c

SHA1
7106d183769b95558c99d469cab89cebe6d1af32

SHA256
0a94ec2c50b959599202587e914a0daa57594b3051f5cc1761bfbc59caa6a4a7

SHA512
bda5b874c15f7f468cfa30baed2f13c1b9febddf1575b9a4b7a18caa3c20c4b1cea21496408b1fbe781e503c07e3f07ba9f20834412ff1e7cde4865148e90b83

Download Submit