3dfe4a942287b47f1eb29225788c1b0fc69eb1c1d5acbabd4c10788a2b7d3e52

Analysis

max time kernel
151s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2023 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

blackhatrussia.url
Size

187B
MD5

ef657464ae10c35ee89c6bfb900d83af
SHA1

1c68b493f87316260e99e3b5b1983fdec0c701b8
SHA256

cfd230d01d6c362a1005d5a530f1807a65ef8497a1246c43c0dfcd5a62022cbf
SHA512

80964f8716653eadf15fcea9bfec0800c4beeee6bc1155b421d51fde813d7752f33a6b33622c1f9f4b5c576c168c6f173349caf03f8e76525aa32251c0d340de

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
804	msedge.exe
804	msedge.exe
2980	msedge.exe
2980	msedge.exe
1296	identity_helper.exe
1296	identity_helper.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2980	2216	rundll32.exe	19
PID 2216 wrote to memory of 2980	2216	rundll32.exe	19
PID 2980 wrote to memory of 4248	2980	msedge.exe	30
PID 2980 wrote to memory of 4248	2980	msedge.exe	30
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 3308	2980	msedge.exe	90
PID 2980 wrote to memory of 804	2980	msedge.exe	89
PID 2980 wrote to memory of 804	2980	msedge.exe	89
PID 2980 wrote to memory of 4916	2980	msedge.exe	91
PID 2980 wrote to memory of 4916	2980	msedge.exe	91
PID 2980 wrote to memory of 4916	2980	msedge.exe	91
PID 2980 wrote to memory of 4916	2980	msedge.exe	91
PID 2980 wrote to memory of 4916	2980	msedge.exe	91
PID 2980 wrote to memory of 4916	2980	msedge.exe	91
PID 2980 wrote to memory of 4916	2980	msedge.exe	91
PID 2980 wrote to memory of 4916	2980	msedge.exe	91
PID 2980 wrote to memory of 4916	2980	msedge.exe	91
PID 2980 wrote to memory of 4916	2980	msedge.exe	91
PID 2980 wrote to memory of 4916	2980	msedge.exe	91
PID 2980 wrote to memory of 4916	2980	msedge.exe	91
PID 2980 wrote to memory of 4916	2980	msedge.exe	91
PID 2980 wrote to memory of 4916	2980	msedge.exe	91
PID 2980 wrote to memory of 4916	2980	msedge.exe	91
PID 2980 wrote to memory of 4916	2980	msedge.exe	91
PID 2980 wrote to memory of 4916	2980	msedge.exe	91
PID 2980 wrote to memory of 4916	2980	msedge.exe	91

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\blackhatrussia.url
1⤵
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.blackhatrussia.xyz/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff82f0146f8,0x7ff82f014708,0x7ff82f014718
    3⤵
    PID:4248
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,12142820448567599184,4647150872628024926,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,12142820448567599184,4647150872628024926,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
    3⤵
    PID:3308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,12142820448567599184,4647150872628024926,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
    3⤵
    PID:4916
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12142820448567599184,4647150872628024926,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
    3⤵
    PID:4864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12142820448567599184,4647150872628024926,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
    3⤵
    PID:2736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12142820448567599184,4647150872628024926,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
    3⤵
    PID:4280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12142820448567599184,4647150872628024926,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
    3⤵
    PID:5100
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,12142820448567599184,4647150872628024926,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5904 /prefetch:8
    3⤵
    PID:3160
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,12142820448567599184,4647150872628024926,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5904 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1296
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12142820448567599184,4647150872628024926,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
    3⤵
    PID:3080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12142820448567599184,4647150872628024926,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
    3⤵
    PID:3864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,12142820448567599184,4647150872628024926,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5048 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1296

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
4bc6c41c77d53f8e57a82d7f1cc5a8b7

SHA1
f4720dadc8be705d4e325c9d277a1db2a0157059

SHA256
e45dbec2f940928b9ee605aa744d7551da9ca86240fdd9deb529f66b6d9f2ed6

SHA512
c8e094a08c9dcae00499d4d1613817c304075620f81719e0b2034e10faea95fa0476f1cf8071513332e530b20c40c0d5ea8d18e5dcf9862af38eb4356714472e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
76c92a92f999dfac26a923d430ff8edb

SHA1
f114c2a7b7e8ff3b96e167696a430ba2267f4523

SHA256
3f004687898975f637e13b42dcf092229c0795f056f87054d6fc81a8ecf2895f

SHA512
f552e0519eef21881c36a357848b04f45bec08662e9780905fffd7c1ca4602386e642f55d4217fee3686f6b069c08f71df177c2da4fcb6356883248141e659da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2a0cf1300e7920aa10938b3673501bd1

SHA1
456fa6eecc59375cb52e277fa67aa3e90c931be1

SHA256
26159995b8b00866fa0c3ac74511afedc636da7a872a128037dc1107a648fff0

SHA512
1fcacd92f77b9bc82d7812d395510c3bb41c75dbc6f9021ddbc13d7c46a003cdb882ceec252ec1275e99203fde7b28c8918421281cb7ec0e49714d2adcc72035

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4875c4b21887dae473193f3c50196bf1

SHA1
b7cdad5779f3f1aff8bcf3499e4f6500b0201843

SHA256
34f471331bd5468aafa8be346d69039f1b348c4c71c12ebe9b59e0b1fb71a811

SHA512
01779b40e547e97dc110025351016cbaa08e4689d2435cc3b1319f62dac3622fc95088386fc8cb4b1635d8db3b4f8b1eee983560c699548fd565a8c0ec6594b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
f1881400134252667af6731236741098

SHA1
6fbc4f34542d449afdb74c9cfd4a6d20e6cdc458

SHA256
d6fcec1880d69aaa0229f515403c1a5ac82787f442c37f1c0c96c82ec6c15b75

SHA512
18b9ac92c396a01b6662a4a8a21b995d456716b70144a136fced761fd0a84c99e8bd0afb9585625809b87332da75727b82a07b151560ea253a3b8c241b799450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
484044b24431e2d5cfa0b0f0fe252b9a

SHA1
63fb9cf3f711d61728986acae0d4bb43e9a54ca6

SHA256
17a101711e4ed57ebc5d2bee9614c82350fd3724d45ec23c723f84eb05923d2e

SHA512
127cd8516d270343c7ca025852c3060c8c8c5bf78bdf883dd20c5fb77ff4a9550a881ad55096b27013bfeee2144229d896dd887e477ca274caf73c7454ae98a3

Download Submit