Analysis
max time kernel: 68s
max time network: 73s
platform: windows10-2004_x64
resource: win10v2004-20231025-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231025-en locale:en-us os:windows10-2004-x64 system
submitted: 09-11-2023 11:00
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://hopplawfirm-1322273052.cos.ap-singapore.myqcloud.com/hopplawfirm.html
Resource: win10v2004-20231025-en
General
Target: https://hopplawfirm-1322273052.cos.ap-singapore.myqcloud.com/hopplawfirm.html
Malware Config
Signatures
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description        ioc                                                                    process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid   process
  3672  msedge.exe
  3672  msedge.exe
  2616  msedge.exe
  2616  msedge.exe
  4340  identity_helper.exe
  4340  identity_helper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
Processes:
  pid   process
  2616  msedge.exe  (6 identical entries)
Suspicious use of FindShellTrayWindow (25 IoCs)
Processes:
  pid   process
  2616  msedge.exe  (25 identical entries)
Suspicious use of SendNotifyMessage (24 IoCs)
Processes:
  pid   process
  2616  msedge.exe  (24 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  description                         pid   process     target process
  PID 2616 wrote to memory of 3508    2616  msedge.exe  msedge.exe
  PID 2616 wrote to memory of 2908    2616  msedge.exe  msedge.exe
  PID 2616 wrote to memory of 3672    2616  msedge.exe  msedge.exe
  PID 2616 wrote to memory of 2644    2616  msedge.exe  msedge.exe
  (64 entries in total; they differ only in the target PID, which is one of 3508, 2908, 3672 or 2644, and all are msedge.exe writing to a child msedge.exe)
Processes
-
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://hopplawfirm-1322273052.cos.ap-singapore.myqcloud.com/hopplawfirm.html
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe434146f8,0x7ffe43414708,0x7ffe43414718
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,7858024809498257150,6250339433989148015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,7858024809498257150,6250339433989148015,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,7858024809498257150,6250339433989148015,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7858024809498257150,6250339433989148015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7858024809498257150,6250339433989148015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,7858024809498257150,6250339433989148015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,7858024809498257150,6250339433989148015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7858024809498257150,6250339433989148015,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7858024809498257150,6250339433989148015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7858024809498257150,6250339433989148015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7858024809498257150,6250339433989148015,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
-
C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (Filesize 152B)
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index (Filesize 240B)
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State (Filesize 111B)
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (Filesize 5KB)
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (Filesize 5KB)
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (Filesize 5KB)
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences (Filesize 24KB)
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a9e73a93-8163-4922-9816-8aeb2bfa239f.tmp (Filesize 5KB)
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT (Filesize 16B)
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (Filesize 10KB)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic (Filesize 2B)
-
\??\pipe\LOCAL\crashpad_2616_RXDCOVNJCNWPKBBB