hxxp://GitHub[.]com/feather

Analysis

max time kernel
1046s
max time network
974s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
17/11/2023, 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://GitHub.com/feather

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3848	msedge.exe
3848	msedge.exe
5028	msedge.exe
5028	msedge.exe
1676	identity_helper.exe
1676	identity_helper.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 1756	5028	msedge.exe	86
PID 5028 wrote to memory of 1756	5028	msedge.exe	86
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 2352	5028	msedge.exe	87
PID 5028 wrote to memory of 3848	5028	msedge.exe	88
PID 5028 wrote to memory of 3848	5028	msedge.exe	88
PID 5028 wrote to memory of 2428	5028	msedge.exe	89
PID 5028 wrote to memory of 2428	5028	msedge.exe	89
PID 5028 wrote to memory of 2428	5028	msedge.exe	89
PID 5028 wrote to memory of 2428	5028	msedge.exe	89
PID 5028 wrote to memory of 2428	5028	msedge.exe	89
PID 5028 wrote to memory of 2428	5028	msedge.exe	89
PID 5028 wrote to memory of 2428	5028	msedge.exe	89
PID 5028 wrote to memory of 2428	5028	msedge.exe	89
PID 5028 wrote to memory of 2428	5028	msedge.exe	89
PID 5028 wrote to memory of 2428	5028	msedge.exe	89
PID 5028 wrote to memory of 2428	5028	msedge.exe	89
PID 5028 wrote to memory of 2428	5028	msedge.exe	89
PID 5028 wrote to memory of 2428	5028	msedge.exe	89
PID 5028 wrote to memory of 2428	5028	msedge.exe	89
PID 5028 wrote to memory of 2428	5028	msedge.exe	89
PID 5028 wrote to memory of 2428	5028	msedge.exe	89
PID 5028 wrote to memory of 2428	5028	msedge.exe	89
PID 5028 wrote to memory of 2428	5028	msedge.exe	89
PID 5028 wrote to memory of 2428	5028	msedge.exe	89
PID 5028 wrote to memory of 2428	5028	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://GitHub.com/feather
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0x100,0x104,0xe4,0x108,0x7ff85f3046f8,0x7ff85f304708,0x7ff85f304718
  2⤵
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,9968547129689301813,15607682663015879152,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,9968547129689301813,15607682663015879152,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,9968547129689301813,15607682663015879152,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
  2⤵
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9968547129689301813,15607682663015879152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9968547129689301813,15607682663015879152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9968547129689301813,15607682663015879152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:1336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9968547129689301813,15607682663015879152,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9968547129689301813,15607682663015879152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
  2⤵
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,9968547129689301813,15607682663015879152,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 /prefetch:8
  2⤵
  PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,9968547129689301813,15607682663015879152,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9968547129689301813,15607682663015879152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9968547129689301813,15607682663015879152,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,9968547129689301813,15607682663015879152,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2980 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3ff6729f8319e91616c1300b3cddd782

SHA1
dce6a5f53eaaf7cf556bd3d49385a6a8c6d9df37

SHA256
bbd393992b967dee5593a387547f4d6159a98910fdc136a45cf571452ec33178

SHA512
db1e8ea8fa620d0d8ce3b624a9470fd08ef6819e7c09facdf20ce8ebdf88973bdf94c2c48a4b3efabc08171b661247654e749c72cd32625c3cceb4ffd25dc333

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
d22266ba3d8db30279b96944f0cec985

SHA1
44e288cdfe75a5e8299ce32e75dd9e0705cdbac9

SHA256
77873629fa695e434160c86ae9116906ff65a97666d7d35a3ed63221b627c0bf

SHA512
d463aecbdac835dace5544b4267c86c2ed7d3165ba95095db6dfc3a25655f2391fa202a81d37b4a76a36f04456ed86df137302ad0e456fd59ecdfee3c69c6c1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2319d819158f2e0c61285521edd6e8db

SHA1
951bb8435e553f26af88aec306553de50e50b196

SHA256
f52ae748b89a85951a786756075b21d081c46bf688994570afea501673cc88ff

SHA512
9fa7e0f45f41616ee259db38c089d7dfe72c5c58d0f0a036c5d68d65a2e411a47b169e1e50345573fc4bec856815765b398e659e021ef94a259eaee23a29f785

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
32b8152cf373755be9a9057b45f51192

SHA1
2805e0a1cc345c302b7724b2d7a5cee2b5fc51ad

SHA256
ff4927cdaebb4407a01b274b4e4c142ece3f4da63dced72a16b53b441a98a0eb

SHA512
b2a301a472c1a4821a837d6ae7537b9b47fe9fda54fd28ab7bf043f413173f3b0839056329653a6eec883e34d85b80215f32bf93b97291f2d627561fa36de84b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
f1881400134252667af6731236741098

SHA1
6fbc4f34542d449afdb74c9cfd4a6d20e6cdc458

SHA256
d6fcec1880d69aaa0229f515403c1a5ac82787f442c37f1c0c96c82ec6c15b75

SHA512
18b9ac92c396a01b6662a4a8a21b995d456716b70144a136fced761fd0a84c99e8bd0afb9585625809b87332da75727b82a07b151560ea253a3b8c241b799450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fb71e30d9020cf0f35ba14e554470f6d

SHA1
e5b60a47eb144863d013cc2415ec51e18c654f04

SHA256
06ff7f0c38b3af3b0489276e9c1339a2e6da7c6be21c5b57f2d2d5bf9d9b158b

SHA512
ebb1fe76fda2ad19504fe9a4a8f68ff610650dce6e4853ad22b149ccac87a9cd599de00d00f410d2ac999eb0360958e84410e0abcbc9ca48a7ae6e953a8d5200

Download Submit