hxxps://authsecured[.]info/pay/

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2023 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://authsecured.info/pay/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4180	msedge.exe
4180	msedge.exe
1884	msedge.exe
1884	msedge.exe
1896	identity_helper.exe
1896	identity_helper.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 1548	1884	msedge.exe	86
PID 1884 wrote to memory of 1548	1884	msedge.exe	86
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 556	1884	msedge.exe	88
PID 1884 wrote to memory of 4180	1884	msedge.exe	89
PID 1884 wrote to memory of 4180	1884	msedge.exe	89
PID 1884 wrote to memory of 1772	1884	msedge.exe	90
PID 1884 wrote to memory of 1772	1884	msedge.exe	90
PID 1884 wrote to memory of 1772	1884	msedge.exe	90
PID 1884 wrote to memory of 1772	1884	msedge.exe	90
PID 1884 wrote to memory of 1772	1884	msedge.exe	90
PID 1884 wrote to memory of 1772	1884	msedge.exe	90
PID 1884 wrote to memory of 1772	1884	msedge.exe	90
PID 1884 wrote to memory of 1772	1884	msedge.exe	90
PID 1884 wrote to memory of 1772	1884	msedge.exe	90
PID 1884 wrote to memory of 1772	1884	msedge.exe	90
PID 1884 wrote to memory of 1772	1884	msedge.exe	90
PID 1884 wrote to memory of 1772	1884	msedge.exe	90
PID 1884 wrote to memory of 1772	1884	msedge.exe	90
PID 1884 wrote to memory of 1772	1884	msedge.exe	90
PID 1884 wrote to memory of 1772	1884	msedge.exe	90
PID 1884 wrote to memory of 1772	1884	msedge.exe	90
PID 1884 wrote to memory of 1772	1884	msedge.exe	90
PID 1884 wrote to memory of 1772	1884	msedge.exe	90
PID 1884 wrote to memory of 1772	1884	msedge.exe	90
PID 1884 wrote to memory of 1772	1884	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://authsecured.info/pay/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffedcfb46f8,0x7ffedcfb4708,0x7ffedcfb4718
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,11639313975984800458,2635556369392291159,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2284 /prefetch:2
  2⤵
  PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,11639313975984800458,2635556369392291159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,11639313975984800458,2635556369392291159,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11639313975984800458,2635556369392291159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:3676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11639313975984800458,2635556369392291159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,11639313975984800458,2635556369392291159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5604 /prefetch:8
  2⤵
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,11639313975984800458,2635556369392291159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5604 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11639313975984800458,2635556369392291159,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11639313975984800458,2635556369392291159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11639313975984800458,2635556369392291159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11639313975984800458,2635556369392291159,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,11639313975984800458,2635556369392291159,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4148 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3792

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
931c624c35fe080c5b960210e85387d3

SHA1
6f68843af7240c23bdb342f1fa506d4fbea8553c

SHA256
5e9433afe15329777c0740a6254d40cedcf94093225b0fbaed66cb70fedbbf74

SHA512
3b740b55e6ac474a9c4f970a2d25e1e44f2654dadb8ab9f8b04ed1461c30ff7e616f79e7c84d20e91641e96879d401fe54b839e609f6c922fb715f8763179217

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
897B

MD5
6c0f5f061b8e2bac77610b5b8a1419ed

SHA1
ad3e02b26798539fa0dfef7808d0e1c31dd3c2e5

SHA256
59d2909cb74987453ac679ebfb0d2b2be1cc5606bc8cd177f2aab0310dc36409

SHA512
8596e86d38ed6f2bd7d56cd590604312090ff6aafd1969b6a6884bd09f9450f7ba95014bb47042b3826d911d552990cbcad25280d15523fb624de2662b97720f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3b6ca7f65268a9440b4446356d9cb4bd

SHA1
8d18d4a3d8773f2f5199a86b29f8f6ccda6b44af

SHA256
a91f0ab91e2a1435a7c70c2375c56f78f1103f6e65099bfb49e6f88b27168730

SHA512
35a34598ef7dd4b6533d03a4833cc483478b2e0f57c1f48708c31f338fcdb1e5c77af4afdf00c5b196bdce160b7f162f92b9b545ce6e6c88e444691d5eb1b2d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b63d5c24f3f3ec25c9d32659db4f845b

SHA1
b8cc0893f72b2da67b4950c731bce4742af0e770

SHA256
ffc8b48595717595ca75fae8d425493bf8a5d7abdd300510209c1aaa606dff6d

SHA512
d5afbc63d856ab732599d0dbd77ed36c56e04e2d496ad2a436bc13d197250f8c4e903acf4d048514ed4c0a0db32e02ef798ebe1e9fdb130ee5f0a085625f2209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
3a748249c8b0e04e77ad0d6723e564ff

SHA1
5c4cc0e5453c13ffc91f259ccb36acfb3d3fa729

SHA256
f98f5543c33c0b85b191bb85718ee7845982275130da1f09e904d220f1c6ceed

SHA512
53254db3efd9c075e4f24a915e0963563ce4df26d4771925199a605cd111ae5025a65f778b4d4ed8a9b3e83b558066cd314f37b84115d4d24c58207760174af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4cc54477ab8ddc0eb1df07621ded9046

SHA1
e6a8dc6ce2206f65ec0c602366bc1109731ed82f

SHA256
9f4f43ee802203df2860a0e3e40b6fbaa3b87027963603e2df8ffa3e1953793e

SHA512
d411136f76ae9d1e704cceb4385daec32f5fb0e163efd069555144c908a0cb25220336479769e38b68d3312954bd03118c2c56640b25bf416671ae2afb51756c

Download Submit