hxxp://vmo2communications[.]newsweaver[.]com

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2023, 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://vmo2communications.newsweaver.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3268	msedge.exe
3268	msedge.exe
3792	msedge.exe
3792	msedge.exe
4388	identity_helper.exe
4388	identity_helper.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3792 wrote to memory of 1924	3792	msedge.exe	52
PID 3792 wrote to memory of 1924	3792	msedge.exe	52
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 956	3792	msedge.exe	86
PID 3792 wrote to memory of 3268	3792	msedge.exe	84
PID 3792 wrote to memory of 3268	3792	msedge.exe	84
PID 3792 wrote to memory of 4372	3792	msedge.exe	85
PID 3792 wrote to memory of 4372	3792	msedge.exe	85
PID 3792 wrote to memory of 4372	3792	msedge.exe	85
PID 3792 wrote to memory of 4372	3792	msedge.exe	85
PID 3792 wrote to memory of 4372	3792	msedge.exe	85
PID 3792 wrote to memory of 4372	3792	msedge.exe	85
PID 3792 wrote to memory of 4372	3792	msedge.exe	85
PID 3792 wrote to memory of 4372	3792	msedge.exe	85
PID 3792 wrote to memory of 4372	3792	msedge.exe	85
PID 3792 wrote to memory of 4372	3792	msedge.exe	85
PID 3792 wrote to memory of 4372	3792	msedge.exe	85
PID 3792 wrote to memory of 4372	3792	msedge.exe	85
PID 3792 wrote to memory of 4372	3792	msedge.exe	85
PID 3792 wrote to memory of 4372	3792	msedge.exe	85
PID 3792 wrote to memory of 4372	3792	msedge.exe	85
PID 3792 wrote to memory of 4372	3792	msedge.exe	85
PID 3792 wrote to memory of 4372	3792	msedge.exe	85
PID 3792 wrote to memory of 4372	3792	msedge.exe	85
PID 3792 wrote to memory of 4372	3792	msedge.exe	85
PID 3792 wrote to memory of 4372	3792	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vmo2communications.newsweaver.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8a59346f8,0x7ff8a5934708,0x7ff8a5934718
  2⤵
  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,8299454121153842029,11594485663743593605,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,8299454121153842029,11594485663743593605,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,8299454121153842029,11594485663743593605,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
  2⤵
  PID:956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,8299454121153842029,11594485663743593605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,8299454121153842029,11594485663743593605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,8299454121153842029,11594485663743593605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,8299454121153842029,11594485663743593605,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:8
  2⤵
  PID:384
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,8299454121153842029,11594485663743593605,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,8299454121153842029,11594485663743593605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,8299454121153842029,11594485663743593605,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,8299454121153842029,11594485663743593605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
  2⤵
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,8299454121153842029,11594485663743593605,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,8299454121153842029,11594485663743593605,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4560 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0629525c94f6548880f5f3a67846755e

SHA1
40ef667fc04bb1c0ae4bf2c17ded88594f0f4423

SHA256
812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee

SHA512
f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
201B

MD5
8997a4056d6b843d6b884943520e90a0

SHA1
e6ce4bc422831c3bfeef65f6c3339a56b9c20e1b

SHA256
b3ea9af31c48deb71adebd23dc84f6b856ec8067a8e11a47cb5467d6bf35646f

SHA512
35e4f181e24194f37c32451a1e0ef11139f54e6272269e83fb0b94b93b2ad42e70b8beead9e4e40d6c826fbf6fb41711d1c981e55336c55f21712ca43f77b8bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
41a420f55a4de4064848ec509b18a93d

SHA1
b23db3ae5d257d97de846eabd9f5ce62755a05f6

SHA256
4f4656d29a431d4c3dddf6ddfeeadee13f619a5726e3c3dda9ffc1a5b4ecaf65

SHA512
7649c09c1ce3d60d734fb9eebd686367d8462aa5287af35fef29777f845a07c6f198d32cbd84a711143c13f640c0ed81ac8f1da109b21a6a4f64caa4f6e17627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
21d89eb7257ee85cfe9a44a149595787

SHA1
65187befaa2ab0cc4f96b6578790a020b1be797d

SHA256
a7fc63a96545f8b5d071916cdd63565e498a03985c75dc8042bc3777ffbd1241

SHA512
c37f7f55b2e6a73c1b55e5b36fd94cc153d7abafb6fff4c04067b98d1b06064e4cafea45d0628f205dc27127ca72f52b7776d8f2a7510fb99c5af96ccd0fa9d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
fd20981c7184673929dfcab50885629b

SHA1
14c2437aad662b119689008273844bac535f946c

SHA256
28b7a1e7b492fff3e5268a6cd480721f211ceb6f2f999f3698b3b8cbd304bb22

SHA512
b99520bbca4d2b39f8bedb59944ad97714a3c9b8a87393719f1cbc40ed63c5834979f49346d31072c4d354c612ab4db9bf7f16e7c15d6802c9ea507d8c46af75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b50922bb4e1aaedca92eba5aa3eaedb1

SHA1
ccbeba27269152aabd7da6f691a4e9466ea44a4a

SHA256
5834e100b1f12da42092cfa056de14db3009ecaf8c2564671c253dccd0450406

SHA512
3dda8897c579c400f3414c7d11bf618783d8bf18772a8280defb2c3b6bb27d704934bd0fbc734c45766d9de6bc53667fb38cf7676e94e1558602d3851ba1df9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
338438310340825c557565a21c6cfdb4

SHA1
eff28b4183899471ba09bc1d7bd114584091e1ce

SHA256
784fea4d9053f1cd28b549d7e0d0a2552a85d1299715e24f406a864abdac4c30

SHA512
bb12be0c57ac3a4a7e1fbbca98b3524126127e2ee8e98a651b300b69ce800bc365b372cb7328db1798e5b9cf298de05dc95d75fd9999f2b1a8c1a476dfc37776

Download Submit