hxxps://bancaenlinea-bantrabgt--leduardoqpita[.]repl[.]co/espere[.]html

Analysis

max time kernel
148s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2023, 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bancaenlinea-bantrabgt--leduardoqpita.repl.co/espere.html

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1288	msedge.exe
1288	msedge.exe
4768	msedge.exe
4768	msedge.exe
3064	identity_helper.exe
3064	identity_helper.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 2612	4768	msedge.exe	73
PID 4768 wrote to memory of 2612	4768	msedge.exe	73
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1308	4768	msedge.exe	84
PID 4768 wrote to memory of 1288	4768	msedge.exe	85
PID 4768 wrote to memory of 1288	4768	msedge.exe	85
PID 4768 wrote to memory of 1936	4768	msedge.exe	86
PID 4768 wrote to memory of 1936	4768	msedge.exe	86
PID 4768 wrote to memory of 1936	4768	msedge.exe	86
PID 4768 wrote to memory of 1936	4768	msedge.exe	86
PID 4768 wrote to memory of 1936	4768	msedge.exe	86
PID 4768 wrote to memory of 1936	4768	msedge.exe	86
PID 4768 wrote to memory of 1936	4768	msedge.exe	86
PID 4768 wrote to memory of 1936	4768	msedge.exe	86
PID 4768 wrote to memory of 1936	4768	msedge.exe	86
PID 4768 wrote to memory of 1936	4768	msedge.exe	86
PID 4768 wrote to memory of 1936	4768	msedge.exe	86
PID 4768 wrote to memory of 1936	4768	msedge.exe	86
PID 4768 wrote to memory of 1936	4768	msedge.exe	86
PID 4768 wrote to memory of 1936	4768	msedge.exe	86
PID 4768 wrote to memory of 1936	4768	msedge.exe	86
PID 4768 wrote to memory of 1936	4768	msedge.exe	86
PID 4768 wrote to memory of 1936	4768	msedge.exe	86
PID 4768 wrote to memory of 1936	4768	msedge.exe	86
PID 4768 wrote to memory of 1936	4768	msedge.exe	86
PID 4768 wrote to memory of 1936	4768	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bancaenlinea-bantrabgt--leduardoqpita.repl.co/espere.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc6f0e46f8,0x7ffc6f0e4708,0x7ffc6f0e4718
  2⤵
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,15039773126360607893,8247930644122168253,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:1308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,15039773126360607893,8247930644122168253,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,15039773126360607893,8247930644122168253,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15039773126360607893,8247930644122168253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15039773126360607893,8247930644122168253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,15039773126360607893,8247930644122168253,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,15039773126360607893,8247930644122168253,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15039773126360607893,8247930644122168253,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15039773126360607893,8247930644122168253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15039773126360607893,8247930644122168253,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15039773126360607893,8247930644122168253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,15039773126360607893,8247930644122168253,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2c62dd66-4440-45f4-a683-0b3acc1b5ccb.tmp

Filesize
5KB

MD5
bc48739cc13846bf53636676b84af278

SHA1
aa9d152c577af883c36b93153dea32e578d28296

SHA256
8cb9020baae2cc0b183bde725fa72439cdfc96c3fad97962e9dc0d86a98abf79

SHA512
4acc30c5b5ecacb3818eaa1b0ce1a7d783cd6d74185e222240f4a2b0c2297436fdf94aef518076090698d6b644d5983dd43d031309afc6a2c76008dc3664f594

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
17cd31772fbc07b575739493a1602cda

SHA1
25e0308119c95618bb91482958dcc0fce265e721

SHA256
4147060950bb4fc7a790ae3e84937b617b2268f190ded3e17f2dfb48c3dd77b0

SHA512
1af77eb795c159da8051fe54df0a20af3cc2fa47ce9d9a05a9477e551da93a2d2be360844668a7a1225b1b83f7d50bb8ec2cd7d73f78a9431afd796ef9da00e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
390B

MD5
b1889d8954f1e3d1c231039fcba7b285

SHA1
cd1122d250d76d7cd53ceddd899fff28667b8839

SHA256
9f9123ee110bf08730f06470063ba10334e2ee0a30c66507dc55dbabcf833ce8

SHA512
7cfd01e16d25ca346a9418603943d27ec83227e24c8f69dd747170d4b976a5d06c4685809103f740541bbb85a2d755d8637d42ed070f9eabb0b9f3d2ad034f52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7cb2262ad005ddf6bcf46b1b9beb6f5f

SHA1
5af5297a109bea53b89847b63fcdf975771b0b7e

SHA256
1edd057fdf9a6bd9a780e70873f51eeacd5427b1fe3f15ebf35b06de87a25d27

SHA512
b0bfbea608a969d4934d53391854269a5fea307d602cff102552d6e30c46568add52047b7a9d8cb54f0580b80806c7b04a1bc510d78001e7bad1022203a63618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
3a748249c8b0e04e77ad0d6723e564ff

SHA1
5c4cc0e5453c13ffc91f259ccb36acfb3d3fa729

SHA256
f98f5543c33c0b85b191bb85718ee7845982275130da1f09e904d220f1c6ceed

SHA512
53254db3efd9c075e4f24a915e0963563ce4df26d4771925199a605cd111ae5025a65f778b4d4ed8a9b3e83b558066cd314f37b84115d4d24c58207760174af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
532B

MD5
0797cff19a8f3b4a81f665603b28c3cc

SHA1
830d11635ba2a7e69e2550aef54b30618b70bceb

SHA256
bbc5f9d75bb1949a7d72e4ae8214418efab667b96808edc83fec131c036ba0f3

SHA512
d7e67a66b9e580f399c4f3b8c233f7e9e07d56d5d33fa43eef1f5f7e8173ef34e5c2bff9508346deedcd617344a2257402c81d3c999de3f602f82dbd30660581

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580eb1.TMP

Filesize
367B

MD5
1fdbf75b31b8d85e467edb625b4c6a25

SHA1
cef3067ac324279ed91680ef8e158f2c4707910b

SHA256
ffe814c931a7f845503499e02d727edfeb4e28a0797b303c5d3edb38efb02d44

SHA512
3b558d6481655711ebbcbf542626995a05abbd975ce6f0476514b84b447229087fecc9c1e90f41035776fc93eeeee0db016f2aae736d8a36484e93b489a81d5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
deeb3fb4f24ae0172819b917adb21182

SHA1
c3cb8d075dd81debb3e143786eb10939b3fb382e

SHA256
47452baa0ac7a1d2985134dc50095188d5782033c5903c1a83e76f26d5416cd4

SHA512
a322145e3989be55910d32e6e051b13b6bf01de95a860b0f736d64d7f705c3ead198a76e802b77fb84ed3bc788787e6fb26347e97ad2a5ab9407c3f071e1dc5a

Download Submit