hxxps://shamrockcolony[.]com/JHDJDHGJHDG/dhbdidoz/jdbdjdb/filffjess/terrjdjhfys/criminals@wantedbythepolice[.]nl

General

Target

https://shamrockcolony.com/JHDJDHGJHDG/dhbdidoz/jdbdjdb/filffjess/terrjdjhfys/[email protected]

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
2740	msedge.exe
2740	msedge.exe
2184	msedge.exe
2184	msedge.exe
1144	identity_helper.exe
1144	identity_helper.exe
4324	msedge.exe
4324	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

2184 msedge.exe
2184 msedge.exe
2184 msedge.exe
2184 msedge.exe
2184 msedge.exe
2184 msedge.exe
2184 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2184 wrote to memory of 3252	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 3252	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4916	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 2740	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 2740	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4800	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4800	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4800	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4800	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4800	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4800	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4800	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4800	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4800	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4800	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4800	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4800	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4800	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4800	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4800	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4800	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4800	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4800	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4800	2184	msedge.exe	msedge.exe
PID 2184 wrote to memory of 4800	2184	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://shamrockcolony.com/JHDJDHGJHDG/dhbdidoz/jdbdjdb/filffjess/terrjdjhfys/[email protected]
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8cb823cb8,0x7ff8cb823cc8,0x7ff8cb823cd8
2⤵
PID:3252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,17603486046225326763,15983461521050800251,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
2⤵
PID:4916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,17603486046225326763,15983461521050800251,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,17603486046225326763,15983461521050800251,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
2⤵
PID:4800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,17603486046225326763,15983461521050800251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
2⤵
PID:4932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,17603486046225326763,15983461521050800251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
2⤵
PID:648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,17603486046225326763,15983461521050800251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
2⤵
PID:4072

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,17603486046225326763,15983461521050800251,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,17603486046225326763,15983461521050800251,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,17603486046225326763,15983461521050800251,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
2⤵
PID:2088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,17603486046225326763,15983461521050800251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
2⤵
PID:2784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,17603486046225326763,15983461521050800251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
2⤵
PID:3604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,17603486046225326763,15983461521050800251,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
2⤵
PID:4588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,17603486046225326763,15983461521050800251,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5656 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6e126312d2ac3e6411def860af3effb5

SHA1
0bafa7fa6e6ff58c03f90e7be34f176d2fa6482d

SHA256
66d8cd3d3710122eb73a2991cd38b5b9eb0b84a7479d9a18aae674489cd4b45b

SHA512
f0770e3e4c9f0e9160aec628ba7771a76d6761119c12541775fdf4578d185b04ed3c87537e4e43a717dfd8dd152e35aa4b1ddb92ff00667aa74a56877dd21a53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
815bc9b7e37dd70b2a7bf3bb1f1848c0

SHA1
21751e085c3629073ee85da92ad0450ea19ec6aa

SHA256
442da5b58b88afd8eb43dab0024bf5f07a9d35db102362a27a0ddd5c84ccb447

SHA512
33e074cdb9502c4de008b0c3afdad9d8135bfc098f64455e5bd27b932f5f7cc4bd7d73e2cf149187591a8c761e9c410016ff789cfcd7bb7ebacf96536186f6e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
333B

MD5
01e9c1b9278d139bf828a396b81764d0

SHA1
04f4ee9192fb439cc844b1b2244ec43779881cca

SHA256
5cc259dc82160b6e7ef34d75ecd59ee343924f5226db061b339090247a05a4e4

SHA512
755d85cfa386a91b8f7d4354a65ade5151bc587e2db4241713d7c2b5ca4658cb5198d6e4e9dfcb719376f657d1151b4d0697efe4545cba5fcb202ae7e0181366

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
7ea78d2db138a61ee959cac2627c2c84

SHA1
9c175fbca1e5cd2c61d7bdfc5ff4d81237ca7076

SHA256
4aac7a15bf80aeec7866ea448a13d5a0c9af938c8783166b2e51dc6fd1706dce

SHA512
de70779f81d246f521a9703d8ba3b720e3dd661e3752ff9c8a7d3c66f29f1847f82ec8c962089a50e6cb08368bb9bfa73df461b0598f71e2178dee04ec0d2b5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f79f4d69901c2ca5740435b1757d6f26

SHA1
fc7f2ef67c009ac4927e0af6a70f5da794c8eecf

SHA256
fec42c8ba3607ed2891e99d097f5b9dcf6a00f899818c42872883d9b48c68a32

SHA512
c2de5fbacda239dbba839cedd2bd44019111cecd49bf07c172be27b4b8b3bd15c9b4a446813022ffc89158992cddd7807ee208cdb4724eb82e939356e4d66723

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
590a4be82ce0e7f8c69b0a547a8ed945

SHA1
062639b7a6e192a2587e55c8463dfd1173a25c0a

SHA256
e5e00d40a7698d1436f72cfaf14a43372bfad5c71ae3737e8131e4662628dbbb

SHA512
eb91a8f98ed3ff1a7e3ff65ff94cdecead42f31aca2ba25b9edaa5dab948a83bb2566a99f3237659eba753917d283d18ee3286da4150f47d4297b99a979472f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0cd67f80b891850e40d9cfbe95b86f11

SHA1
e138907b682db193920e1e52f1162337e07a8ede

SHA256
50894841ceaff05cde840b1e4040b171698d3ee5fb2a6f7aae0d15b562b4368d

SHA512
218e6f1575b6a862f8b9d6cd0aaf0b6bff61284e0be57a0b251a467977477887c435d6c87d6382700a27fa7a4e2a8c1da0bed237fa2e46af4abd286ad91b18a6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads