hxxps://www[.]movable-ink-6437[.]com/p/rp/23862d605ea37302/urlWspcBe8� [:]ex|bARbg@kirkbi[.]comX

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
10/12/2023, 19:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.movable-ink-6437.com/p/rp/23862d605ea37302/urlWspcBe8� :ex|[email protected]

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
544	msedge.exe
544	msedge.exe
5016	msedge.exe
5016	msedge.exe
4552	identity_helper.exe
4552	identity_helper.exe
5640	msedge.exe
5640	msedge.exe
5640	msedge.exe
5640	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 2712	5016	msedge.exe	85
PID 5016 wrote to memory of 2712	5016	msedge.exe	85
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 3592	5016	msedge.exe	89
PID 5016 wrote to memory of 544	5016	msedge.exe	87
PID 5016 wrote to memory of 544	5016	msedge.exe	87
PID 5016 wrote to memory of 4984	5016	msedge.exe	88
PID 5016 wrote to memory of 4984	5016	msedge.exe	88
PID 5016 wrote to memory of 4984	5016	msedge.exe	88
PID 5016 wrote to memory of 4984	5016	msedge.exe	88
PID 5016 wrote to memory of 4984	5016	msedge.exe	88
PID 5016 wrote to memory of 4984	5016	msedge.exe	88
PID 5016 wrote to memory of 4984	5016	msedge.exe	88
PID 5016 wrote to memory of 4984	5016	msedge.exe	88
PID 5016 wrote to memory of 4984	5016	msedge.exe	88
PID 5016 wrote to memory of 4984	5016	msedge.exe	88
PID 5016 wrote to memory of 4984	5016	msedge.exe	88
PID 5016 wrote to memory of 4984	5016	msedge.exe	88
PID 5016 wrote to memory of 4984	5016	msedge.exe	88
PID 5016 wrote to memory of 4984	5016	msedge.exe	88
PID 5016 wrote to memory of 4984	5016	msedge.exe	88
PID 5016 wrote to memory of 4984	5016	msedge.exe	88
PID 5016 wrote to memory of 4984	5016	msedge.exe	88
PID 5016 wrote to memory of 4984	5016	msedge.exe	88
PID 5016 wrote to memory of 4984	5016	msedge.exe	88
PID 5016 wrote to memory of 4984	5016	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.movable-ink-6437.com/p/rp/23862d605ea37302/urlWspcBe8� :ex|[email protected]
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc2d4346f8,0x7ffc2d434708,0x7ffc2d434718
  2⤵
  PID:2712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,7490768586880110474,1660806407460644906,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,7490768586880110474,1660806407460644906,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,7490768586880110474,1660806407460644906,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7490768586880110474,1660806407460644906,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7490768586880110474,1660806407460644906,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7490768586880110474,1660806407460644906,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7490768586880110474,1660806407460644906,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7490768586880110474,1660806407460644906,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
  2⤵
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7490768586880110474,1660806407460644906,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,7490768586880110474,1660806407460644906,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,7490768586880110474,1660806407460644906,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,7490768586880110474,1660806407460644906,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1256 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
208a234643c411e1b919e904ee20115e

SHA1
400b6e6860953f981bfe4716c345b797ed5b2b5b

SHA256
af80020ae43388bbd3db31c75aade369d489a30a933574dea19163e094d5f458

SHA512
2779b96325234c836cbb91820ee332ed56c15b534ec0c7770b322a5c03849ec3ee67b0ec7978e1fab563eeed1cea96f5155d7b942702555d9352ff6711a548d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
192B

MD5
1a635fd7aa7399cd6b3a4eae091bb868

SHA1
1d0288b14e738fbb70f19703d49066b910eda275

SHA256
3555c5182e4027e4099d3a921f31b37926e76e822444bdc85eb0b158940ab041

SHA512
a65aa055265b2083b749ab2d587387a82126e5321cdbda974d7564f6f6ce6cbca408752eda5f5d7d416631f1b089aebed50848aec6cbd0c7f1a138699fc0235d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7980a761368200077617af68b16dc75f

SHA1
4692fe11400df669d49f5ffad2fec4813037bd92

SHA256
9ecfa4642da5c977bb050c173ca0662ad25f34cb491e10b932270b3c9750bc1a

SHA512
d6c3027e166470eb86f1455b2ffa20a10a63878951546f4745962cd824bd45abf293532225f373721d5190638650ff3d1ad44404d4ca427efe6bb2e523a2ce64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e9d6c73fb9fec5cd03b655be4270fab6

SHA1
04ddc20b50669ef9349b4616d2ae1e42199fb3fb

SHA256
d054ff0ad39dd093479eded0d37d0bfeee6d4b2e333fcc67ed34e388095444af

SHA512
9ce98270ed4c07a306327fe1c79caf89a0db730914cf9b0e594bacf4984ef651caaa720c0c64b8bcced4f3106b37c9555b39eb9044f5455c48c2ffb4eeae554f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5a6206a3489650bf4a9c3ce44a428126

SHA1
3137a909ef8b098687ec536c57caa1bacc77224b

SHA256
0a9e623c6df237c02a585539bffb8249de48949c6d074fe0aaf43063731a3e28

SHA512
980da83c3142bf08433ec1770a2ec5f5560daf3ee680466f89beae8290e921c0db677489daad055fbc1f196388f8bc4f60e050600381f860b06d330062440a78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a720337c76a024d64663c2a8abe74c81

SHA1
704ccd22e199b7302ac753c0c7ed11429184d88b

SHA256
5458b0af46cc917a475f0a2d226f73b50237f07442c91083768696cad8c01185

SHA512
93831638435813b675ddff20c6a74651e3fc9ccff3c4f88fb2e85011d8f531d2bbfc10909188475943c70df57f7673d0c15a8cdba2c7f41780ddb88935663925

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f8549971f0fd9eaadbb43d0c3668548a

SHA1
ca4c8cdc7f69fb2da086549b6949357ecd414845

SHA256
9b353ea4529fcfad568698dcd9e95e5fa1c63b4cb6817bb7d77e024a4235b89d

SHA512
18aeb747e61dae2e04a9e41bd081e0930f61b40c904c20f116c42e5c54f0aac57031f4a615fbc15a3960d512827b03d7e2c780bddcbe6690e06170662ae3df01

Download Submit