hxxp://eftrepayment-ato[.]sbs/

Analysis

max time kernel
146s
max time network
147s
platform
windows11-21h2_x64
resource
win11-20231128-en
resource tags

arch:x64arch:x86image:win11-20231128-enlocale:en-usos:windows11-21h2-x64system
submitted
11-12-2023 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://eftrepayment-ato.sbs/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3024	msedge.exe
3024	msedge.exe
3984	msedge.exe
3984	msedge.exe
3480	msedge.exe
3480	msedge.exe
2644	identity_helper.exe
2644	identity_helper.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 1276	3024	msedge.exe	80
PID 3024 wrote to memory of 1276	3024	msedge.exe	80
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 1248	3024	msedge.exe	82
PID 3024 wrote to memory of 3984	3024	msedge.exe	84
PID 3024 wrote to memory of 3984	3024	msedge.exe	84
PID 3024 wrote to memory of 1300	3024	msedge.exe	83
PID 3024 wrote to memory of 1300	3024	msedge.exe	83
PID 3024 wrote to memory of 1300	3024	msedge.exe	83
PID 3024 wrote to memory of 1300	3024	msedge.exe	83
PID 3024 wrote to memory of 1300	3024	msedge.exe	83
PID 3024 wrote to memory of 1300	3024	msedge.exe	83
PID 3024 wrote to memory of 1300	3024	msedge.exe	83
PID 3024 wrote to memory of 1300	3024	msedge.exe	83
PID 3024 wrote to memory of 1300	3024	msedge.exe	83
PID 3024 wrote to memory of 1300	3024	msedge.exe	83
PID 3024 wrote to memory of 1300	3024	msedge.exe	83
PID 3024 wrote to memory of 1300	3024	msedge.exe	83
PID 3024 wrote to memory of 1300	3024	msedge.exe	83
PID 3024 wrote to memory of 1300	3024	msedge.exe	83
PID 3024 wrote to memory of 1300	3024	msedge.exe	83
PID 3024 wrote to memory of 1300	3024	msedge.exe	83
PID 3024 wrote to memory of 1300	3024	msedge.exe	83
PID 3024 wrote to memory of 1300	3024	msedge.exe	83
PID 3024 wrote to memory of 1300	3024	msedge.exe	83
PID 3024 wrote to memory of 1300	3024	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://eftrepayment-ato.sbs/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa9ac63cb8,0x7ffa9ac63cc8,0x7ffa9ac63cd8
  2⤵
  PID:1276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,6630545335343072830,5180853646596905754,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1964 /prefetch:2
  2⤵
  PID:1248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,6630545335343072830,5180853646596905754,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2424 /prefetch:8
  2⤵
  PID:1300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,6630545335343072830,5180853646596905754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,6630545335343072830,5180853646596905754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,6630545335343072830,5180853646596905754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,6630545335343072830,5180853646596905754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1944,6630545335343072830,5180853646596905754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,6630545335343072830,5180853646596905754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,6630545335343072830,5180853646596905754,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,6630545335343072830,5180853646596905754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,6630545335343072830,5180853646596905754,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:1452
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,6630545335343072830,5180853646596905754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,6630545335343072830,5180853646596905754,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4684 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:720

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6e747eaa74130c161ac1176dbd608920

SHA1
a64741bb05f85d3dde1c7e83f49e70dac475e774

SHA256
fd21fc821941a71cc892e19791ea83e15e48366693ce6f4c5b9ac800ad078c13

SHA512
4cd7f2c595870e1901aa4e150ef428ed49bececb9ec812c3c01c11240d8fd0a44b6e0a79a8149c2e97f97ca6c84bf5d38f52a73b58f3ddeee57b90508daec13f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
8b35b2cf66969676b07d557d7f2bc0c1

SHA1
0e6a72c57bb5252b6664d8bd590a5ca730b71ccf

SHA256
3b026ac0a6b1beb1b3daab3e0832b151484d453e3daf5456c38a779ed13e99f9

SHA512
3fee8c02c15498fa8802f2f9e4ee224ac51cc5faf3cbcda199bab7c8cc6ffa1956411b79993a249fbd3405b62ab96bd6b4bd2aafdf3c4958bc96386beec949a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
477B

MD5
ceaea94ff86db8cc39e8766f34f67e22

SHA1
e4e3e8db030c0611577ff10bc6a295e8e754b62c

SHA256
089851117b4260752b6a171cdfbaae288c9648a85794d7203ad7a2edf4c760c4

SHA512
270d8519055376984c190e9e13038f38269908b952ac5b6646e1619e734900155a958c19863a1d0eae35a8bef66060eeb40cae2ba42241611904d70bf65a9768

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
3fa73b6167a51833fef9b49c5ecb592f

SHA1
5f650e9e911726e1ba38f6b548c4b71269069d91

SHA256
babd88e09baae75b3d912ad2b6c83de574d26fa0ca52733feb496c8e3f3ec6bf

SHA512
9320aeba2187918ecf1cec0e8c76352dbcea17775ed5f7d0c871d67e69beb1fd06ac54c91700c75437a072c3a079453ce1838d6aae5e14c69f05449122170382

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
471dd94a8d236a24ff568b4031f5ba4f

SHA1
e0214df047f6e7076b84d42885303e42934fbae5

SHA256
48fd793826e5fbf39d32a142869a3cd2f7f310e3738f5fb339b44d3ec7d31cd0

SHA512
ba71fd44f23c1079d3f4b0dcab671cadce800b4910927c7a317f040ef0e39f7720d9cd196772378f2d4deab746f87a9c019eda026674d9f03de0586584a5454e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
fa08066decccf9e92290326c04532777

SHA1
778b58f445b9f4051d8fd5c9b38a640605743293

SHA256
1dde139be7104cf3b585082724cff60d165a6390f2e04685a276e73acf8609f6

SHA512
4a3f5a47e7f244a2884ed05891fa5adf83714f500df59e7969844e16a27a6ddf8c300d07d051426ce921c9f9ad72c364cca8be15b8d71d3be6ac6ae9f07e3083

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
747eb35a0b84f0cdf5b3dc0cc9feff30

SHA1
d349e0e6161418c3317038abc519d7aa60d5d07b

SHA256
10ff4cce24943687c74949d90df4ff5d81162cb930db069c245a1ca44be29dd1

SHA512
d2faa5c39ca7d2349452ae72e492801fbc028c7f9e9fc136fa446590e1b38af7c09b3683f46673a87b3425388f25c478f78e13d3b8590d2f878673575a887322

Download Submit