Analysis
- max time kernel: 146s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-12-2023 21:28
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
- Sample: https://gdcobros.com/tensile/##_QWNjb3VudHNQYXlhYmxlQGNsdC11ZmEuY29t
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: https://gdcobros.com/tensile/##_QWNjb3VudHNQYXlhYmxlQGNsdC11ZmEuY29t
- Resource: win10v2004-20231215-en
General
- Target: https://gdcobros.com/tensile/##_QWNjb3VudHNQYXlhYmxlQGNsdC11ZmEuY29t
Malware Config
Signatures
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: msedge.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS; process: msedge.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer; process: msedge.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName; process: msedge.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: msedge.exe, identity_helper.exe
  pid 2268 msedge.exe (2 entries)
  pid 3324 msedge.exe (2 entries)
  pid 2692 identity_helper.exe (2 entries)
  pid 4832 msedge.exe (4 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  Processes: msedge.exe
  pid 3324 msedge.exe (all 7 entries)
- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes: msedge.exe
  pid 3324 msedge.exe (all 25 entries)
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes: msedge.exe
  pid 3324 msedge.exe (all 24 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: msedge.exe
  Source pid 3324 msedge.exe wrote to memory of target pid (all targets msedge.exe), in order of appearance:
  3816 (2 entries)
  2916 (repeated entries)
  2268 (2 entries)
  4756 (repeated entries)
  64 entries in total.
Processes
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gdcobros.com/tensile/##_QWNjb3VudHNQYXlhYmxlQGNsdC11ZmEuY29t
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  Child processes:
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaec0646f8,0x7ffaec064708,0x7ffaec064718
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,8437115113089022764,363480834652754347,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,8437115113089022764,363480834652754347,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,8437115113089022764,363480834652754347,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8437115113089022764,363480834652754347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8437115113089022764,363480834652754347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8437115113089022764,363480834652754347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,8437115113089022764,363480834652754347,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,8437115113089022764,363480834652754347,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8437115113089022764,363480834652754347,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8437115113089022764,363480834652754347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8437115113089022764,363480834652754347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8437115113089022764,363480834652754347,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,8437115113089022764,363480834652754347,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1052 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: fa070c9c9ab8d902ee4f3342d217275f
  SHA1: ac69818312a7eba53586295c5b04eefeb5c73903
  SHA256: 245b396ed1accfae337f770d3757c932bc30a8fc8dd133b5cefe82242760c2c7
  SHA512: df92ca6d405d603ef5f07dbf9516d9e11e1fdc13610bb59e6d4712e55dd661f756c8515fc2c359c1db6b8b126e7f5a15886e643d93c012ef34a11041e02cc0dc
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 240B
  MD5: 381eeb474759830a29573d77b658d036
  SHA1: 7ae92e088c6744e01ab5a298c7ff9920495e09a5
  SHA256: 1ddf15f09c785d21746d768b66aabbb7bd4e52bd3106325d25cb11e9e460f2bf
  SHA512: 0e40d15b7e62f92c231672d840ca568952b9cb0b51dc621ce133b727eb3492b8a1fc760c006705c98780f8149a328fccbab49e85ac62e9e5bfa9bbb0fb5d143a
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 111B
  MD5: 285252a2f6327d41eab203dc2f402c67
  SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 1KB
  MD5: 60c9ce3c5c8520e86451f227942e1126
  SHA1: 3fe5a8a841faae6923512d6ed90715c868bcaa76
  SHA256: dd6e66f82235c74ea2bcacfc3043ef6b094da743b40182ce2ea320dd3a3da0f3
  SHA512: acd3140ec017b9099fa23c6c8eda7b740998d825e8e49d5c69a690ab0469adf63fa712b9227bb17080e22bfecbad65ab335a3fb9d9678d156aefb61587a67c87
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: 620fa46adbfd22d131075aa8cb150c52
  SHA1: 83a94d4020da5466d2912f81d9d026e0ecb6018c
  SHA256: d98e15dbff0b9bfbfa881ea5db59f616bcb82761a8294fa961fc31587ef9480c
  SHA512: 391fec31031da45be201cdf7c4a62cb33370ed51cb052105cd042e9e89491e12ea7983b1f34ebdfffe16aac303cc8f30e19d1ba06a24f5bb9e4ff4560d485999
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: 754db0a26cf4a0f8be62220bb3cc47fd
  SHA1: 9d720da1d52734615d1f8a70f678579435f9900b
  SHA256: a1d3172cb9c0f10ed2170c8ae81feccc1b69602122bb0e24e2ab1f02bdac2e76
  SHA512: 95abf5abf0b6555dcb949352e332c3ab0aa6b2d2f28f04c171ff81823fa2dd3aab2fbeac928aba3663af4971ffe995741ac108ef52fcf9a5e252010bcb994927
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
  Filesize: 24KB
  MD5: 917dedf44ae3675e549e7b7ffc2c8ccd
  SHA1: b7604eb16f0366e698943afbcf0c070d197271c0
  SHA256: 9692162e8a88be0977395cc0704fe882b9a39b78bdfc9d579a8c961e15347a37
  SHA512: 9628f7857eb88f8dceac00ffdcba2ed822fb9ebdada95e54224a0afc50bccd3e3d20c5abadbd20f61eba51dbf71c5c745b29309122d88b5cc6752a1dfc3be053
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 10KB
  MD5: 6e19807c56e89d6742be06a054a4f217
  SHA1: 48b1694ef8fadb4fe79b101dc71ab128d6dee39e
  SHA256: 4adf346ceb6964f77bdc18d945bc6d57dd9a0433b653802d4b3148022c908ed6
  SHA512: 005a74198fb7b2596516c09ab366d834b22ff97ffe9e16fc9d20e662e39b3082c37b94394bb7aecdb1db02b4a5fc8167ed4d501ea08159b6e36af95f564b3cc0
- \??\pipe\LOCAL\crashpad_3324_KSIPDXBWMDNTCFCQ
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e