Analysis

max time kernel: 514s
max time network: 597s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/12/2023, 10:52
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: http://weaktongue.com
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: http://weaktongue.com
  Resource: win10v2004-20231215-en
General

Target: http://weaktongue.com

Malware Config

Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)

description        ioc                                                                    Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)

pid   Process
3040  msedge.exe
3040  msedge.exe
1248  msedge.exe
1248  msedge.exe
1328  identity_helper.exe
1328  identity_helper.exe
2152  msedge.exe
2152  msedge.exe
2152  msedge.exe
2152  msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)

pid   Process
1248  msedge.exe
1248  msedge.exe
1248  msedge.exe
1248  msedge.exe
1248  msedge.exe
1248  msedge.exe
1248  msedge.exe
Suspicious use of FindShellTrayWindow (25 IoCs)

pid   Process
1248  msedge.exe  (all 25 IoCs are this same row)
Suspicious use of SendNotifyMessage (24 IoCs)

pid   Process
1248  msedge.exe  (all 24 IoCs are this same row)
Suspicious use of WriteProcessMemory (64 IoCs)

Distinct rows (each repeated across the 64 IoCs):

description                       pid   Process     procid_target
PID 1248 wrote to memory of 2136  1248  msedge.exe  88
PID 1248 wrote to memory of 3596  1248  msedge.exe  91
PID 1248 wrote to memory of 3040  1248  msedge.exe  89
PID 1248 wrote to memory of 4888  1248  msedge.exe  90
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1248)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://weaktongue.com
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2136)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff155a46f8,0x7fff155a4708,0x7fff155a4718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3040)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,432866278468134031,12793760666677526492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4888)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,432866278468134031,12793760666677526492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3596)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,432866278468134031,12793760666677526492,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4928)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,432866278468134031,12793760666677526492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 452)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,432866278468134031,12793760666677526492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2156)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,432866278468134031,12793760666677526492,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 548)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,432866278468134031,12793760666677526492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3004)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,432866278468134031,12793760666677526492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3500)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,432866278468134031,12793760666677526492,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2432)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,432866278468134031,12793760666677526492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 2064)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,432866278468134031,12793760666677526492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6076 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 1328)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,432866278468134031,12793760666677526492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6076 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2152)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,432866278468134031,12793760666677526492,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5312 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe  (PID 4368)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  (PID 3176)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads