hxxp://weaktongue[.]com

Analysis

max time kernel
514s
max time network
597s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://weaktongue.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3040	msedge.exe
3040	msedge.exe
1248	msedge.exe
1248	msedge.exe
1328	identity_helper.exe
1328	identity_helper.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 2136	1248	msedge.exe	88
PID 1248 wrote to memory of 2136	1248	msedge.exe	88
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3596	1248	msedge.exe	91
PID 1248 wrote to memory of 3040	1248	msedge.exe	89
PID 1248 wrote to memory of 3040	1248	msedge.exe	89
PID 1248 wrote to memory of 4888	1248	msedge.exe	90
PID 1248 wrote to memory of 4888	1248	msedge.exe	90
PID 1248 wrote to memory of 4888	1248	msedge.exe	90
PID 1248 wrote to memory of 4888	1248	msedge.exe	90
PID 1248 wrote to memory of 4888	1248	msedge.exe	90
PID 1248 wrote to memory of 4888	1248	msedge.exe	90
PID 1248 wrote to memory of 4888	1248	msedge.exe	90
PID 1248 wrote to memory of 4888	1248	msedge.exe	90
PID 1248 wrote to memory of 4888	1248	msedge.exe	90
PID 1248 wrote to memory of 4888	1248	msedge.exe	90
PID 1248 wrote to memory of 4888	1248	msedge.exe	90
PID 1248 wrote to memory of 4888	1248	msedge.exe	90
PID 1248 wrote to memory of 4888	1248	msedge.exe	90
PID 1248 wrote to memory of 4888	1248	msedge.exe	90
PID 1248 wrote to memory of 4888	1248	msedge.exe	90
PID 1248 wrote to memory of 4888	1248	msedge.exe	90
PID 1248 wrote to memory of 4888	1248	msedge.exe	90
PID 1248 wrote to memory of 4888	1248	msedge.exe	90
PID 1248 wrote to memory of 4888	1248	msedge.exe	90
PID 1248 wrote to memory of 4888	1248	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://weaktongue.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff155a46f8,0x7fff155a4708,0x7fff155a4718
  2⤵
  PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,432866278468134031,12793760666677526492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,432866278468134031,12793760666677526492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,432866278468134031,12793760666677526492,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,432866278468134031,12793760666677526492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,432866278468134031,12793760666677526492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,432866278468134031,12793760666677526492,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,432866278468134031,12793760666677526492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
  2⤵
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,432866278468134031,12793760666677526492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,432866278468134031,12793760666677526492,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,432866278468134031,12793760666677526492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
  2⤵
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,432866278468134031,12793760666677526492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6076 /prefetch:8
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,432866278468134031,12793760666677526492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6076 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,432866278468134031,12793760666677526492,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5312 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eb20b5930f48aa090358398afb25b683

SHA1
4892c8b72aa16c5b3f1b72811bf32b89f2d13392

SHA256
2695ab23c2b43aa257f44b6943b6a56b395ea77dc24e5a9bd16acc2578168a35

SHA512
d0c6012a0059bc1bb49b2f293e6c07019153e0faf833961f646a85b992b47896092f33fdccc893334c79f452218d1542e339ded3f1b69bd8e343d232e6c3d9e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
41912afdc5b3ec42484042a5fdae68db

SHA1
392fa8357a0aae36a7fa3082ea088d75c83d5aa8

SHA256
7852941bce62e809f9d290c1e05df64545e735eeec9072038c5325d8a62c2b3c

SHA512
7f1b4483f8b3c58e6d9adc4d5125f988336f190188d9ca4312f85a31cd82dd2eab4a5facc2df9dfad2f41d5e4e0d9711fad1cdd02d3e63259889cc5b48cb18d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
313047aca5add1864b90b869511bb35e

SHA1
c661b1a0f85979ebb87ff9ad1578caa580406a33

SHA256
ff034104ae39ac0a5add4ffa86416e0ef165a944dfc299f93cedd07f8d2124e1

SHA512
31ee6b192572fc2cf7c60386369f8bd8b84fa7e8c5075a0d02cba6a7b0db56e0875e71480e830668725b72d05f22c2f672ca39319b5ef381109e1416db0cb54f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0a58dd74f354944ccdaa5c3aa241e4d7

SHA1
dcc5091bf877f1e31b96812a9f8ce6899c557d3a

SHA256
164e9dddc02af864d979260a505b840d94448953523ccf9cd3d7790f75462595

SHA512
f588b1e3cd4070e2b554df6e47b6387b768a0f19e49819b06039ed6fb4286eb4cf25f9c3f54cae332113be94f9d979b117ca6b1bacfd0d211104d0ec993a6540

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
42a333e0fa3dcc4ff1dda7276e911807

SHA1
185c20fe6a0c9d39bf7026fa9b73f45c75ffa0ed

SHA256
93500f54ce48511d559bce74b28fab599ed8e20e62dc0d9c11c2facc6a98e892

SHA512
94c78a0cf908a75daeae5fee3b80566276203690c0b7107ede50e446bef5e3e3bb8bd07cff5e4d7b68e5eaadba07ef4b42d9e4e8dc33a1f8cb2f69299768d3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4d21022dd9d518c70cb43b4f51d8c9d7

SHA1
118504f511580d254d4efda168e36d7265971a7c

SHA256
091c9862597f00a6e448f3de3e542e88b2df0b603d350a961a0fff40316e0336

SHA512
388761081d17474f00a1d23b534e50707073ed9ad73e0cfad54fdc800df8b5e7abc5e978a2466ef47dc6b92be69b882329a385ec021c9db969b7db7dfe4f14a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
2bbbdb35220e81614659f8e50e6b8a44

SHA1
7729a18e075646fb77eb7319e30d346552a6c9de

SHA256
73f853ad74a9ac44bc4edf5a6499d237c940c905d3d62ea617fbb58d5e92a8dd

SHA512
59c5c7c0fbe53fa34299395db6e671acfc224dee54c7e1e00b1ce3c8e4dfb308bf2d170dfdbdda9ca32b4ad0281cde7bd6ae08ea87544ea5324bcb94a631f899

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a3e6899b2d569fbac25b982a2a906560

SHA1
825daeaa9912877b43480f077762baca9aa6ad80

SHA256
44e5a8cf8ddfc13e1dd9bd5759a9c3811227f8b304de258882ddaeead768e914

SHA512
dcc76ae3b2d86ab4c7bd368feb92978a7437dc5741d5c9b2b45645b4866ca4b4e3d6ef6b88a54b149a0fbbeff8d631571be3edf6debb17a213d3183d62b3df7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
57f2379374a976dc5d58a2d353086ad9

SHA1
3c9106d4d6abf6deb08eabb8d1088ad05f70e622

SHA256
64a9c88dc4b4a41571c4304d0fd563e22f6f87fe28d2c14753cc3dc4f9c77623

SHA512
8e8aa84f5745bde0508a7af047c85d36a3304960eaa2d0be1a81cb341251e30ef1aa20fc0b8807b7dec1ad525cd65b546aeafe75c551a9080060785135212ae2

Download Submit