hxxps://mandrillapp[.]com/track/click/30551501/us-app[.]justride[.]com?p=eyJzIjoiUFoxVE4tMnpiTndYcks4MmpLcXZaQld5S1pjIiwidiI6MSwicCI6IntcInVcIjozMDU1MTUwMSxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3VzLWFwcC5qdXN0cmlkZS5jb21cXFwvd2Vic2FsZXMtY2xpZW50XFxcL1JURERFTlZFUlxcXC9yZXNldFBhc3N3b3JkXFxcLz9yZXNldD00ZWViMzYxZS1mM2Q3LTQ0YWYtYmU0NS05ZjM3Mzc1MTYwOWUmbGFuZz1lbl9VU1wiLFwiaWRcIjpcImE5NmJjYjc3NmY0NDQzMzBhNjMzM2QxZTdkOTRhODdjXCIsXCJ1cmxfaWRzXCI6W1wiY2FlZDIzZjQ4MmUwZmU2YjE0YjcxM2VhZDliMTBlMDhiY2ExYzU0YVwiXX0ifQ

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mandrillapp.com/track/click/30551501/us-app.justride.com?p=eyJzIjoiUFoxVE4tMnpiTndYcks4MmpLcXZaQld5S1pjIiwidiI6MSwicCI6IntcInVcIjozMDU1MTUwMSxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3VzLWFwcC5qdXN0cmlkZS5jb21cXFwvd2Vic2FsZXMtY2xpZW50XFxcL1JURERFTlZFUlxcXC9yZXNldFBhc3N3b3JkXFxcLz9yZXNldD00ZWViMzYxZS1mM2Q3LTQ0YWYtYmU0NS05ZjM3Mzc1MTYwOWUmbGFuZz1lbl9VU1wiLFwiaWRcIjpcImE5NmJjYjc3NmY0NDQzMzBhNjMzM2QxZTdkOTRhODdjXCIsXCJ1cmxfaWRzXCI6W1wiY2FlZDIzZjQ4MmUwZmU2YjE0YjcxM2VhZDliMTBlMDhiY2ExYzU0YVwiXX0ifQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
732	msedge.exe
732	msedge.exe
2668	msedge.exe
2668	msedge.exe
4796	identity_helper.exe
4796	identity_helper.exe
2412	msedge.exe
2412	msedge.exe
2412	msedge.exe
2412	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 844	2668	msedge.exe	14
PID 2668 wrote to memory of 844	2668	msedge.exe	14
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 1460	2668	msedge.exe	26
PID 2668 wrote to memory of 732	2668	msedge.exe	17
PID 2668 wrote to memory of 732	2668	msedge.exe	17
PID 2668 wrote to memory of 220	2668	msedge.exe	25
PID 2668 wrote to memory of 220	2668	msedge.exe	25
PID 2668 wrote to memory of 220	2668	msedge.exe	25
PID 2668 wrote to memory of 220	2668	msedge.exe	25
PID 2668 wrote to memory of 220	2668	msedge.exe	25
PID 2668 wrote to memory of 220	2668	msedge.exe	25
PID 2668 wrote to memory of 220	2668	msedge.exe	25
PID 2668 wrote to memory of 220	2668	msedge.exe	25
PID 2668 wrote to memory of 220	2668	msedge.exe	25
PID 2668 wrote to memory of 220	2668	msedge.exe	25
PID 2668 wrote to memory of 220	2668	msedge.exe	25
PID 2668 wrote to memory of 220	2668	msedge.exe	25
PID 2668 wrote to memory of 220	2668	msedge.exe	25
PID 2668 wrote to memory of 220	2668	msedge.exe	25
PID 2668 wrote to memory of 220	2668	msedge.exe	25
PID 2668 wrote to memory of 220	2668	msedge.exe	25
PID 2668 wrote to memory of 220	2668	msedge.exe	25
PID 2668 wrote to memory of 220	2668	msedge.exe	25
PID 2668 wrote to memory of 220	2668	msedge.exe	25
PID 2668 wrote to memory of 220	2668	msedge.exe	25

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd8fd546f8,0x7ffd8fd54708,0x7ffd8fd54718
1⤵
PID:844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mandrillapp.com/track/click/30551501/us-app.justride.com?p=eyJzIjoiUFoxVE4tMnpiTndYcks4MmpLcXZaQld5S1pjIiwidiI6MSwicCI6IntcInVcIjozMDU1MTUwMSxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3VzLWFwcC5qdXN0cmlkZS5jb21cXFwvd2Vic2FsZXMtY2xpZW50XFxcL1JURERFTlZFUlxcXC9yZXNldFBhc3N3b3JkXFxcLz9yZXNldD00ZWViMzYxZS1mM2Q3LTQ0YWYtYmU0NS05ZjM3Mzc1MTYwOWUmbGFuZz1lbl9VU1wiLFwiaWRcIjpcImE5NmJjYjc3NmY0NDQzMzBhNjMzM2QxZTdkOTRhODdjXCIsXCJ1cmxfaWRzXCI6W1wiY2FlZDIzZjQ4MmUwZmU2YjE0YjcxM2VhZDliMTBlMDhiY2ExYzU0YVwiXX0ifQ
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,15452466288111657144,10966287410896932746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15452466288111657144,10966287410896932746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15452466288111657144,10966287410896932746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,15452466288111657144,10966287410896932746,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,15452466288111657144,10966287410896932746,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,15452466288111657144,10966287410896932746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  PID:3892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15452466288111657144,10966287410896932746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,15452466288111657144,10966287410896932746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15452466288111657144,10966287410896932746,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15452466288111657144,10966287410896932746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15452466288111657144,10966287410896932746,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15452466288111657144,10966287410896932746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,15452466288111657144,10966287410896932746,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4256 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4188

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
187B

MD5
926038d747d0f0d30817276167ea1999

SHA1
7c0ac557321ff89ed62cf56c5ad2a9f676e8c96f

SHA256
36e77825bb84b004e5832dd37d53d1e397ca36e012a6a73946ed56a09bc4717b

SHA512
e5b82f35b606234cb7298aecb3c1a2f39f146609599699c2ece45630dc8fa4a098e38d454988923fe17e5d0b9ea111bc3dcd35a5100638aa127d966d78da96bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b37a0497de47601f5c6b838764b9e129

SHA1
cb1d348cf81aa1988a0bf842511aad1b69b5b6f3

SHA256
50f0571ba0b6bb914917d70d9b943ede3d4be19ca2904e4c43010b9584fd73e9

SHA512
07739111fbdab7e9c6c14ada00ddac03b1e4f13c1532d529300e9f45ad60932b6b55163b24213ab67feab11f61b379bb34da23d360f9ac735df86537e30feb98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
506334251a95697ca713e42e3d0be019

SHA1
81b4a608dae01d6bd834ae161432f870cb60c25a

SHA256
a3af7f0b4ec585650c3a9fb74eb09bd42fddf77b2772813d616318dfd519c3dd

SHA512
d3b9f2e2257b05aca486f178a3bae74069caa3b9002f92ab575aa9d47ad9bf1ac86ca3c16eb34fbff68ae13f50f2e8730b1c69b4c95dec80dd565ac476b3f508

Download Submit