hxxps://www[.]optout-nvrw[.]net/o-rwlp-e61-470119243984a48bc2e73d0b1b965c67

Analysis

max time kernel
31s
max time network
33s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 15:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://www.optout-nvrw.net/o-rwlp-e61-470119243984a48bc2e73d0b1b965c67

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
220	msedge.exe
220	msedge.exe
640	msedge.exe
640	msedge.exe
1080	identity_helper.exe
1080	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 4996	640	msedge.exe	44
PID 640 wrote to memory of 4996	640	msedge.exe	44
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 2144	640	msedge.exe	89
PID 640 wrote to memory of 220	640	msedge.exe	90
PID 640 wrote to memory of 220	640	msedge.exe	90
PID 640 wrote to memory of 4364	640	msedge.exe	91
PID 640 wrote to memory of 4364	640	msedge.exe	91
PID 640 wrote to memory of 4364	640	msedge.exe	91
PID 640 wrote to memory of 4364	640	msedge.exe	91
PID 640 wrote to memory of 4364	640	msedge.exe	91
PID 640 wrote to memory of 4364	640	msedge.exe	91
PID 640 wrote to memory of 4364	640	msedge.exe	91
PID 640 wrote to memory of 4364	640	msedge.exe	91
PID 640 wrote to memory of 4364	640	msedge.exe	91
PID 640 wrote to memory of 4364	640	msedge.exe	91
PID 640 wrote to memory of 4364	640	msedge.exe	91
PID 640 wrote to memory of 4364	640	msedge.exe	91
PID 640 wrote to memory of 4364	640	msedge.exe	91
PID 640 wrote to memory of 4364	640	msedge.exe	91
PID 640 wrote to memory of 4364	640	msedge.exe	91
PID 640 wrote to memory of 4364	640	msedge.exe	91
PID 640 wrote to memory of 4364	640	msedge.exe	91
PID 640 wrote to memory of 4364	640	msedge.exe	91
PID 640 wrote to memory of 4364	640	msedge.exe	91
PID 640 wrote to memory of 4364	640	msedge.exe	91

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.optout-nvrw.net/o-rwlp-e61-470119243984a48bc2e73d0b1b965c67
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa47146f8,0x7fffa4714708,0x7fffa4714718
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,690567167730490078,5356225581635319515,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,690567167730490078,5356225581635319515,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,690567167730490078,5356225581635319515,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
  2⤵
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,690567167730490078,5356225581635319515,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:1380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,690567167730490078,5356225581635319515,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,690567167730490078,5356225581635319515,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
  2⤵
  PID:1692
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,690567167730490078,5356225581635319515,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,690567167730490078,5356225581635319515,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,690567167730490078,5356225581635319515,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,690567167730490078,5356225581635319515,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,690567167730490078,5356225581635319515,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,690567167730490078,5356225581635319515,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,690567167730490078,5356225581635319515,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
  2⤵
  PID:3240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,690567167730490078,5356225581635319515,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:2532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,690567167730490078,5356225581635319515,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,690567167730490078,5356225581635319515,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
  2⤵
  PID:3972

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\5615fa74-0193-4aff-b4a1-f034f86a572a.tmp

Filesize
11KB

MD5
4a5eff01cc925aa83d6543fc99b54e9c

SHA1
ccdaf374e5fb4de349f639ec334330dfae795f93

SHA256
7f95195d28df13d2c1d2e455a2084bf3e7c59841909d85213531f00fb38ca820

SHA512
2935ad3dea8ebf097dfb62459fa82b53b9c6b8b3b674fde7967d76b83ad30721edda9e03bb90f3bd6f3a809c035eb79a39ae3e717d9d85c32b73a51c337077d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1386433ecc349475d39fb1e4f9e149a0

SHA1
f04f71ac77cb30f1d04fd16d42852322a8b2680f

SHA256
a7c79320a37d3516823f533e0ca73ed54fc4cdade9999b9827d06ea9f8916bbc

SHA512
fcd5449c58ead25955d01739929c42ffc89b9007bc2c8779c05271f2d053be66e05414c410738c35572ef31811aff908e7fe3dd7a9cef33c27acb308a420280e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5a914c05eacb62037ccb3b8ed579b01b

SHA1
82030ba29da21b26a60b3010c834d2e45fc120ab

SHA256
00eeebcc9b8dba03bc41af3a45a7f762bad9d6ceddff97b7e5379750ccf53a1d

SHA512
bb6c2689206d0abcf9b14e28668f001ff8a5fe5aee581ae230dbbb1676f805bd9faa53e31cfa85b46ea67954417234db8727bf9c8a95aa8d3c2ae78dcfd6c1e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
457c7fe99ab68c4b674e7b99e8c800f5

SHA1
6427a9d958bf854759f47a689a2645518583cadf

SHA256
89d7eb39c214cdf1094568e599d96b94bc6b7a164b009bd87b1e8b8d3c4ac944

SHA512
231e4fc3ac8b0e4bfd9b86eb88f115fc62ddadd5c8b8e78158ff8cbaeeb9de9f0d24ee6147fa706c1a3172f21298a44bbe88dc054fee85f3b7c6a37620b67137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a1d2e8a0e8a7954586563d59228d73e3

SHA1
b617150d7450f91f939f6d017ff0a63d22bedbb7

SHA256
fdbf075ee26a5467400c6deeee8ef4847ced0f7c148ff2220db9bf3e43adf6c5

SHA512
05df92ecaf895a9a717aa3bfb5d2c79b2111f49198e1fc55dfedd97bafb66ae5fdb64b9cd06a79460ee6091df48f5b067b4fc61146bd1822a75ceff4f1a91d2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e664066e3aa135f185ed1c194b9fa1f8

SHA1
358ff3c6ad0580b8ae1e5ef2a89a4e597c2efdc5

SHA256
86e595be48dbc768a52d7ea62116036c024093e1302aced8c29dd6a2d9935617

SHA512
58710818b5f664006a5aa418da6c8cd3f709c2265bc161f81b9dfe6cdb8304fabaa4ce9deba419fe4281623feeeaa0321f481ae5855d347c6d8cf95968ee905e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3dd1a3c7ba70e295795365e91581e63f

SHA1
7491620b62f1b4c39959fb40396d7e805a591c4b

SHA256
6600b388312e1e473cfd1d30ea6c2a62bcc731f9f46a8f51e0beb934b11978f7

SHA512
d9c5909f7cdc3130c776b95aef3a7e37cde13c322b19db16162eb62ee49cc51efa2e6504d69ae78f79a196dea2f39ceb138ea214f53baebed71045ad3ede6341

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit