hxxps://filext[.]com/online-file-viewer[.]html

Analysis

max time kernel
36s
max time network
67s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2024 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://filext.com/online-file-viewer.html

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3208	msedge.exe
3208	msedge.exe
1676	msedge.exe
1676	msedge.exe
3864	msedge.exe
3864	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3864	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 4440	1676	msedge.exe	82
PID 1676 wrote to memory of 4440	1676	msedge.exe	82
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3004	1676	msedge.exe	92
PID 1676 wrote to memory of 3208	1676	msedge.exe	91
PID 1676 wrote to memory of 3208	1676	msedge.exe	91
PID 1676 wrote to memory of 4832	1676	msedge.exe	93
PID 1676 wrote to memory of 4832	1676	msedge.exe	93
PID 1676 wrote to memory of 4832	1676	msedge.exe	93
PID 1676 wrote to memory of 4832	1676	msedge.exe	93
PID 1676 wrote to memory of 4832	1676	msedge.exe	93
PID 1676 wrote to memory of 4832	1676	msedge.exe	93
PID 1676 wrote to memory of 4832	1676	msedge.exe	93
PID 1676 wrote to memory of 4832	1676	msedge.exe	93
PID 1676 wrote to memory of 4832	1676	msedge.exe	93
PID 1676 wrote to memory of 4832	1676	msedge.exe	93
PID 1676 wrote to memory of 4832	1676	msedge.exe	93
PID 1676 wrote to memory of 4832	1676	msedge.exe	93
PID 1676 wrote to memory of 4832	1676	msedge.exe	93
PID 1676 wrote to memory of 4832	1676	msedge.exe	93
PID 1676 wrote to memory of 4832	1676	msedge.exe	93
PID 1676 wrote to memory of 4832	1676	msedge.exe	93
PID 1676 wrote to memory of 4832	1676	msedge.exe	93
PID 1676 wrote to memory of 4832	1676	msedge.exe	93
PID 1676 wrote to memory of 4832	1676	msedge.exe	93
PID 1676 wrote to memory of 4832	1676	msedge.exe	93

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://filext.com/online-file-viewer.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc89b646f8,0x7ffc89b64708,0x7ffc89b64718
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,10055474740338566591,2182461572870849866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,10055474740338566591,2182461572870849866,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,10055474740338566591,2182461572870849866,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10055474740338566591,2182461572870849866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:1056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10055474740338566591,2182461572870849866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10055474740338566591,2182461572870849866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2148,10055474740338566591,2182461572870849866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5792 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
efc9c7501d0a6db520763baad1e05ce8

SHA1
60b5e190124b54ff7234bb2e36071d9c8db8545f

SHA256
7af7b56e2f0a84ae008785726f3404eb9001baa4b5531d0d618c6bdcb05a3a7a

SHA512
bda611ddba56513a30295ea5ca8bc59e552154f860d13fed97201cdb81814dd6d1bca7deca6f8f58c9ae585d91e450f4383a365f80560f4b8e59a4c8b53c327d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
651edf3ad4891030c182bea6c842d85b

SHA1
3c9a5e200eba59e827ea2bdfa6a2f8cd0e1fb60a

SHA256
981611ab2792ae45bc5f8a0e7cca4c1db144f77b70353de4c4f636ee1c591f48

SHA512
63f22a1bd7b02ff8cd657eb7530781cee50a880a1ce82441632036b2836869fd2d3f309778d91b90c4d896707772ea8165b593cb57e5785c8200c9f6a132c7c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e121ced5be3d8856668eb17f81546892

SHA1
d0d2c5f1df7fdf4a1e9a3d808ea3f41099865d65

SHA256
c96a77054778936f03179705a6552fc11480afe12d47f24848688e695db5a016

SHA512
5d57b933e1ff8c822f296380a9d3b8e5fece38ba7b6f1d5012401d892c095512d6fdca422f329be097418882e659508343de9585131bb6f0c0ed1e4a37d1f11b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6721587f0df6a9ecca6a9ebf68e4bfb9

SHA1
1f414de50b3ae4b0e6c5957b8985844b5d8dcdac

SHA256
7e2fa163467882ecddc0849883a42f5188dd1d8576d580f7fed642ad81d8dffd

SHA512
258c3c736edb191913d2c76c0b3e36fd29016f825681570bdee6848d533d4173ef52dd81c7e1cc917887abae6775cc2963af5f27c3b5557c19a85d26bb82c60b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
121510c1483c9de9fdb590c20526ec0a

SHA1
96443a812fe4d3c522cfdbc9c95155e11939f4e2

SHA256
cf5d26bc399d0200a32080741e12f77d784a3117e6d58e07106e913f257aa46c

SHA512
b367741da9ab4e9a621ad663762bd9c459676e0fb1412e60f7068834cbd5c83b050608e33d5320e1b191be1d809fef48831e0f42b3ecabd38b24ec222576fa81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
02c2f6e5a199a1260e810f2f939f825c

SHA1
f3891a19f3efbb1dc40328b5792b1f1845c91efa

SHA256
0092cc24b11542c0133c2d81006ae89e47ce1cc035e31f1c84c438ac0b209b8b

SHA512
7eab84ed94df33d1412cd77bfdd8d572a5bc3aa1a432543287b36d960ab40af707e77ed81c77d4248106b77e36a3fbcaddbc1dc7a16960802806e46a92703b47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe588cf9.TMP

Filesize
371B

MD5
94d2b7a120a77cda4ff4102c3bec4ef8

SHA1
14ea4a280a305ded02e5447b376ddcc8a960ecb7

SHA256
6800820c39f93c87663a37aafbca0c9d5de882a7dae0803746ab65f9a109823d

SHA512
4c8a66842a44c70f1ee7ee08898ede7f8b86e7855882e137cd620e6ad7263ea26d64edb89cd36d9e5cc75269a043f3610060696b305c2775d8adfb62f017dae5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
009abfa7d7e24f8183f92d075ec313b0

SHA1
152f2e1adb151a8bf558f2d9597fddd277562a21

SHA256
9d558e731be09ba632fc8f66986cb3639bd8e4bec23734a1c21cc544ac2b8b66

SHA512
bd587a57fe247b39a73e0bc6927f3a9cd44a83b7664015b02d5463c370c9090c3ca529bacdaf80b583ea088d0804441b75f4d6ff7c634bd8dc1a1126e8ee9bf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c5033789e692d1e93a13daa9557459f3

SHA1
8f63368b5071802fa4554f7f646e65b3828871eb

SHA256
a887f591d903c14f0a80deb80a0f6e79b3061518a540a533904b03dceb21edd8

SHA512
d153245128b0eba077eab2899712fe4f3891f76bea7b6d693651b087202831c538ad6264d805a5962c8b7fcd1652744b46a94f13a97a91c4e8dade2d397a893a

Download Submit