hxxp://sedoparking[.]com/frmpark/atlantichealth[.]com/skenzor7/park[.]js?reg_logo=netsol-logo[.]png&reg_href_text=This+Page+Is+Under+Construction+-+Coming+Soon!&reg_href_url=&reg_href_text_2=Why+am+I+seeing+this+'Under+Construction'+page?&reg_href_url_2=hxxp://atlantichealth[.]com/__media__/design/underconstructionnotice[.]php?d=atlantichealth[.]com

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2024 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://sedoparking.com/frmpark/atlantichealth.com/skenzor7/park.js?reg_logo=netsol-logo.png&reg_href_text=This+Page+Is+Under+Construction+-+Coming+Soon!&reg_href_url=&reg_href_text_2=Why+am+I+seeing+this+'Under+Construction'+page?&reg_href_url_2=http://atlantichealth.com/__media__/design/underconstructionnotice.php?d=atlantichealth.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
616	msedge.exe
616	msedge.exe
2472	msedge.exe
2472	msedge.exe
4704	identity_helper.exe
4704	identity_helper.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 1360	2472	msedge.exe	17
PID 2472 wrote to memory of 1360	2472	msedge.exe	17
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 4892	2472	msedge.exe	50
PID 2472 wrote to memory of 616	2472	msedge.exe	49
PID 2472 wrote to memory of 616	2472	msedge.exe	49
PID 2472 wrote to memory of 3772	2472	msedge.exe	48
PID 2472 wrote to memory of 3772	2472	msedge.exe	48
PID 2472 wrote to memory of 3772	2472	msedge.exe	48
PID 2472 wrote to memory of 3772	2472	msedge.exe	48
PID 2472 wrote to memory of 3772	2472	msedge.exe	48
PID 2472 wrote to memory of 3772	2472	msedge.exe	48
PID 2472 wrote to memory of 3772	2472	msedge.exe	48
PID 2472 wrote to memory of 3772	2472	msedge.exe	48
PID 2472 wrote to memory of 3772	2472	msedge.exe	48
PID 2472 wrote to memory of 3772	2472	msedge.exe	48
PID 2472 wrote to memory of 3772	2472	msedge.exe	48
PID 2472 wrote to memory of 3772	2472	msedge.exe	48
PID 2472 wrote to memory of 3772	2472	msedge.exe	48
PID 2472 wrote to memory of 3772	2472	msedge.exe	48
PID 2472 wrote to memory of 3772	2472	msedge.exe	48
PID 2472 wrote to memory of 3772	2472	msedge.exe	48
PID 2472 wrote to memory of 3772	2472	msedge.exe	48
PID 2472 wrote to memory of 3772	2472	msedge.exe	48
PID 2472 wrote to memory of 3772	2472	msedge.exe	48
PID 2472 wrote to memory of 3772	2472	msedge.exe	48

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://sedoparking.com/frmpark/atlantichealth.com/skenzor7/park.js?reg_logo=netsol-logo.png&reg_href_text=This+Page+Is+Under+Construction+-+Coming+Soon!&reg_href_url=&reg_href_text_2=Why+am+I+seeing+this+'Under+Construction'+page?&reg_href_url_2=http://atlantichealth.com/__media__/design/underconstructionnotice.php?d=atlantichealth.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe07f446f8,0x7ffe07f44708,0x7ffe07f44718
  2⤵
  PID:1360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,7249022885910078273,3026792083992665733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,7249022885910078273,3026792083992665733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,7249022885910078273,3026792083992665733,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,7249022885910078273,3026792083992665733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,7249022885910078273,3026792083992665733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:1112
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,7249022885910078273,3026792083992665733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,7249022885910078273,3026792083992665733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,7249022885910078273,3026792083992665733,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,7249022885910078273,3026792083992665733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,7249022885910078273,3026792083992665733,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,7249022885910078273,3026792083992665733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,7249022885910078273,3026792083992665733,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3116 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:564

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eb20b5930f48aa090358398afb25b683

SHA1
4892c8b72aa16c5b3f1b72811bf32b89f2d13392

SHA256
2695ab23c2b43aa257f44b6943b6a56b395ea77dc24e5a9bd16acc2578168a35

SHA512
d0c6012a0059bc1bb49b2f293e6c07019153e0faf833961f646a85b992b47896092f33fdccc893334c79f452218d1542e339ded3f1b69bd8e343d232e6c3d9e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c40665c25d33f758ad1a2b815a313806

SHA1
78d52194b9bbf13c2843fcd34568bcf08df07f6f

SHA256
0c6d479204c3e88acf3c00bfa94fc8b6a4516cb097b8cc13642b52e524283f09

SHA512
cf90247595648c423af1e24e5fbb21c98397fe997049b99f72652f2277ce656371de71a30ab1475bcb32820871f22904554016b3238445ec4506853320df5cb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e39eeef50895765b416735369280929b

SHA1
8f7d8128105f2a55c61f6f89563fa4142d0719cf

SHA256
71d556de7e86b3005205420de03d5a0e791892becfb403e848f708fc62f1c3c9

SHA512
03092f1429f85aa98bff2caa5249bd7017cc240fb67916c08b069f692964aeda64ccf218c8f7c1f6c3eeea6164c816f659156fce6ac53983089f8b8c6f9d5df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
2bbbdb35220e81614659f8e50e6b8a44

SHA1
7729a18e075646fb77eb7319e30d346552a6c9de

SHA256
73f853ad74a9ac44bc4edf5a6499d237c940c905d3d62ea617fbb58d5e92a8dd

SHA512
59c5c7c0fbe53fa34299395db6e671acfc224dee54c7e1e00b1ce3c8e4dfb308bf2d170dfdbdda9ca32b4ad0281cde7bd6ae08ea87544ea5324bcb94a631f899

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
82b21a8b259ff555e368975b2e549cab

SHA1
9a1a4372fbc3f0e00973ec950462ac898199d2b2

SHA256
5367d9c558e212b913ebbf85fd42cde5154068ad38f41277c87367d2198f89e3

SHA512
93839eb635a1bdd339d220cf17df610b84b593a9701d46824d1ede5c99bbc314755ec9063c82a6dfe2343a53e90ceb1e09e11eeead83576973d6158f20d84e48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6dc97e3bcd0a02c7c70f8786109f3dcc

SHA1
ce227d2b60ed6e3b101add7e242dbefdec2a78a4

SHA256
83d6271300b1a598fa7321fc37843e5f51ee37b95ac3f9ac25616b57c885d07c

SHA512
b4f4897b594ab3dfbb8f46804bae47c4aa801617010b656dad5833f1776259bf3b98b9e4c2b735fabcf15b73868ac676f6884b2ca0fa52b0f9dd9bdabd7dbc95

Download Submit