hxxps://cutt[.]ly/zwHO5SUd

Analysis

max time kernel
135s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2024 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cutt.ly/zwHO5SUd

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2656	msedge.exe
2656	msedge.exe
1692	msedge.exe
1692	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 1516	1692	msedge.exe	89
PID 1692 wrote to memory of 1516	1692	msedge.exe	89
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 4136	1692	msedge.exe	92
PID 1692 wrote to memory of 2656	1692	msedge.exe	91
PID 1692 wrote to memory of 2656	1692	msedge.exe	91
PID 1692 wrote to memory of 564	1692	msedge.exe	93
PID 1692 wrote to memory of 564	1692	msedge.exe	93
PID 1692 wrote to memory of 564	1692	msedge.exe	93
PID 1692 wrote to memory of 564	1692	msedge.exe	93
PID 1692 wrote to memory of 564	1692	msedge.exe	93
PID 1692 wrote to memory of 564	1692	msedge.exe	93
PID 1692 wrote to memory of 564	1692	msedge.exe	93
PID 1692 wrote to memory of 564	1692	msedge.exe	93
PID 1692 wrote to memory of 564	1692	msedge.exe	93
PID 1692 wrote to memory of 564	1692	msedge.exe	93
PID 1692 wrote to memory of 564	1692	msedge.exe	93
PID 1692 wrote to memory of 564	1692	msedge.exe	93
PID 1692 wrote to memory of 564	1692	msedge.exe	93
PID 1692 wrote to memory of 564	1692	msedge.exe	93
PID 1692 wrote to memory of 564	1692	msedge.exe	93
PID 1692 wrote to memory of 564	1692	msedge.exe	93
PID 1692 wrote to memory of 564	1692	msedge.exe	93
PID 1692 wrote to memory of 564	1692	msedge.exe	93
PID 1692 wrote to memory of 564	1692	msedge.exe	93
PID 1692 wrote to memory of 564	1692	msedge.exe	93

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cutt.ly/zwHO5SUd
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe84a346f8,0x7ffe84a34708,0x7ffe84a34718
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,14265778564681521664,12170118219004008495,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,14265778564681521664,12170118219004008495,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
  2⤵
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,14265778564681521664,12170118219004008495,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
  2⤵
  PID:564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14265778564681521664,12170118219004008495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14265778564681521664,12170118219004008495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14265778564681521664,12170118219004008495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2176,14265778564681521664,12170118219004008495,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5804 /prefetch:8
  2⤵
  PID:2836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3244

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f8 0x2f4
1⤵
PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
efc9c7501d0a6db520763baad1e05ce8

SHA1
60b5e190124b54ff7234bb2e36071d9c8db8545f

SHA256
7af7b56e2f0a84ae008785726f3404eb9001baa4b5531d0d618c6bdcb05a3a7a

SHA512
bda611ddba56513a30295ea5ca8bc59e552154f860d13fed97201cdb81814dd6d1bca7deca6f8f58c9ae585d91e450f4383a365f80560f4b8e59a4c8b53c327d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
c3b73e63cb3bfb4d5679a0921c7cbd83

SHA1
692c8b3f43d13a9fc4ccd097c7bab3a507621c02

SHA256
d644eccd0ad6ec4f46f375737dd9439a9abadf9848abb0c470349cc1f97de9cc

SHA512
cf57fecfbb39ce5e490372cada43e45ab6e4ddcbd6b26d9e2f180a8c1293acee7eecb15d83d68f3c29a22a88ff021d0161dc6b32ebf164889a9308ca30402d48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
68793cdd6a50f080ff91f2c1ef1e900e

SHA1
937e76dc38cacc7daf04af4716dfee5b1a01eb2f

SHA256
2a9e9c2cac71570ecd98e2be0678974f85de116ae2b7f16ffc2ae2189710ab20

SHA512
be79ffd31f297ca45e35e3883dda666999fd4128f72d69a12912f23c0c300cc1625b477f7e02574613d40c310b8df6a70602a20543391a1742bf146cbe987391

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bea70fb048e033f51f788f9aa48ce45c

SHA1
0861fc266e2b1b83360433c7303b00e1dd71e552

SHA256
429a8b6da1de24604ed8380041269068401b982b0170290545865d63c650ad96

SHA512
eb45861703fee3e5aa19d3b97679f8269a694efec5ea57c8f838ec5bdc61a4ff3ba1ae8fb7f58daf80c1221e51dad31a9cc319d5cfd40c7d2a3e03ba4392fc48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f92f7dd5a56fa11307e978b34eeeba13

SHA1
b2eba4c9a95061a329956ab90f054b4e2ba6ec7c

SHA256
ee8f2824d805a3c47ebaafb39beb434e42e059d764516192c5c7095b83a9e2e1

SHA512
fbed8cf6bcf7cd9f50be003724b4955878093d3dd56ec3919c811a995aa706dee50dbab9650029c745945e7f88a875105d0fffffbbce110784a00dda1458cf5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
88cdbdc7959c245c7e737cbf875393a7

SHA1
63e239d217eeb072e22a9d987ef05eb09d9ff623

SHA256
0f2d9c9da274b875c0c45070939ea6ff1931cef7a2df3fcda01a1ceeceee8da2

SHA512
c39bc036789b1057d72dc76fe4417aca83be4d653b3b4b7cfebe340c993e63e6f5777731ee3ace41cf1758d5d6e93a2a5cbfac3ac4f31c1cb2d8624d0e9c7d3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
121510c1483c9de9fdb590c20526ec0a

SHA1
96443a812fe4d3c522cfdbc9c95155e11939f4e2

SHA256
cf5d26bc399d0200a32080741e12f77d784a3117e6d58e07106e913f257aa46c

SHA512
b367741da9ab4e9a621ad663762bd9c459676e0fb1412e60f7068834cbd5c83b050608e33d5320e1b191be1d809fef48831e0f42b3ecabd38b24ec222576fa81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5f6e4edcbdb3f09cb42e36fbda818f86

SHA1
0f09c9dd708fe6edead5c071030a86f13826b30f

SHA256
19535f3ae7b57acb53efdfc1e7124188784f8402120fc9c2275bea807b8c0296

SHA512
8c4773d8a1efc210480bec3a1e0018f51e90c1baec577ff7c048e2e79962e9257f36a63f2d904d81cd128ceaf141163b6971657051d02bba8e51d9931d9f8e74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584ddd.TMP

Filesize
1KB

MD5
44ef0c5cbbf28e38ebaa6d5f44818798

SHA1
c6ac375c455d5134186bd1f3dffd6ca0f9397cad

SHA256
572d2bb9198b53b42bd3ba633c765d91a5b9b77c82a3476963a33162421be720

SHA512
6144f93a549da8e8b7279e4126d4619c225a1df1177efddfef1584e0cd1470315b79af893d36f2ea69f3fe17f3ce01b10c1e867cefe05e7c8f7007bc60ab1af4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e09b0b2dce405fe5f820526f2ff00b90

SHA1
c3fdc3b7937011b6a5f30bb161a54b54b01f7eda

SHA256
f38a393bb72028defda14bba0ad58f54cca6db84cc6bba3ed134a718c895b287

SHA512
11abc1476803cfb267b5b581dd8f2581b4934a4d5b6700208fe5a3db6ec0915720909a5226584999cc4df71b9aa4d9319869d2e59dee26f5fcfd8d609729dd00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8fa91f4af63763900a7d5b399f41ba78

SHA1
855973b65473173ff82fb0574a19e812b9f94a4f

SHA256
2c1ee9515ac4f83085f1d9ae81ff68cd207b6da3f1fd147ac60038ec71aabf5f

SHA512
1024f1649603dbf3378dcfb067b7ae1d8d6f770ad4dbb6455d5830fe28b38e4fc533985d01b6bc5854bf938cc28cca6fd586de8cbe92324269b117a8f931b1f3

Download Submit