Analysis
max time kernel: 149s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/01/2024, 08:15
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://booking.hotel-id8371.pw/apartment/12345?token=ff8fe01e-a454-4131-ac04-0b82b97b874a
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: https://booking.hotel-id8371.pw/apartment/12345?token=ff8fe01e-a454-4131-ac04-0b82b97b874a
Resource: win10v2004-20231215-en
General
Target: https://booking.hotel-id8371.pw/apartment/12345?token=ff8fe01e-a454-4131-ac04-0b82b97b874a
Malware Config
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
description        ioc                                                                    Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName    msedge.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid   Process
4412  msedge.exe
4412  msedge.exe
1568  msedge.exe
1568  msedge.exe
1252  identity_helper.exe
1252  identity_helper.exe
5544  msedge.exe
5544  msedge.exe
5544  msedge.exe
5544  msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
pid   Process
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe

Suspicious use of FindShellTrayWindow (25 IoCs)
pid   Process
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe

Suspicious use of SendNotifyMessage (24 IoCs)
pid   Process
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe
1568  msedge.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description                        pid   Process     procid_target
PID 1568 wrote to memory of 3196   1568  msedge.exe  14
PID 1568 wrote to memory of 3196   1568  msedge.exe  14
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 2584   1568  msedge.exe  24
PID 1568 wrote to memory of 4412   1568  msedge.exe  23
PID 1568 wrote to memory of 4412   1568  msedge.exe  23
PID 1568 wrote to memory of 4672   1568  msedge.exe  22
PID 1568 wrote to memory of 4672   1568  msedge.exe  22
PID 1568 wrote to memory of 4672   1568  msedge.exe  22
PID 1568 wrote to memory of 4672   1568  msedge.exe  22
PID 1568 wrote to memory of 4672   1568  msedge.exe  22
PID 1568 wrote to memory of 4672   1568  msedge.exe  22
PID 1568 wrote to memory of 4672   1568  msedge.exe  22
PID 1568 wrote to memory of 4672   1568  msedge.exe  22
PID 1568 wrote to memory of 4672   1568  msedge.exe  22
PID 1568 wrote to memory of 4672   1568  msedge.exe  22
PID 1568 wrote to memory of 4672   1568  msedge.exe  22
PID 1568 wrote to memory of 4672   1568  msedge.exe  22
PID 1568 wrote to memory of 4672   1568  msedge.exe  22
PID 1568 wrote to memory of 4672   1568  msedge.exe  22
PID 1568 wrote to memory of 4672   1568  msedge.exe  22
PID 1568 wrote to memory of 4672   1568  msedge.exe  22
PID 1568 wrote to memory of 4672   1568  msedge.exe  22
PID 1568 wrote to memory of 4672   1568  msedge.exe  22
PID 1568 wrote to memory of 4672   1568  msedge.exe  22
PID 1568 wrote to memory of 4672   1568  msedge.exe  22
Processes

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcf30b46f8,0x7ffcf30b4708,0x7ffcf30b4718
PID: 3196

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://booking.hotel-id8371.pw/apartment/12345?token=ff8fe01e-a454-4131-ac04-0b82b97b874a
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 1568

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,10764603168406038202,4540078704599051816,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
  PID: 4672

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,10764603168406038202,4540078704599051816,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
  PID: 4412

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,10764603168406038202,4540078704599051816,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  PID: 2584

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10764603168406038202,4540078704599051816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
  PID: 1264

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10764603168406038202,4540078704599051816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:1
  PID: 1704

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10764603168406038202,4540078704599051816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  PID: 2012

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10764603168406038202,4540078704599051816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1
  PID: 3732

  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,10764603168406038202,4540078704599051816,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID: 1252

  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,10764603168406038202,4540078704599051816,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
  PID: 2644

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10764603168406038202,4540078704599051816,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  PID: 1948

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10764603168406038202,4540078704599051816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  PID: 3588

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10764603168406038202,4540078704599051816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
  PID: 1768

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10764603168406038202,4540078704599051816,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  PID: 2724

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10764603168406038202,4540078704599051816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
  PID: 6108

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10764603168406038202,4540078704599051816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2664 /prefetch:1
  PID: 3496

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,10764603168406038202,4540078704599051816,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5904 /prefetch:2
  - Suspicious behavior: EnumeratesProcesses
  PID: 5544

C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 2032

C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 4788
Network
MITRE ATT&CK Enterprise v15
Downloads