hxxp://steamcommunity[.]com/gift/7656685934762596

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2024 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://steamcommunity.com/gift/7656685934762596

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
680	msedge.exe
680	msedge.exe
1160	msedge.exe
1160	msedge.exe
4132	identity_helper.exe
4132	identity_helper.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 3884	1160	msedge.exe	32
PID 1160 wrote to memory of 3884	1160	msedge.exe	32
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 984	1160	msedge.exe	91
PID 1160 wrote to memory of 680	1160	msedge.exe	90
PID 1160 wrote to memory of 680	1160	msedge.exe	90
PID 1160 wrote to memory of 3144	1160	msedge.exe	92
PID 1160 wrote to memory of 3144	1160	msedge.exe	92
PID 1160 wrote to memory of 3144	1160	msedge.exe	92
PID 1160 wrote to memory of 3144	1160	msedge.exe	92
PID 1160 wrote to memory of 3144	1160	msedge.exe	92
PID 1160 wrote to memory of 3144	1160	msedge.exe	92
PID 1160 wrote to memory of 3144	1160	msedge.exe	92
PID 1160 wrote to memory of 3144	1160	msedge.exe	92
PID 1160 wrote to memory of 3144	1160	msedge.exe	92
PID 1160 wrote to memory of 3144	1160	msedge.exe	92
PID 1160 wrote to memory of 3144	1160	msedge.exe	92
PID 1160 wrote to memory of 3144	1160	msedge.exe	92
PID 1160 wrote to memory of 3144	1160	msedge.exe	92
PID 1160 wrote to memory of 3144	1160	msedge.exe	92
PID 1160 wrote to memory of 3144	1160	msedge.exe	92
PID 1160 wrote to memory of 3144	1160	msedge.exe	92
PID 1160 wrote to memory of 3144	1160	msedge.exe	92
PID 1160 wrote to memory of 3144	1160	msedge.exe	92
PID 1160 wrote to memory of 3144	1160	msedge.exe	92
PID 1160 wrote to memory of 3144	1160	msedge.exe	92

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://steamcommunity.com/gift/7656685934762596
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff7ac746f8,0x7fff7ac74708,0x7fff7ac74718
  2⤵
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,12137796878667509675,2192583826609917648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,12137796878667509675,2192583826609917648,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,12137796878667509675,2192583826609917648,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12137796878667509675,2192583826609917648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:1880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12137796878667509675,2192583826609917648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12137796878667509675,2192583826609917648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,12137796878667509675,2192583826609917648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5972 /prefetch:8
  2⤵
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,12137796878667509675,2192583826609917648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5972 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12137796878667509675,2192583826609917648,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12137796878667509675,2192583826609917648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
  2⤵
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12137796878667509675,2192583826609917648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:5296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12137796878667509675,2192583826609917648,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:5304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,12137796878667509675,2192583826609917648,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5528 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5744

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4d6e17218d9a99976d1a14c6f6944c96

SHA1
9e54a19d6c61d99ac8759c5f07b2f0d5faab447f

SHA256
32e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93

SHA512
3fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
672B

MD5
ee7d3382b02ca99d2b156174d11d153a

SHA1
b6f3a3f36e5bd30e03390ef1862ec0135af705b6

SHA256
122132b933b63ce6f9e4655248095ddde5cc907a955a03f6d773c9d6e682f955

SHA512
1bce4f77f1b67a85f94c9d1bf403a77acc0b16e45f3fa787bc0f954a33bc2dcdd23cd3990c81f21d1b31e7e3c0e8d44ddcb5ca67f686f79a3898c55fdb4e516f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
484B

MD5
951ada5d90ba54f847831f372e176694

SHA1
8b6d1c713b5da3071e394cb8e16c614954b63b7b

SHA256
37fff6fd0bd97006373663ac75dddf768b562ba9f0ee1be87861cac26b793b05

SHA512
a45467868193831901277b351b332bfedf6ffe0b69787263fc01c2d35b5a3a7a2028f83306d263bead18f12a94a74fbe73bf03aa6ab612519ab5daea5c4366d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9655d90bbb51901312b87f2d87aafbe2

SHA1
5a2b709531ce22dc4a8585281302ecf7bc8a0fb0

SHA256
602179bc1b82c09577808fcb9468f7b8cbc564b97736affb7eb50793ab9ef4a7

SHA512
4a43b1b8557ce1be92d579736ed9228a4eededf84db9e60b870ed651d94b4d8cd2f061651f947483a651134f44f7299c17cf0dea3055779e63b931c99e5127ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
aca2913de25261e878210e181137bf52

SHA1
bd591a4cde86e3455494659f0dae072f8cd4546f

SHA256
692ba24a29e6e4d1e4fbe4a64310e0bc67407a37c88113b1de319159a532bb32

SHA512
48fd6330d10614ce669ce46a86de56a6603994f0ceb2e1696da1a2c920875faffb210a66058dd3fed4358747f5740a17ff657bf5faf2544b2ce6ef4595a3209f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2782fc21c1b132f20e70569fdda7b217

SHA1
7eb1c7956dc21997c0c0bd5e561724cf2e4e3828

SHA256
981c5c06ba14a1f35eb47e7a3f7918afabed8c4384f380887667ac7c41f07d29

SHA512
00f645f8cd5fce852fd31d6974a388dd146cde2abaf90c97b06e341d24f8f786216de9f1698b3028a3acb75bc09985c9a63337ab1be990b20cba73391059a87e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
c2ef1d773c3f6f230cedf469f7e34059

SHA1
e410764405adcfead3338c8d0b29371fd1a3f292

SHA256
185450d538a894e4dcf55b428f506f3d7baa86664fbbc67afd6c255b65178521

SHA512
2ef93803da4d630916bed75d678382fd1c72bff1700a1a72e2612431c6d5e11410ced4eaf522b388028aeadb08e8a77513e16594e6ab081f6d6203e4caa7d549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b981be490da7c2abb34ac0143f58ab78

SHA1
24d150dc444bc7032deb309e6f1334a1115ea64b

SHA256
1e7f9997a836f11f3f23f3eb84eaf0cbb985acc806fb3d1ba62df8f83a0f9657

SHA512
012e2748e8123fc978a43b64044799ad20357dea300b24ba57bbbf6524bc83496b28b2b124cb3c52585b38a83ec024fe2df7ed5455b27cc656b7b98005def6fd

Download Submit