hxxps://vmqe4kz1y2gq-1323563947[.]cos[.]ap-jakarta[.]myqcloud[.]com/vmqe4kz1y2gq[.]html

Analysis

max time kernel
145s
max time network
142s
platform
windows11-21h2_x64
resource
win11-20231222-en
resource tags

arch:x64arch:x86image:win11-20231222-enlocale:en-usos:windows11-21h2-x64system
submitted
18-01-2024 00:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://vmqe4kz1y2gq-1323563947.cos.ap-jakarta.myqcloud.com/vmqe4kz1y2gq.html

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
2296	msedge.exe
2296	msedge.exe
428	msedge.exe
428	msedge.exe
1048	msedge.exe
1048	msedge.exe
2844	identity_helper.exe
2844	identity_helper.exe
796	msedge.exe
796	msedge.exe
796	msedge.exe
796	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

428 msedge.exe
428 msedge.exe
428 msedge.exe
428 msedge.exe
428 msedge.exe
428 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 428 wrote to memory of 3456	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3456	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 3380	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 2296	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 2296	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 2024	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 2024	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 2024	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 2024	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 2024	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 2024	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 2024	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 2024	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 2024	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 2024	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 2024	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 2024	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 2024	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 2024	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 2024	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 2024	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 2024	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 2024	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 2024	428	msedge.exe	msedge.exe
PID 428 wrote to memory of 2024	428	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://vmqe4kz1y2gq-1323563947.cos.ap-jakarta.myqcloud.com/vmqe4kz1y2gq.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffc9793cb8,0x7fffc9793cc8,0x7fffc9793cd8
2⤵
PID:3456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,13243393682152784890,3245074251295635129,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,13243393682152784890,3245074251295635129,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
2⤵
PID:3380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,13243393682152784890,3245074251295635129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
2⤵
PID:2024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13243393682152784890,3245074251295635129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
2⤵
PID:1076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13243393682152784890,3245074251295635129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
2⤵
PID:3304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,13243393682152784890,3245074251295635129,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13243393682152784890,3245074251295635129,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
2⤵
PID:1328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13243393682152784890,3245074251295635129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
2⤵
PID:1504

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,13243393682152784890,3245074251295635129,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13243393682152784890,3245074251295635129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
2⤵
PID:780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13243393682152784890,3245074251295635129,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
2⤵
PID:1100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,13243393682152784890,3245074251295635129,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4800 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:796

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:780

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Filesize
330B

MD5
d8dc7acad9531fde4ac97a525bcc170b

SHA1
668dafb1e6c0470ed14f92e75cb5e7f568d35ccd

SHA256
895f7a9ede17759b6cff4d3aaa0aeba459a55122e1e7e3ba4535c5b1f121338b

SHA512
24a17a4c28e537db8199daa16e070e85f498842eeec1e7db389b17193619abfa7f7f2e5e37b12b78874d7a2337cf404ff69077a5251de09068e366d05500d53b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0bed556ffeb1e69835b408d733b041f0

SHA1
e2aec94abd489a26f36a9694c7ef3903af6409b6

SHA256
7d60b9117a935eaba25d7273a5b5e8ba04ece22672661ecb37a3c8a08f61def3

SHA512
47d492a7c72f9d12511f070d7d28451b1c52c5f0d446890e704b02bbc51330b1890c5ac4e050d514ff1bfd9c64421adeebee114718042af5aee3f5fdfb413fc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
240B

MD5
86b82c28624a6b6ea68fef538408dc77

SHA1
85fcc8ed48323b54d6088d2edbb2ab2d0e30295e

SHA256
886cfecfe2d3871239460254e3365f6e57fadb2be4a105a3a53714ebce6ce33b

SHA512
aa082e7af9c90bf09b59ba4aab37b56c67ad21c25dd32ac9e88188b3755ca97b38bb3086460d548c1b8b55b193d8f45135a162642c5e87b2677623d4214f4594

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
968B

MD5
61cec52844d0ba83dcd4b9afca6fa025

SHA1
5e76ab796cb674f94ffb6080c60c99e5707ff178

SHA256
ff45f4a920f1fc5587262587a02dc1f272ee4278044276c54dd9ddaa1c702fb3

SHA512
4abe9515e9fa754a8b6b3bb6350743d124ee5364ebfea9c567b3f799008b864630d6489d50a1546708e87711f96c9f830506fd68ede92714c27df3f322ebeade

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
96643be66f8fcadb1533848decda7b90

SHA1
a65ae77a1caa99d92900e5da9caea723b55d3f1a

SHA256
60440eac7c036409ec241fe681e238db0e6c369a111e57c1e00088b5dac74a4f

SHA512
2d58ec2a08b19df1b23071820dcd1b8209f1fee9c58325f6e651523ef9420113e867ad02931dfb4fbc99c1d03c789467ae153021b875ae73fb83fa7ba35fe2c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
581de23ac12fd5b23700eb97f694d1fa

SHA1
02f7926fa4913d8cc1dc7d3ef17c537a2cca94ec

SHA256
ff0d34f1af5256ab01aa0f1d79d1bfb0d8d69adb3677a1d87727f090e5039ac9

SHA512
bffd41d01c52953c8ea2cdd1f89a17a19733f854a0d51737e1c653239794099020650a083a9e58c2ace76511d63618373e1c700ac10171bd699ef7457be81dee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
25KB

MD5
5e1542ec05a1840cfb56ae87d1c2e16e

SHA1
25bdd95b83b7c614a6446609cff6ecbcab58d9d8

SHA256
41acd6ffea81ff1b8b58a4693696a397817473eb899edbf6606314820a8e40b8

SHA512
12c32368cbedc3d2515907ab740c75022fc4eaecec9b45734f346db0df209e667b066b2fcd891e84193868ecec8b892e7b484c66a8b329562bad53a69b25c0db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
000e5ba76609fc6bde068aaf08f99ab2

SHA1
fdc2ad421e44a7f87f563aded56f4b57fd3a6396

SHA256
f9e16ac2426684113e5e929a49c80902ca00448d31f1d18b65ad26891697cf77

SHA512
5b5deeb866631fdf41699f583299bc0bbcf0239ff9b45229e459e691a4f86e147b87dcda118d52deef9fb5b727bc810ea4e481a93b34e09c7d6c4e0ad39debdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
e35e3bdbf73a6806eeeface590ea538f

SHA1
5f594aec6fff5737e5b092aef4fe50811294b2e8

SHA256
38a86ccf58f68c6bd4048a1e63cd520028e07936218975738e740a0d3c6a00c4

SHA512
84ef6e877e65adea6fba4f7a65cd1ba70830322266ecd3c13c2a2446eab28da989fe76b0b65f9462f443c8efb7da713f1886f319e8348ddaff14838928a1e3ea

Download Submit
\??\pipe\LOCAL\crashpad_428_CQPJDELSFJHCUEIC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit