hxxp://www[.]fort-napoleon-brasserie[.]be

Analysis

max time kernel
145s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20231222-en
resource tags

arch:x64arch:x86image:win11-20231222-enlocale:en-usos:windows11-21h2-x64system
submitted
26-01-2024 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.fort-napoleon-brasserie.be

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2940	msedge.exe
2940	msedge.exe
3896	msedge.exe
3896	msedge.exe
4228	msedge.exe
4228	msedge.exe
4948	identity_helper.exe
4948	identity_helper.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3896 wrote to memory of 2168	3896	msedge.exe	16
PID 3896 wrote to memory of 2168	3896	msedge.exe	16
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 4564	3896	msedge.exe	49
PID 3896 wrote to memory of 2940	3896	msedge.exe	48
PID 3896 wrote to memory of 2940	3896	msedge.exe	48
PID 3896 wrote to memory of 3128	3896	msedge.exe	47
PID 3896 wrote to memory of 3128	3896	msedge.exe	47
PID 3896 wrote to memory of 3128	3896	msedge.exe	47
PID 3896 wrote to memory of 3128	3896	msedge.exe	47
PID 3896 wrote to memory of 3128	3896	msedge.exe	47
PID 3896 wrote to memory of 3128	3896	msedge.exe	47
PID 3896 wrote to memory of 3128	3896	msedge.exe	47
PID 3896 wrote to memory of 3128	3896	msedge.exe	47
PID 3896 wrote to memory of 3128	3896	msedge.exe	47
PID 3896 wrote to memory of 3128	3896	msedge.exe	47
PID 3896 wrote to memory of 3128	3896	msedge.exe	47
PID 3896 wrote to memory of 3128	3896	msedge.exe	47
PID 3896 wrote to memory of 3128	3896	msedge.exe	47
PID 3896 wrote to memory of 3128	3896	msedge.exe	47
PID 3896 wrote to memory of 3128	3896	msedge.exe	47
PID 3896 wrote to memory of 3128	3896	msedge.exe	47
PID 3896 wrote to memory of 3128	3896	msedge.exe	47
PID 3896 wrote to memory of 3128	3896	msedge.exe	47
PID 3896 wrote to memory of 3128	3896	msedge.exe	47
PID 3896 wrote to memory of 3128	3896	msedge.exe	47

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffda6e43cb8,0x7ffda6e43cc8,0x7ffda6e43cd8
1⤵
PID:2168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.fort-napoleon-brasserie.be
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1772,11493678897581987778,16957890168131247489,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1772,11493678897581987778,16957890168131247489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1772,11493678897581987778,16957890168131247489,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1876 /prefetch:2
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,11493678897581987778,16957890168131247489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,11493678897581987778,16957890168131247489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,11493678897581987778,16957890168131247489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
  2⤵
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1772,11493678897581987778,16957890168131247489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4228
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1772,11493678897581987778,16957890168131247489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,11493678897581987778,16957890168131247489,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,11493678897581987778,16957890168131247489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,11493678897581987778,16957890168131247489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,11493678897581987778,16957890168131247489,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1772,11493678897581987778,16957890168131247489,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4720 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3240

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\92fb853f-2883-4854-a3fe-d315d0932242.tmp

Filesize
10KB

MD5
40909c19667d3366fb0dc332b4c4105b

SHA1
5e272384e14a542b9616620ea29163fd13790ebb

SHA256
5073882599b319f9c46d4d2088705f1b048293f04cd12e82032097ed25cc0900

SHA512
13dbfedaf284a6b8de4c04a6735849b9d26999773f804c5cb5fdc61b9ce09ef111d6ae3d33ce8fe1f1c377ca352fdb0ca3cd6ceb9db16359bec2aabf5cab431b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dbe72a1f5827efc08f70d06ef815d46

SHA1
6aacd61519fce53ecb92e5e61207a6c29c01f47b

SHA256
dd673404dd6deb2d2b331316370fd05e47c01b9dc489640f05b50898d536a6e3

SHA512
2e6115ca818df5f5b7985caf3ce2324e266b376f6180f84b44e9ae725e037a8456c2cd63e22b9750e2ba27f4c7460dfa429ce9910517a728b056e5f1e730e25a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
a5a52575ae5d40177190c9504f5d4f22

SHA1
02fb41953bf3193e4a3fd22912862d92a60dabc7

SHA256
239d2661d04e89b78e74ac90cde1c14245250a858581579651dda3c1f86f468f

SHA512
300469b4598f0784759b29c441cae565f47e088d71ae939cfed1646442bc519bb77b9b21801467d273cda7f88157fa548fcb17180ad2f7bd24f75876cb21f107

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
877B

MD5
cfca7d6eb4f9b349545e165e77c979e9

SHA1
81f4960649ee9304ca28261aa59f27c7dce64f78

SHA256
887e1f4e779ea44e03159eb7216a11eb7978394ee129b00d38d67f070fff7409

SHA512
47e690e8db750ba8cba2035577fd3bc759a2ba294eddb24bdff796a9eb912ad018d0f516adf0d99792b4b5c6283cf6cb81c7c43b18ad78f77a19e45329636d65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
a340d5fb83891c459fc4e69638d561b6

SHA1
57236e7a5011c5a2e4e4ad2803fd0052003196bc

SHA256
03bd13017dd15384ce17a4e3f49f11e902580e6d331ea7449e2366f8836e1621

SHA512
ae1d031f9cd8d528050683700739a9902d9ded158bffeb122e1e8edbf6d0ff2830fce2426692108960017b4629088dda4201b6bd24fcd33f827a03b104f9c295

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9d6a2a6e888d084d390b44bfaa536048

SHA1
50a6ad30a2f6cfe244175e39429e0ea94fe7eaa0

SHA256
77a5f3274b5f8c41e92617e699f2779e44a0fa3fdfa404cac75a5645c33081f4

SHA512
e1375032a9bab1505e31bf81084d0f15ada460be2158bec501823fd447b35cedf9b9a968f0385827801a1aee895d8f3c9bcf50069dea81e854cc5d46978b38ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
e5477be1e6c4cc9f570c69a84dd4f681

SHA1
fdcbdc83ccfef1c270b927c6815e641f6d96a132

SHA256
f06ab204d1d24ecd2d13e473bf807a8fc65ed09114a227966b4a308bd7eaa531

SHA512
24eb3338f0a7be6df183c5d5f22831bed07ce0779dcc124e805364a128a08f571160a6809556cd1de323c9d3cc64299855978967c8693b8324cd9bb22f5ffe14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit