hxxps://phimno4[.]xyz/phim/benh-dich-ma-ca-rong-phan-1-4176/

Analysis

max time kernel
83s
max time network
85s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 10:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://phimno4.xyz/phim/benh-dich-ma-ca-rong-phan-1-4176/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4008	msedge.exe
4008	msedge.exe
3604	msedge.exe
3604	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 4276	3604	msedge.exe	84
PID 3604 wrote to memory of 4276	3604	msedge.exe	84
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 400	3604	msedge.exe	85
PID 3604 wrote to memory of 4008	3604	msedge.exe	86
PID 3604 wrote to memory of 4008	3604	msedge.exe	86
PID 3604 wrote to memory of 1240	3604	msedge.exe	87
PID 3604 wrote to memory of 1240	3604	msedge.exe	87
PID 3604 wrote to memory of 1240	3604	msedge.exe	87
PID 3604 wrote to memory of 1240	3604	msedge.exe	87
PID 3604 wrote to memory of 1240	3604	msedge.exe	87
PID 3604 wrote to memory of 1240	3604	msedge.exe	87
PID 3604 wrote to memory of 1240	3604	msedge.exe	87
PID 3604 wrote to memory of 1240	3604	msedge.exe	87
PID 3604 wrote to memory of 1240	3604	msedge.exe	87
PID 3604 wrote to memory of 1240	3604	msedge.exe	87
PID 3604 wrote to memory of 1240	3604	msedge.exe	87
PID 3604 wrote to memory of 1240	3604	msedge.exe	87
PID 3604 wrote to memory of 1240	3604	msedge.exe	87
PID 3604 wrote to memory of 1240	3604	msedge.exe	87
PID 3604 wrote to memory of 1240	3604	msedge.exe	87
PID 3604 wrote to memory of 1240	3604	msedge.exe	87
PID 3604 wrote to memory of 1240	3604	msedge.exe	87
PID 3604 wrote to memory of 1240	3604	msedge.exe	87
PID 3604 wrote to memory of 1240	3604	msedge.exe	87
PID 3604 wrote to memory of 1240	3604	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://phimno4.xyz/phim/benh-dich-ma-ca-rong-phan-1-4176/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa598146f8,0x7ffa59814708,0x7ffa59814718
  2⤵
  PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,17396761400262459241,9722846081899039939,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,17396761400262459241,9722846081899039939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,17396761400262459241,9722846081899039939,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
  2⤵
  PID:1240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17396761400262459241,9722846081899039939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:2524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17396761400262459241,9722846081899039939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17396761400262459241,9722846081899039939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,17396761400262459241,9722846081899039939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,17396761400262459241,9722846081899039939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  PID:2644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17396761400262459241,9722846081899039939,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17396761400262459241,9722846081899039939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17396761400262459241,9722846081899039939,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17396761400262459241,9722846081899039939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17396761400262459241,9722846081899039939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e71d66ce903fcba6050e4b99b624fa7

SHA1
139d274762405b422eab698da8cc85f405922de5

SHA256
53b34e24e3fbb6a7f473192fc4dec2ae668974494f5636f0359b6ca27d7c65e3

SHA512
17e2f1400000dd6c54c8dc067b31bcb0a3111e44a9d2c5c779f484a51ada92d88f5b6e6847270faae8ff881117b7ceaaf8dfe9df427cbb8d9449ceacd0480388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
95558328f84cfdc08cc1b665069a13aa

SHA1
5ec6f263f7023f681081175b196184823754fb22

SHA256
1f83a769324679bc8a4c9fd26ef95f9d9a675098e3c89ceacbc89de2d9172b24

SHA512
f8ad20f236d76df2eaae2c795d75bb15806ac2bb8fda62b4ec91e65f735584d4c3e42f290da2bdbc582fb9f61e6ad86070d4bfaa8201aa4961ea8fa068bfc674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
beca875f093f25e53c12ff5b7ae7ef63

SHA1
aec8b99375f634158dae53130331ca1ee293315a

SHA256
cd5f64c4e9de413d99a6deb0a84de24a214f31959063a4fe0dd430d7f6377650

SHA512
297af8e2e6c0d4eb4fd8f71587423a98c24c968107400ff189085ccbc6f02af9318b4bdf136b7eb5ce7b275fabb2894d2dd16afc908ee504edbf7ed51b64baf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8e78b258c6997d213c0465578a31d5c5

SHA1
da2b5876b1216dece3885a662444828d4201a164

SHA256
6066f92e45a958e165297b3f8fcb9e3a3d3fc18ca34f0a879eedc8fc26fbb15a

SHA512
e3bbdbf37f492e67e6ce07565e44ec1680b748dc9142dfe4c553ebefd34c7d2b44de5b99a08ad86f1ab3984dc1b98564047e20f961f89c10d98c943c23240f72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
40d176a1e1f3d39c940d45ae577dd648

SHA1
0e37c6775bcf2ed703456f4762ce92054c66f1f2

SHA256
2d0e7e51ea61cc213c9e917f2f4d01dd0077eadaf95306cf003f4b331e512896

SHA512
78086be5b6c001ee4c7471230d04b4658c72240acf7c0e0ef701cef13b3792ff9bc1cef13f5c62262e38323939c3e95bd302acce581c6d7ecd3f3c34f58a7681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1887988fad674d6c6f99a8c07b01976c

SHA1
910f5d1cc597bdbdc5b712b37afcf32aedd6bf98

SHA256
8d8a2741ca09cff39a88e9f39b7a84b912ee60435644838aaa81ee2cf032899e

SHA512
c6f00c3ce974b974b1ce9024d98e6c373ce22158696219a81d54da97f65feff9865f99a0e322b87a6a7e80afa86f0fb65bb57e9cd10ddc3cababbf044e94f995

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
1b1b142e24215f033793d1311e24f6e6

SHA1
74e23cffbf03f3f0c430e6f4481e740c55a48587

SHA256
3dca3ec65d1f4109c6b66a1a47b2477afaf8d15306a523f297283da0eccbe8b1

SHA512
a569385710e3a0dc0d6366476c457927a847a2b2298c839e423c485f7dcce2468a58d20133f6dc81913056fb579957e67f63cf1e20b910d61816210447cd1f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
012d5c572d37ab6dfd0a7f33d442236b

SHA1
ae58226bb6e03441383b193c41b5d567ed076b47

SHA256
a3d17204851e9a093c47efd83d435b26db4f8ad5a7dfe9243624113c89f57157

SHA512
ec18dddbf09ea2f5f87cf02c0e11f554852874c93370faa1cbb1f5072cb85d2b3d591f3f5d0c94ec4ab45b55b94dffb5a65c7b475a04c6b5c16b8175ef4d4c93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c20b10285071c1325790901763b0a75d

SHA1
10b79abc0dcdaf8e59538f12f2503b924b5ce6f0

SHA256
4996f490ffa691fbdd3dd21929c529506cd350c834927720949dc45bdabbf7ad

SHA512
6cc3370f25ccf0acc02d09f2f4fa7f22fbd71e75bdf2f648903420f449aef890246f7e58e2ad66c760a85d884a70f2cae7883bef4f60afeae1acf6f4670539c3

Download Submit