hxxp://www[.]capitalit-eg[.]com/

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 14:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://www.capitalit-eg.com/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1876	msedge.exe
1876	msedge.exe
728	msedge.exe
728	msedge.exe
1884	identity_helper.exe
1884	identity_helper.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 728 wrote to memory of 4136	728	msedge.exe	85
PID 728 wrote to memory of 4136	728	msedge.exe	85
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 952	728	msedge.exe	88
PID 728 wrote to memory of 1876	728	msedge.exe	86
PID 728 wrote to memory of 1876	728	msedge.exe	86
PID 728 wrote to memory of 1924	728	msedge.exe	87
PID 728 wrote to memory of 1924	728	msedge.exe	87
PID 728 wrote to memory of 1924	728	msedge.exe	87
PID 728 wrote to memory of 1924	728	msedge.exe	87
PID 728 wrote to memory of 1924	728	msedge.exe	87
PID 728 wrote to memory of 1924	728	msedge.exe	87
PID 728 wrote to memory of 1924	728	msedge.exe	87
PID 728 wrote to memory of 1924	728	msedge.exe	87
PID 728 wrote to memory of 1924	728	msedge.exe	87
PID 728 wrote to memory of 1924	728	msedge.exe	87
PID 728 wrote to memory of 1924	728	msedge.exe	87
PID 728 wrote to memory of 1924	728	msedge.exe	87
PID 728 wrote to memory of 1924	728	msedge.exe	87
PID 728 wrote to memory of 1924	728	msedge.exe	87
PID 728 wrote to memory of 1924	728	msedge.exe	87
PID 728 wrote to memory of 1924	728	msedge.exe	87
PID 728 wrote to memory of 1924	728	msedge.exe	87
PID 728 wrote to memory of 1924	728	msedge.exe	87
PID 728 wrote to memory of 1924	728	msedge.exe	87
PID 728 wrote to memory of 1924	728	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.capitalit-eg.com/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbbda246f8,0x7ffbbda24708,0x7ffbbda24718
  2⤵
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,9540833532104129030,10397843150910149649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,9540833532104129030,10397843150910149649,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
  2⤵
  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,9540833532104129030,10397843150910149649,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9540833532104129030,10397843150910149649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9540833532104129030,10397843150910149649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,9540833532104129030,10397843150910149649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1884
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,9540833532104129030,10397843150910149649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
  2⤵
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9540833532104129030,10397843150910149649,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9540833532104129030,10397843150910149649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1
  2⤵
  PID:4168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9540833532104129030,10397843150910149649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9540833532104129030,10397843150910149649,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4528 /prefetch:1
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9540833532104129030,10397843150910149649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,9540833532104129030,10397843150910149649,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5020 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2240

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e71d66ce903fcba6050e4b99b624fa7

SHA1
139d274762405b422eab698da8cc85f405922de5

SHA256
53b34e24e3fbb6a7f473192fc4dec2ae668974494f5636f0359b6ca27d7c65e3

SHA512
17e2f1400000dd6c54c8dc067b31bcb0a3111e44a9d2c5c779f484a51ada92d88f5b6e6847270faae8ff881117b7ceaaf8dfe9df427cbb8d9449ceacd0480388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
624B

MD5
b4cdd17d34c8794371e873d94d4e2cb0

SHA1
b5d92c39c40bbe3360d12aed6dd4b9919ca76e05

SHA256
88093d7957259ff16476d424bcdd8d3baa910e37f4f1da6744d4df6de6622ed5

SHA512
916967f0bdc3f812e4fd61a7be9298bace95e57cef170b5e124a775c2463ec3e66844d72f5e0e0daf14578c0dc5eb6ab03c1a0078c0283aba489c733cc8b082b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
e5ec0f6ea11b36f891ae10410e7c6a02

SHA1
4c1b130774ba1f19052ba5d3165e486fa088749d

SHA256
bb7f7439d848c6775a1bf5b9fb4e118cc4a13d64b8a71d55be6beb2b0a48e636

SHA512
8c16b8c82c2c833990bac9c0356d09941fe30c07321959fb6bd0cfe4d57f826ed16ec66d91983b2ab9ae9b362a17fc0af82e98dee3497d5f90c3e361b505e57b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
715c282a08815806007209f27fb264ab

SHA1
286f1e8bac561ac50c74bad9d05643fb116320b7

SHA256
5d1786a837feb1b9175443b51a3fd921d2d0fad61fe5a6d3db5ba7d182325d43

SHA512
b6cc8c1ce7c0cc47555d10daca7a1bb1fa0701ae656eeed43e1f0fe44cda0f472c273b5f66c3eae62c09c936707e70d07349d2b50480f851de0d1b5526b22b48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
552865933b8f1ddcce30dd20c7b8d256

SHA1
61a6b80850a9a649f90d05e88d9bec989a747fda

SHA256
5f9298846760f1f3220a6e42ec1c2c1cbb66e426f0761feb11027e9741cbdd6e

SHA512
976693d7418dc6bf025b6c2e9cd0f1e7a69503305c881544b41fc719b22f0c802c580eb109930f326c8fdd8878ef8ce58902e80c210820330466651ae8dbcb55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f8e75daef0269c1c3627c2bd052f17ee

SHA1
042a2314a57c69c0fd7bbe44c5631bd7dff853c7

SHA256
1dd76fed97e772f71bac7dae2aa6054a29af12d9e2c804d28fbaa8a2a793cfb4

SHA512
6217b705efd430951bdb21b53dfb6f1a8ff0948dc18e679ac9666f3b4f83f1717d7d8b5ecf72a4655c2f4192a97cc373033b9932d2fee4e90fccd83ff0a81405

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
1b1b142e24215f033793d1311e24f6e6

SHA1
74e23cffbf03f3f0c430e6f4481e740c55a48587

SHA256
3dca3ec65d1f4109c6b66a1a47b2477afaf8d15306a523f297283da0eccbe8b1

SHA512
a569385710e3a0dc0d6366476c457927a847a2b2298c839e423c485f7dcce2468a58d20133f6dc81913056fb579957e67f63cf1e20b910d61816210447cd1f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b177c797-fc76-4281-a1b5-136554a31c5d.tmp

Filesize
6KB

MD5
3f4b2ee5c66608c4b7aaa5b4114e7ac8

SHA1
c4ca61460779db4fc3615af123859ee644f3c295

SHA256
71d83bc909789ed8a692ede2ee33ea9e9d80441b8ee4f795aa81279c6db8ed2a

SHA512
53d97dbaa83558834780a311fc0d8d91ed4e0d913cd95fe637e89b09370604799f457e71b712fdc2a5915e56b5b1aa971339be47391bdc85a191c45c048846d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b9ea6e612de33e0ca4c73b5b0f8d59d2

SHA1
f1505f3d77fb1f29af41b916c78dffc638a4a172

SHA256
5a030882ed1c0284efeef47769dfcac571807957d8e63b66be28bb279e884748

SHA512
9591189d84e075b8df24b10583272b1287656c1a1ed45eed4805c1114f9cf3b16a1e88deaaea5fe93c81aec699a2cbac3e83228109e2d997729449216e8844f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
061bfead3a347c0daf22d01e27ccee66

SHA1
a2b37e80942ce7cd2e6b4c680e6d29373b041999

SHA256
932b0f027b0cef2f4786fa611645d909225528968512e7cc8b4540d02581d77a

SHA512
48440a530be76d8eabe82c612b7cc40f76d0c7027871f08ddeb85043d9cbf969506bf1b042fa68514071f86c0aa318ed7597bb01d5fe7987a31dcb3b48499b16

Download Submit