Analysis
max time kernel: 45s
max time network: 48s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-02-2024 20:06

Tasks
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://chat.openai.com/share/e4c3b4df-ca92-46e4-8774-46bda5b52bd8
Resource: win10v2004-20231215-en

General
Target: https://chat.openai.com/share/e4c3b4df-ca92-46e4-8774-46bda5b52bd8

Malware Config
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
description       | ioc                                                                   | process
Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  | msedge.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
pid  | process
4092 | msedge.exe
4092 | msedge.exe
4600 | msedge.exe
4600 | msedge.exe
2604 | identity_helper.exe
2604 | identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
Processes:
pid  | process
4600 | msedge.exe
4600 | msedge.exe
4600 | msedge.exe

Suspicious use of FindShellTrayWindow (34 IoCs)
Processes:
pid  | process
4600 | msedge.exe   (the same entry is listed 34 times)

Suspicious use of SendNotifyMessage (32 IoCs)
Processes:
pid  | process
4600 | msedge.exe   (the same entry is listed 32 times)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description                      | pid  | process    | target process
PID 4600 wrote to memory of 2908 | 4600 | msedge.exe | msedge.exe   (2 entries)
PID 4600 wrote to memory of 4492 | 4600 | msedge.exe | msedge.exe   (repeated many times)
PID 4600 wrote to memory of 4092 | 4600 | msedge.exe | msedge.exe   (2 entries)
PID 4600 wrote to memory of 1688 | 4600 | msedge.exe | msedge.exe   (repeated many times)
(64 entries in total across the four target PIDs; every row has pid 4600 msedge.exe as the writing process)
Processes

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://chat.openai.com/share/e4c3b4df-ca92-46e4-8774-46bda5b52bd8
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef72146f8,0x7ffef7214708,0x7ffef7214718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,10445034268619037420,188573042957301647,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,10445034268619037420,188573042957301647,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,10445034268619037420,188573042957301647,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10445034268619037420,188573042957301647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10445034268619037420,188573042957301647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10445034268619037420,188573042957301647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,10445034268619037420,188573042957301647,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,10445034268619037420,188573042957301647,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses

- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network

MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5:    4d6e17218d9a99976d1a14c6f6944c96
  SHA1:   9e54a19d6c61d99ac8759c5f07b2f0d5faab447f
  SHA256: 32e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93
  SHA512: 3fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 336B
  MD5:    9d0c0cb6a76c6ed9dd8b9d8bb6a6ab2a
  SHA1:   c69e37cab8270e8e1deb54029047c5f9b1ab0d70
  SHA256: 9f95797c509c1e38192f7f8af5bf1805a2f4ea3051a05af8f2bb8004495a0e66
  SHA512: bbc91d0bdd36e4a8ee7679daa28ac332dfa29352f33245598a6f599962266c3cccdc7884e1b0dea15a3bdc7c77cb7b013ac5e3b318d1e289ad29e3683b0b8c86

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 1KB
  MD5:    5a92191ed64ef26cf7ceb52182304091
  SHA1:   ba5bbb21fa50077fd6915e31110c74f3027d3f39
  SHA256: 9ea86aff14a14091d14e5bd23c5a4ab5931ea354b68e3774f3707b05d30fba6a
  SHA512: 3390503c61d7767371f70d6851191b69f0fadda5e52ff6b4e652d10de4690ada74de5258798391277758aed2a96f97833f3110890ad4a328dd53ba076dbf2a79

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 111B
  MD5:    285252a2f6327d41eab203dc2f402c67
  SHA1:   acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5:    d24fefcb872dd8f07de4f39f06ad9dfa
  SHA1:   08d0e48167cf643b936a8369234b4399e35f0fb7
  SHA256: 67c7676a25a95d1703d3b617b190d0ee373af2e5f16313b6b757586d44e6b1aa
  SHA512: d96ce546a46760304b549705fc6ac96ee97713a6d7846cc492203849da25e4a52ba47f686aff4fd1126e1ad432fc1ca763e3f432488f4125e00725070a796d03

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5:    f35a5cfea8ae3577c5e191e412e5780b
  SHA1:   4d986d9a144387cdc7804087a3c1dd198ddf974a
  SHA256: 0560e6b48587b7ecac07280b9199da3de2321e7381a62805e477cc7463b8322c
  SHA512: 7adc78f81c01cffa076455ca54a41dbd0b53fae1025dfbf4d4b24ac1d5e21fe9007e997b6e22f9bfd4be0f2797faedd12dd922b7943354cda62abdb351edcb68

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5:    6c8373dc64f62c68d5346511a6ef3eac
  SHA1:   88d764625996747cb2313d4f48ec077d60bcd96e
  SHA256: 7089ed3a2a1cf66bad5a94915e4c776b4d787411874e0f510597338c03e0bfca
  SHA512: 8264d5620a318f9413f0a77cee5ac206818c1e7b36b9636a8844b2a06c938a4fb4cfd9819b54183cad53b72e7ca0b5e609ebaf795e5d738e8361c6e5ab2de873

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
  Filesize: 24KB
  MD5:    c2ef1d773c3f6f230cedf469f7e34059
  SHA1:   e410764405adcfead3338c8d0b29371fd1a3f292
  SHA256: 185450d538a894e4dcf55b428f506f3d7baa86664fbbc67afd6c255b65178521
  SHA512: 2ef93803da4d630916bed75d678382fd1c72bff1700a1a72e2612431c6d5e11410ced4eaf522b388028aeadb08e8a77513e16594e6ab081f6d6203e4caa7d549

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 702B
  MD5:    6c4b971923b5240db41fec7d2bcb6a5f
  SHA1:   fa51dd2b1a5a27568c4f5de230c3d936e2eecce6
  SHA256: a5fb8bc727dd4b70e00f1bb2f03861216d7227755a80d944a7f73e1bee058db7
  SHA512: ac1bab87ee6ccdd43b33b1fb3e769e053cb967666bca24b31d77519ea56538c54247420646877a213dd508f13bdd0e7653c106e6e92765c2d2a196f29a218e08

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 702B
  MD5:    04d6c01eb5b513964741c6473412492d
  SHA1:   ce3203a470bb022c8f997a324eeaa1e2ce9b157c
  SHA256: 039d1b940b5dd0606718eb9872f06fa4386a181e0e286fb8847d9c5a99485542
  SHA512: d7d2d53ff582e97381fb657a58a450b59d41306f7199ea47189c5fcdd1dd025857e2f26156d8e23113e2b6dcb4ebcf13f760021f12179d6127876f3d1bab6d0d

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a24b.TMP
  Filesize: 704B
  MD5:    9516e350a6fe9a24be5f1fece8d78d3a
  SHA1:   35e1d8a6339e6dea611a041c755d4a959ad8c086
  SHA256: c802af537b2f7517787857098c8ffa620ef29fb7e8a596a661c5f1422c6f8690
  SHA512: 0aa133203941e346cfdad138a3482553fb2202aa956f0614fff1d999b405061614132a7cb1af55fa413dff910e0d260eab4a92e84ad63e11dc2b133b9572cc5e

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5:    6752a1d65b201c13b62ea44016eb221f
  SHA1:   58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 10KB
  MD5:    24d77f077aee5adf99eb3b53734d140b
  SHA1:   3b9dd257d6f1e415867d7c47a0b6a9dd2958afb4
  SHA256: df9d2228fd487beb908e56ec09d8cf3cb53b09c9c9d49214c80b4bcacb87fdd9
  SHA512: 431e35a7cd439e38db050f8a7f25986191790e0c6b6aa996e76c619a6c4bfc5a9b1218f1603ac2b51a1941bf4d5b07726638cd267b8830e274d9e1d1a8d4a038

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 10KB
  MD5:    3694732509c9e1b73bead1a97e99be6e
  SHA1:   460154a2ca0b37b8a19a199a5e70c55cc8772745
  SHA256: 0536e9a6fd36acc403c0f10cbc1cf2d0229079bd1b78cc53428a833199423ff4
  SHA512: 4140e437ec3c92c992b7667aa2b75275a85b3e730129fb2d9691f476dcdc7ae2a291863e862e24b1affde620e85374701cb11df78f80b58899a4c8304a137ef8

- \??\pipe\LOCAL\crashpad_4600_TSGVRRCIKBPYKMGM
  (no filesize reported; the hashes below are those of empty input)
  MD5:    d41d8cd98f00b204e9800998ecf8427e
  SHA1:   da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e