Resubmissions
14-02-2024 17:05
240214-vl6g3sgc5t 1014-02-2024 17:05
240214-vlyr8shb93 114-02-2024 17:00
240214-vh4jbagb5w 814-02-2024 16:55
240214-vfga1aga7x 1014-02-2024 16:52
240214-vdlgyagh93 1Analysis
-
max time kernel
146s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
14-02-2024 17:05
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://malc0de.com/database/
Resource
win10v2004-20231215-en
General
-
Target
https://malc0de.com/database/
Malware Config
Signatures
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 2252 msedge.exe 2252 msedge.exe 2392 msedge.exe 2392 msedge.exe 3980 identity_helper.exe 3980 identity_helper.exe 1816 msedge.exe 1816 msedge.exe 1816 msedge.exe 1816 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid Process 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2392 wrote to memory of 1592 2392 msedge.exe 59 PID 2392 wrote to memory of 1592 2392 msedge.exe 59 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 4380 2392 msedge.exe 87 PID 2392 wrote to memory of 2252 2392 msedge.exe 85 PID 2392 wrote to memory of 2252 2392 msedge.exe 85 PID 2392 wrote to memory of 3032 2392 msedge.exe 86 PID 2392 wrote to memory of 3032 2392 msedge.exe 86 PID 2392 wrote to memory of 3032 2392 msedge.exe 86 PID 2392 wrote to memory of 3032 2392 msedge.exe 86 PID 2392 wrote to memory of 3032 2392 msedge.exe 86 PID 2392 wrote to memory of 3032 2392 msedge.exe 86 PID 2392 wrote to memory of 3032 2392 msedge.exe 86 PID 2392 wrote to memory of 3032 2392 msedge.exe 86 PID 2392 wrote to memory of 3032 2392 msedge.exe 86 PID 2392 wrote to memory of 3032 2392 msedge.exe 86 PID 2392 wrote to memory of 3032 2392 msedge.exe 86 PID 2392 wrote to memory of 3032 2392 msedge.exe 86 PID 2392 wrote to memory of 3032 2392 msedge.exe 86 PID 2392 wrote to memory of 3032 2392 msedge.exe 86 PID 2392 wrote to memory of 3032 2392 msedge.exe 86 PID 2392 wrote to memory of 3032 2392 msedge.exe 86 PID 2392 wrote to memory of 3032 2392 msedge.exe 86 PID 2392 wrote to memory of 3032 2392 msedge.exe 86 PID 2392 wrote to memory of 3032 2392 msedge.exe 86 PID 2392 wrote to memory of 3032 2392 msedge.exe 86
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://malc0de.com/database/1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbf97646f8,0x7ffbf9764708,0x7ffbf97647182⤵PID:1592
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,3159358662414869007,2681705261958878584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:2252
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,3159358662414869007,2681705261958878584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:82⤵PID:3032
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,3159358662414869007,2681705261958878584,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:22⤵PID:4380
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,3159358662414869007,2681705261958878584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:12⤵PID:968
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,3159358662414869007,2681705261958878584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:12⤵PID:2220
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,3159358662414869007,2681705261958878584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:12⤵PID:1280
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,3159358662414869007,2681705261958878584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:82⤵PID:3256
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,3159358662414869007,2681705261958878584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3980
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,3159358662414869007,2681705261958878584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:12⤵PID:3744
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,3159358662414869007,2681705261958878584,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:12⤵PID:5004
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,3159358662414869007,2681705261958878584,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:12⤵PID:4960
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,3159358662414869007,2681705261958878584,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2032 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:1816
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5080
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1200
Network
-
Remote address:8.8.8.8:53Request232.168.11.51.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestmalc0de.comIN AResponsemalc0de.comIN A208.113.221.91
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request91.221.113.208.in-addr.arpaIN PTRResponse91.221.113.208.in-addr.arpaIN PTRapache2-vatbedford dreamhostcom
-
Remote address:8.8.8.8:53Request187.178.17.96.in-addr.arpaIN PTRResponse187.178.17.96.in-addr.arpaIN PTRa96-17-178-187deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request16.53.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request228.249.119.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request209.205.72.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request86.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request18.31.95.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request217.135.221.88.in-addr.arpaIN PTRResponse217.135.221.88.in-addr.arpaIN PTRa88-221-135-217deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request0.205.248.87.in-addr.arpaIN PTRResponse0.205.248.87.in-addr.arpaIN PTRhttps-87-248-205-0lgwllnwnet
-
Remote address:8.8.8.8:53Request21.236.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request8.167.79.40.in-addr.arpaIN PTRResponse
-
72 B 158 B 1 1
DNS Request
232.168.11.51.in-addr.arpa
-
57 B 73 B 1 1
DNS Request
malc0de.com
DNS Response
208.113.221.91
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
73 B 120 B 1 1
DNS Request
91.221.113.208.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
187.178.17.96.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
16.53.126.40.in-addr.arpa
-
457 B 7
-
73 B 159 B 1 1
DNS Request
228.249.119.40.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
209.205.72.20.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
86.23.85.13.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
18.31.95.13.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
217.135.221.88.in-addr.arpa
-
71 B 116 B 1 1
DNS Request
0.205.248.87.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
21.236.111.52.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
8.167.79.40.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5011193d03a2492ca44f9a78bdfb8caa5
SHA171c9ead344657b55b635898851385b5de45c7604
SHA256d21f642fdbc0f194081ffdd6a3d51b2781daef229ae6ba54c336156825b247a0
SHA512239c7d603721c694b7902996ba576c9d56acddca4e2e7bbe500039d26d0c6edafbbdc2d9f326f01d71e162872d6ff3247366481828e0659703507878ed3dd210
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
5KB
MD5c9fdd5103e18374ba042e22671ddc165
SHA1711dc34347ecfb92aa1d00c7ea7c833a0bb94058
SHA256bcdfad852c67c392b3d0a4b65588a883589c8104807b7e02c4f76daabddf1390
SHA512badec87dc8747df9363a6c19339be4110dc56e919b4a4ad1fb2f3251943c9d1177597fd37a034bf9c86058ad6cb9607864a182ad200b68f4c08e72ae10047018
-
Filesize
5KB
MD51bc3fa2ed2b793350d5b90bc8c268be0
SHA1daf89b61d811ec541a1415aa083d102ef7aa3d55
SHA25690653009458c40c7e8d084edd6af63c401b3bf8bcd1306ad8dc27f7fc974bc04
SHA512114568e8f163117db45176d7943bbf29d6c7f6a7ad88bb8f2340dd71ae656d952bd78dd607b7c6d8ac9d42a56c49aab4814f78e87f5a1098e1d053467c470775
-
Filesize
24KB
MD5f5b764fa779a5880b1fbe26496fe2448
SHA1aa46339e9208e7218fb66b15e62324eb1c0722e8
SHA25697de05bd79a3fd624c0d06f4cb63c244b20a035308ab249a5ef3e503a9338f3d
SHA5125bfc27e6164bcd0e42cd9aec04ba6bf3a82113ba4ad85aa5d34a550266e20ea6a6e55550ae669af4c2091319e505e1309d27b7c50269c157da0f004d246fe745
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5647f711f664aec6047f05f0e377d7a4f
SHA1232783adebdc91c35b9cacbb0b99f34712312439
SHA25622d7824cfb13de562b443fe0723d4a4bd127f04c569192f4cb07705d303b84d9
SHA5127ed036650a87ae2a54b9d9fc111634a0609819ef03a5eecea17761d770403768e14aa092acd351e153f4c9b9366ae06b95c10f09c93fadf3f20c818d4c39ae36