Resubmissions

14-02-2024 17:05

240214-vl6g3sgc5t 10

14-02-2024 17:05

240214-vlyr8shb93 1

14-02-2024 17:00

240214-vh4jbagb5w 8

14-02-2024 16:55

240214-vfga1aga7x 10

14-02-2024 16:52

240214-vdlgyagh93 1

Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-02-2024 17:05

General

  • Target

    https://malc0de.com/database/

Score
1/10

Malware Config

Signatures

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://malc0de.com/database/
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2392
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbf97646f8,0x7ffbf9764708,0x7ffbf9764718
      2⤵
        PID:1592
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,3159358662414869007,2681705261958878584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 /prefetch:3
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2252
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,3159358662414869007,2681705261958878584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
        2⤵
          PID:3032
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,3159358662414869007,2681705261958878584,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
          2⤵
            PID:4380
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,3159358662414869007,2681705261958878584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
            2⤵
              PID:968
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,3159358662414869007,2681705261958878584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
              2⤵
                PID:2220
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,3159358662414869007,2681705261958878584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:1
                2⤵
                  PID:1280
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,3159358662414869007,2681705261958878584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8
                  2⤵
                    PID:3256
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,3159358662414869007,2681705261958878584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8
                    2⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:3980
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,3159358662414869007,2681705261958878584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
                    2⤵
                      PID:3744
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,3159358662414869007,2681705261958878584,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
                      2⤵
                        PID:5004
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,3159358662414869007,2681705261958878584,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
                        2⤵
                          PID:4960
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,3159358662414869007,2681705261958878584,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2032 /prefetch:2
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:1816
                      • C:\Windows\System32\CompPkgSrv.exe
                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                        1⤵
                          PID:5080
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:1200

                          Network

                          • flag-us
                            DNS
                            232.168.11.51.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            232.168.11.51.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            malc0de.com
                            msedge.exe
                            Remote address:
                            8.8.8.8:53
                            Request
                            malc0de.com
                            IN A
                            Response
                            malc0de.com
                            IN A
                            208.113.221.91
                          • flag-us
                            DNS
                            95.221.229.192.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            95.221.229.192.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            91.221.113.208.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            91.221.113.208.in-addr.arpa
                            IN PTR
                            Response
                            91.221.113.208.in-addr.arpa
                            IN PTR
                            apache2-vatbedford dreamhostcom
                          • flag-us
                            DNS
                            187.178.17.96.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            187.178.17.96.in-addr.arpa
                            IN PTR
                            Response
                            187.178.17.96.in-addr.arpa
                            IN PTR
                            a96-17-178-187deploystaticakamaitechnologiescom
                          • flag-us
                            DNS
                            16.53.126.40.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            16.53.126.40.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            228.249.119.40.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            228.249.119.40.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            209.205.72.20.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            209.205.72.20.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            86.23.85.13.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            86.23.85.13.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            18.31.95.13.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            18.31.95.13.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            217.135.221.88.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            217.135.221.88.in-addr.arpa
                            IN PTR
                            Response
                            217.135.221.88.in-addr.arpa
                            IN PTR
                            a88-221-135-217deploystaticakamaitechnologiescom
                          • flag-us
                            DNS
                            0.205.248.87.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            0.205.248.87.in-addr.arpa
                            IN PTR
                            Response
                            0.205.248.87.in-addr.arpa
                            IN PTR
                            https-87-248-205-0lgwllnwnet
                          • flag-us
                            DNS
                            21.236.111.52.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            21.236.111.52.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            8.167.79.40.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            8.167.79.40.in-addr.arpa
                            IN PTR
                            Response
                          • 208.113.221.91:443
                            malc0de.com
                            tls
                            msedge.exe
                            863 B
                            2.7kB
                            7
                            6
                          • 8.8.8.8:53
                            232.168.11.51.in-addr.arpa
                            dns
                            72 B
                            158 B
                            1
                            1

                            DNS Request

                            232.168.11.51.in-addr.arpa

                          • 8.8.8.8:53
                            malc0de.com
                            dns
                            msedge.exe
                            57 B
                            73 B
                            1
                            1

                            DNS Request

                            malc0de.com

                            DNS Response

                            208.113.221.91

                          • 8.8.8.8:53
                            95.221.229.192.in-addr.arpa
                            dns
                            73 B
                            144 B
                            1
                            1

                            DNS Request

                            95.221.229.192.in-addr.arpa

                          • 8.8.8.8:53
                            91.221.113.208.in-addr.arpa
                            dns
                            73 B
                            120 B
                            1
                            1

                            DNS Request

                            91.221.113.208.in-addr.arpa

                          • 8.8.8.8:53
                            187.178.17.96.in-addr.arpa
                            dns
                            72 B
                            137 B
                            1
                            1

                            DNS Request

                            187.178.17.96.in-addr.arpa

                          • 8.8.8.8:53
                            16.53.126.40.in-addr.arpa
                            dns
                            71 B
                            157 B
                            1
                            1

                            DNS Request

                            16.53.126.40.in-addr.arpa

                          • 224.0.0.251:5353
                            457 B
                            7
                          • 8.8.8.8:53
                            228.249.119.40.in-addr.arpa
                            dns
                            73 B
                            159 B
                            1
                            1

                            DNS Request

                            228.249.119.40.in-addr.arpa

                          • 8.8.8.8:53
                            209.205.72.20.in-addr.arpa
                            dns
                            72 B
                            158 B
                            1
                            1

                            DNS Request

                            209.205.72.20.in-addr.arpa

                          • 8.8.8.8:53
                            86.23.85.13.in-addr.arpa
                            dns
                            70 B
                            144 B
                            1
                            1

                            DNS Request

                            86.23.85.13.in-addr.arpa

                          • 8.8.8.8:53
                            18.31.95.13.in-addr.arpa
                            dns
                            70 B
                            144 B
                            1
                            1

                            DNS Request

                            18.31.95.13.in-addr.arpa

                          • 8.8.8.8:53
                            217.135.221.88.in-addr.arpa
                            dns
                            73 B
                            139 B
                            1
                            1

                            DNS Request

                            217.135.221.88.in-addr.arpa

                          • 8.8.8.8:53
                            0.205.248.87.in-addr.arpa
                            dns
                            71 B
                            116 B
                            1
                            1

                            DNS Request

                            0.205.248.87.in-addr.arpa

                          • 8.8.8.8:53
                            21.236.111.52.in-addr.arpa
                            dns
                            72 B
                            158 B
                            1
                            1

                            DNS Request

                            21.236.111.52.in-addr.arpa

                          • 8.8.8.8:53
                            8.167.79.40.in-addr.arpa
                            dns
                            70 B
                            144 B
                            1
                            1

                            DNS Request

                            8.167.79.40.in-addr.arpa

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                            Filesize

                            152B

                            MD5

                            011193d03a2492ca44f9a78bdfb8caa5

                            SHA1

                            71c9ead344657b55b635898851385b5de45c7604

                            SHA256

                            d21f642fdbc0f194081ffdd6a3d51b2781daef229ae6ba54c336156825b247a0

                            SHA512

                            239c7d603721c694b7902996ba576c9d56acddca4e2e7bbe500039d26d0c6edafbbdc2d9f326f01d71e162872d6ff3247366481828e0659703507878ed3dd210

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                            Filesize

                            111B

                            MD5

                            285252a2f6327d41eab203dc2f402c67

                            SHA1

                            acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

                            SHA256

                            5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

                            SHA512

                            11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                            Filesize

                            5KB

                            MD5

                            c9fdd5103e18374ba042e22671ddc165

                            SHA1

                            711dc34347ecfb92aa1d00c7ea7c833a0bb94058

                            SHA256

                            bcdfad852c67c392b3d0a4b65588a883589c8104807b7e02c4f76daabddf1390

                            SHA512

                            badec87dc8747df9363a6c19339be4110dc56e919b4a4ad1fb2f3251943c9d1177597fd37a034bf9c86058ad6cb9607864a182ad200b68f4c08e72ae10047018

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                            Filesize

                            5KB

                            MD5

                            1bc3fa2ed2b793350d5b90bc8c268be0

                            SHA1

                            daf89b61d811ec541a1415aa083d102ef7aa3d55

                            SHA256

                            90653009458c40c7e8d084edd6af63c401b3bf8bcd1306ad8dc27f7fc974bc04

                            SHA512

                            114568e8f163117db45176d7943bbf29d6c7f6a7ad88bb8f2340dd71ae656d952bd78dd607b7c6d8ac9d42a56c49aab4814f78e87f5a1098e1d053467c470775

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

                            Filesize

                            24KB

                            MD5

                            f5b764fa779a5880b1fbe26496fe2448

                            SHA1

                            aa46339e9208e7218fb66b15e62324eb1c0722e8

                            SHA256

                            97de05bd79a3fd624c0d06f4cb63c244b20a035308ab249a5ef3e503a9338f3d

                            SHA512

                            5bfc27e6164bcd0e42cd9aec04ba6bf3a82113ba4ad85aa5d34a550266e20ea6a6e55550ae669af4c2091319e505e1309d27b7c50269c157da0f004d246fe745

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                            Filesize

                            16B

                            MD5

                            6752a1d65b201c13b62ea44016eb221f

                            SHA1

                            58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                            SHA256

                            0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                            SHA512

                            9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                            Filesize

                            10KB

                            MD5

                            647f711f664aec6047f05f0e377d7a4f

                            SHA1

                            232783adebdc91c35b9cacbb0b99f34712312439

                            SHA256

                            22d7824cfb13de562b443fe0723d4a4bd127f04c569192f4cb07705d303b84d9

                            SHA512

                            7ed036650a87ae2a54b9d9fc111634a0609819ef03a5eecea17761d770403768e14aa092acd351e153f4c9b9366ae06b95c10f09c93fadf3f20c818d4c39ae36

                          We care about your privacy.

                          This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.