hxxps://csgobeta[.]ru/

Analysis

max time kernel
31s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
17-02-2024 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://csgobeta.ru/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4748	msedge.exe
4748	msedge.exe
552	msedge.exe
552	msedge.exe
1688	identity_helper.exe
1688	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 2452	552	msedge.exe	84
PID 552 wrote to memory of 2452	552	msedge.exe	84
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 2092	552	msedge.exe	85
PID 552 wrote to memory of 4748	552	msedge.exe	86
PID 552 wrote to memory of 4748	552	msedge.exe	86
PID 552 wrote to memory of 2536	552	msedge.exe	87
PID 552 wrote to memory of 2536	552	msedge.exe	87
PID 552 wrote to memory of 2536	552	msedge.exe	87
PID 552 wrote to memory of 2536	552	msedge.exe	87
PID 552 wrote to memory of 2536	552	msedge.exe	87
PID 552 wrote to memory of 2536	552	msedge.exe	87
PID 552 wrote to memory of 2536	552	msedge.exe	87
PID 552 wrote to memory of 2536	552	msedge.exe	87
PID 552 wrote to memory of 2536	552	msedge.exe	87
PID 552 wrote to memory of 2536	552	msedge.exe	87
PID 552 wrote to memory of 2536	552	msedge.exe	87
PID 552 wrote to memory of 2536	552	msedge.exe	87
PID 552 wrote to memory of 2536	552	msedge.exe	87
PID 552 wrote to memory of 2536	552	msedge.exe	87
PID 552 wrote to memory of 2536	552	msedge.exe	87
PID 552 wrote to memory of 2536	552	msedge.exe	87
PID 552 wrote to memory of 2536	552	msedge.exe	87
PID 552 wrote to memory of 2536	552	msedge.exe	87
PID 552 wrote to memory of 2536	552	msedge.exe	87
PID 552 wrote to memory of 2536	552	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://csgobeta.ru/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbbad946f8,0x7ffbbad94708,0x7ffbbad94718
  2⤵
  PID:2452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,2309424346787172591,3234335032072238973,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
  2⤵
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,2309424346787172591,3234335032072238973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,2309424346787172591,3234335032072238973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
  2⤵
  PID:2536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2309424346787172591,3234335032072238973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2309424346787172591,3234335032072238973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2309424346787172591,3234335032072238973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
  2⤵
  PID:3876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2309424346787172591,3234335032072238973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
  2⤵
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,2309424346787172591,3234335032072238973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,2309424346787172591,3234335032072238973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2309424346787172591,3234335032072238973,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
  2⤵
  PID:2004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2309424346787172591,3234335032072238973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2309424346787172591,3234335032072238973,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1
  2⤵
  PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2309424346787172591,3234335032072238973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:4072

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1256

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eb20b5930f48aa090358398afb25b683

SHA1
4892c8b72aa16c5b3f1b72811bf32b89f2d13392

SHA256
2695ab23c2b43aa257f44b6943b6a56b395ea77dc24e5a9bd16acc2578168a35

SHA512
d0c6012a0059bc1bb49b2f293e6c07019153e0faf833961f646a85b992b47896092f33fdccc893334c79f452218d1542e339ded3f1b69bd8e343d232e6c3d9e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d56948e45c352e8531e4b756a2bfa480

SHA1
e89a5d3425e2a8e86d1ff0bd53990c9f27b9a653

SHA256
32814e77c56f30dc8537e9c7685185456e5dc5f24a12af49d9c2196d4bcc1a81

SHA512
ab50a0576ac6e3624843180f10df0d17aba7ec2236c99f4ffa547dc6d2a2ef24f083b336cc7ae4217f96126d53c381868a8fcf5d3dbc968d1009bc777c855927

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
efc694e47f8acd54d39b97df3744c1a6

SHA1
54749538b1db97c0134198ea739dba20f95a0729

SHA256
6abbe5a88cb8451720017f9b9da378d36d884e17d92914fe3bbcd4f2de1f21e1

SHA512
0224662c7a558cc1a3d65b6baf35f76fb86f20225434a5a89629486503900b48f6c7fadfa2066582f77dab0fe43095fe5c8ddeaeb6aaf6da6aca4e828877cc71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
2bbbdb35220e81614659f8e50e6b8a44

SHA1
7729a18e075646fb77eb7319e30d346552a6c9de

SHA256
73f853ad74a9ac44bc4edf5a6499d237c940c905d3d62ea617fbb58d5e92a8dd

SHA512
59c5c7c0fbe53fa34299395db6e671acfc224dee54c7e1e00b1ce3c8e4dfb308bf2d170dfdbdda9ca32b4ad0281cde7bd6ae08ea87544ea5324bcb94a631f899

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\c5b82bdc-44d2-4dee-aafc-41517ae360fa.tmp

Filesize
10KB

MD5
2fb3303f128026fd56203c66dda878f8

SHA1
d7412841ba67e3d30fb056164fc5b392d3bf5b8c

SHA256
fc06692de0584f5b0193c84134c4a24eeddd6969a53838485ac376d6fa37fa4d

SHA512
0e89da70283289c86e510d12467ca8c71d3ee7764799df8f1d79c389a7aa9e264f7ddaaa68a5e6019454ccc5b9bbb18e84f4ec50e0154982336392f963722826

Download Submit