hxxps://gelbooru[.]com/index[.]php?page=post&s=list&tags=all&pid=126

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-02-2024 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gelbooru.com/index.php?page=post&s=list&tags=all&pid=126

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3664	msedge.exe
3664	msedge.exe
3248	msedge.exe
3248	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3664	msedge.exe
3664	msedge.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3664 wrote to memory of 4440	3664	msedge.exe	83
PID 3664 wrote to memory of 4440	3664	msedge.exe	83
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 2616	3664	msedge.exe	85
PID 3664 wrote to memory of 3248	3664	msedge.exe	84
PID 3664 wrote to memory of 3248	3664	msedge.exe	84
PID 3664 wrote to memory of 1828	3664	msedge.exe	86
PID 3664 wrote to memory of 1828	3664	msedge.exe	86
PID 3664 wrote to memory of 1828	3664	msedge.exe	86
PID 3664 wrote to memory of 1828	3664	msedge.exe	86
PID 3664 wrote to memory of 1828	3664	msedge.exe	86
PID 3664 wrote to memory of 1828	3664	msedge.exe	86
PID 3664 wrote to memory of 1828	3664	msedge.exe	86
PID 3664 wrote to memory of 1828	3664	msedge.exe	86
PID 3664 wrote to memory of 1828	3664	msedge.exe	86
PID 3664 wrote to memory of 1828	3664	msedge.exe	86
PID 3664 wrote to memory of 1828	3664	msedge.exe	86
PID 3664 wrote to memory of 1828	3664	msedge.exe	86
PID 3664 wrote to memory of 1828	3664	msedge.exe	86
PID 3664 wrote to memory of 1828	3664	msedge.exe	86
PID 3664 wrote to memory of 1828	3664	msedge.exe	86
PID 3664 wrote to memory of 1828	3664	msedge.exe	86
PID 3664 wrote to memory of 1828	3664	msedge.exe	86
PID 3664 wrote to memory of 1828	3664	msedge.exe	86
PID 3664 wrote to memory of 1828	3664	msedge.exe	86
PID 3664 wrote to memory of 1828	3664	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gelbooru.com/index.php?page=post&s=list&tags=all&pid=126
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff866fc46f8,0x7ff866fc4708,0x7ff866fc4718
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,13989360557619595689,2087620773050302131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,13989360557619595689,2087620773050302131,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,13989360557619595689,2087620773050302131,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
  2⤵
  PID:1828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13989360557619595689,2087620773050302131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:1880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13989360557619595689,2087620773050302131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2088,13989360557619595689,2087620773050302131,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5108 /prefetch:8
  2⤵
  PID:3796

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:800

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x50c
1⤵
PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
84381d71cf667d9a138ea03b3283aea5

SHA1
33dfc8a32806beaaafaec25850b217c856ce6c7b

SHA256
32dd52cc3142b6e758bd60adead81925515b31581437472d1f61bdeda24d5424

SHA512
469bfac06152c8b0a82de28e01f7ed36dc27427205830100b1416b7cd8d481f5c4369e2ba89ef1fdd932aaf17289a8e4ede303393feab25afc1158cb931d23a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
991a294cacf4f6cab05bb0e4d3db1e52

SHA1
1f3ebe89b3f2ec26ba26bee49ac8c23fb0e944be

SHA256
4cb85f3fecafd5388c87d97b65067bdc862759638f64c8bd2fc9608aa571a933

SHA512
894333f4b6f8736d2dd709010c99387a4fe4ac3894e818f9795615386a7a4ccd3712d853f76d0e595e0daab5ef80c032196ba1c156f037b262f9dfb3ee511202

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
8c640cf309785864f205639d6c3c0407

SHA1
c3fc0a13105495442c712d0c67ce817cf53e4359

SHA256
9f07cd2f42afdd2e82acb3c02e80c301039c58b2a958d70fbbce73fd4baac8df

SHA512
118d6bc03b21852c96907dd7a21072ab3b06fbf17061434569d30e3dc6bbf40dc1fe279206c3a1fd324892974b58f62c6729fcc255339abb9c180a1ee2644422

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
29eb688192756138ae3551f30055a436

SHA1
e7e92790df5a1fb882e1c8a77ca3ddc5f0d759ef

SHA256
837c5ecf6a3e9d7a0afed02b92b17d0468af8ee2f8b872b65ab09d3e6425df4c

SHA512
637d8d35163982469e29826b2923c29866a0d821bb34f108dd07409a4fc886911553e9028a1fbcfbcb7dd6c6e691cf52db9c629194419776cbc135559629e0b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ed37ba8e52ad141c1eb2d44fc05d602f

SHA1
f9259d00437b0f08219a9e9343ae2201b995b1e6

SHA256
276f4d99e45e7252c9721f867663cd69625d977121abec28daceabdeaac7a85b

SHA512
8d747aba3935368acad8be3822f11b796943f6cf5d05471aa0803280cfc762e8a2cd9c8a9bae325e2a5d1168488e0fbd4650a45ac939f0f5ad6ad7ebb5ea4099

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
85123d7385029add5d71dfdac5a4040e

SHA1
0f7601b1740bfd232aad74efbd4cc8dfa0182018

SHA256
2be91c7177fcd042e768fd7fdfa75d3af2adc99940fd5cf0f95a3a4d6db0dd8c

SHA512
24805e36aa9e0257451f67e44e0c990bfa6349cf76c60258d0fd266cb05ebde814cefd6640b915acfbfa028c4581ee9f7ad3ffe4692c219efc72b8057299c612

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
35f77ec6332f541cd8469e0d77af0959

SHA1
abaec73284cee460025c6fcbe3b4d9b6c00f628c

SHA256
f0be4c5c99b216083bd9ee878f355e1aa508f94feb14aeebcfba4648d85563a7

SHA512
e0497dbe48503ebbf6a3c9d188b9637f80bccf9611a9e663d9e4493912d398c6b2a9eab3f506e5b524b3dabbca7bb5a88f882a117b03a3b39f43f291b59870c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ba46ec1b279a9408c4462e5e1f2ca496

SHA1
eafed7e65f682c362ff97add71f96f7507322c80

SHA256
ec0468337d04974a4b288e31c99f63bfe06c99333699b6b71c5a8909e2012ec5

SHA512
ef83bd661b2057cc01778eceacccd5e338ac319e7f4741fe9b211b29cd6c611edd181dbd505f9b80e778bd1c3f3ae8f8d6fc6ef038f4f0590cf4f5187f964733

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8228e3cd503d260343e81deead343ff7

SHA1
f5a15b42fa4c37deef7d073e080e036c85981eec

SHA256
d649e2247eeda20be542380ff91dbc1b1bc54ecef86f944a6d9dd450f565d502

SHA512
719c077d7e709b7919a5ebde65c833127d669ec57e7846171bcb3edb652fc0ddf8e5aded95c25fdb0d30974cdc56b227e9f8ac4311cd241498af3cd6e5db62db

Download Submit