hxxps://www[.]youtube[.]com/channel/UCBcVLfbsZEDQgpF-p7c8sYg

Resubmissions

20/02/2024, 01:30

240220-bwy17sgg2v 1

20/02/2024, 01:29

240220-bwrxwsgf9x 1

Analysis

max time kernel
1174s
max time network
1176s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
20/02/2024, 01:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/channel/UCBcVLfbsZEDQgpF-p7c8sYg

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4504	msedge.exe
4504	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
3140	msedge.exe
3140	msedge.exe
1928	identity_helper.exe
1928	identity_helper.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 2764	4368	msedge.exe	74
PID 4368 wrote to memory of 2764	4368	msedge.exe	74
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 2032	4368	msedge.exe	80
PID 4368 wrote to memory of 4504	4368	msedge.exe	81
PID 4368 wrote to memory of 4504	4368	msedge.exe	81
PID 4368 wrote to memory of 1004	4368	msedge.exe	82
PID 4368 wrote to memory of 1004	4368	msedge.exe	82
PID 4368 wrote to memory of 1004	4368	msedge.exe	82
PID 4368 wrote to memory of 1004	4368	msedge.exe	82
PID 4368 wrote to memory of 1004	4368	msedge.exe	82
PID 4368 wrote to memory of 1004	4368	msedge.exe	82
PID 4368 wrote to memory of 1004	4368	msedge.exe	82
PID 4368 wrote to memory of 1004	4368	msedge.exe	82
PID 4368 wrote to memory of 1004	4368	msedge.exe	82
PID 4368 wrote to memory of 1004	4368	msedge.exe	82
PID 4368 wrote to memory of 1004	4368	msedge.exe	82
PID 4368 wrote to memory of 1004	4368	msedge.exe	82
PID 4368 wrote to memory of 1004	4368	msedge.exe	82
PID 4368 wrote to memory of 1004	4368	msedge.exe	82
PID 4368 wrote to memory of 1004	4368	msedge.exe	82
PID 4368 wrote to memory of 1004	4368	msedge.exe	82
PID 4368 wrote to memory of 1004	4368	msedge.exe	82
PID 4368 wrote to memory of 1004	4368	msedge.exe	82
PID 4368 wrote to memory of 1004	4368	msedge.exe	82
PID 4368 wrote to memory of 1004	4368	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UCBcVLfbsZEDQgpF-p7c8sYg
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe55933cb8,0x7ffe55933cc8,0x7ffe55933cd8
  2⤵
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,1331484742897109074,5131219152216259835,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2
  2⤵
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,1331484742897109074,5131219152216259835,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,1331484742897109074,5131219152216259835,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
  2⤵
  PID:1004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,1331484742897109074,5131219152216259835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,1331484742897109074,5131219152216259835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,1331484742897109074,5131219152216259835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4544 /prefetch:1
  2⤵
  PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,1331484742897109074,5131219152216259835,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,1331484742897109074,5131219152216259835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
  2⤵
  PID:1384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,1331484742897109074,5131219152216259835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
  2⤵
  PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,1331484742897109074,5131219152216259835,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:3784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,1331484742897109074,5131219152216259835,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,1331484742897109074,5131219152216259835,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,1331484742897109074,5131219152216259835,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5500 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1972

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3ac94e49addbb0b2b78b1cc0c4fdc41a

SHA1
41dda9076097a81d24a814805f80979eb5736a72

SHA256
259e79a3a5696dd704f943a3146b6622715c38d269751ea5b90c4858aeecaec5

SHA512
9890dd31736bf96b3669a9ba135e029d02a0245e31795f71f15bdb79066e95f8d43233643a78e1a36780b6983d88a5a82f71a07eb91133d9319c014e935fc9fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
dfe87fc56b9c0257aa19519a9fb14efa

SHA1
8cc887c2740c59fd18893e7f5c3f4f6815d6390b

SHA256
b5bbce58a64fdb3ec129631a9572957c60cda27ab94dde68588f4d2953a3f631

SHA512
bf139b3de86e6f2d295fb6df5ee137d5bb6bafa8d8e67c854bce55244ad4bd4c961a05c494d5394b63c054e8b91b6acf3cc8abd408617a09ea710fa4b48c55ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
bec17701dcaec01c7efe4f5e4906062b

SHA1
101966688f90df27ec5244689b4a03a9086a8d67

SHA256
57ac42f8293d505e5b388cd3025b54e3735fa4cefbf332eab73ed26e417ae64d

SHA512
9f7a25613702106f44f1921d1dacb05aba481ab91253aa52b9ec0822a63b8978ce47720121237543566537d0e58f23ac5f37f4da86db94e0410e4b62656ae48d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
01795fa4871b2a12124b3123272e8e91

SHA1
2a045165c1ffd83d435c1ccc1f18ce404aa07194

SHA256
e61cbe7f760b22302210d06591749af9e9181ca92cce2368010d4b6fcb8825ad

SHA512
c22864d8498bc342d1ae212fb7906918ce1271cd4504ba567b7a2735c76a51715e960ff647c8469bab5326ea9ef35a70e9b89b97cb3b95c61de13c4a9c18757b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
7443679799b47f08dda8bcdd0af9f3b2

SHA1
85ed11157fa40f8d254d00dda30b6979dad47732

SHA256
884bec53e482ecec3898198859c3d2ab5859418fbc94168e3488de8c029ae471

SHA512
f8c89515608703725740ba1f94f4a9a8523d1818bbe70a085cb7a77574a40428c8f0c9aed6ddb7d7b82c39a50eaca57540f4cbc75100f3b9fb96980a44b117d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
405efe7d64a1fba4f2ffd1b35aaab5e2

SHA1
b047eb3d1dff71567e244fac51e61ecd1d159b36

SHA256
18d3cc7a551d176cf3b346f8d585068919496f0c44871226bf8a5193cfd8c82b

SHA512
e1a71a09bae17283cb72eb5fc439ecc0dd6ec24c887f2425b7a02f83730493d812c296d798169d0458db7b7cf1fee4feb54324e5e6426d515929cc0206d68b02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4c75dff874d1c0468aa78c044d803292

SHA1
bf6b623a4675ad74a2d007b3c28db265b36a15dc

SHA256
ea0f74f0f3c72c9ae6ee44dc4fd92451fa2fd97e36c106e8fe12f0f865cb1d8f

SHA512
cb426db4458210a32cb9e4430a1f2df884118ec6dc01d72c50ed5395c18cbdecf29635720076d3a9670305913f7997265a035f2a3e71ee87b1f7ef7f6646a85c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
973cd7ed69b8540e1a57bad78d30599f

SHA1
49f951986dc378627a5d87680ab4006205fa989a

SHA256
1aa7471f9300797bafe23e67d3e97e37aca2fefac941c292695677f8233f6200

SHA512
a97a59162f3413b42c67a60a7a4a882872076b2b13e6145fafc93893b1d2da71700a487a5fc27ece47576ac1c64b0d92da86f709ceb40a4d05f71338f6ed57bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
0ee370fd0b36aa248467fe639b6efd62

SHA1
8d05ed1594e797f3b884c0640b394305cca30521

SHA256
7546533b63e8d119b7d4d58459a88b1bfeb060128844de5ffa9a2800a07505ba

SHA512
9f36083d5068d2b293bd459c8a03e7d79b1f005f7386dccd2df7599b8f94875bfb7bec715e8141d02dbcd92043c8dc621493939cae7bdfa96763927487bc261c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8ea717335d18711d62e7d4d21fe973a9

SHA1
5e42106b96cb74623488815b2ddc5780017369e0

SHA256
bca090c210df520eedac10b16eed216d958786e736814ae0e6705e74b8464bd5

SHA512
f40ec235607899f6f4670c86a2b7362dcf91fc61b709a631a03794bdd94010ac3e22793538353c25d410f0a0a25839d77c5003309613b99978f95b1107e3c4a0

Download Submit