hxxps://steamcomunnutiy[.]com/gift/activation/feor37569hFvrb1ga

Analysis

max time kernel
51s
max time network
54s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
20-02-2024 02:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://steamcomunnutiy.com/gift/activation/feor37569hFvrb1ga

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exe

pid process

1092 msedge.exe
1092 msedge.exe
1060 msedge.exe
1060 msedge.exe
3988 msedge.exe
3988 msedge.exe
1908 identity_helper.exe
1908 identity_helper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

1060 msedge.exe
1060 msedge.exe
1060 msedge.exe
1060 msedge.exe
1060 msedge.exe
1060 msedge.exe

pid	process
1092	msedge.exe
1092	msedge.exe
1060	msedge.exe
1060	msedge.exe
3988	msedge.exe
3988	msedge.exe
1908	identity_helper.exe
1908	identity_helper.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1060 wrote to memory of 1960	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 1960	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4168	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 1092	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 1092	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4176	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4176	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4176	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4176	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4176	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4176	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4176	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4176	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4176	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4176	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4176	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4176	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4176	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4176	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4176	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4176	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4176	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4176	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4176	1060	msedge.exe	msedge.exe
PID 1060 wrote to memory of 4176	1060	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcomunnutiy.com/gift/activation/feor37569hFvrb1ga
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8daf23cb8,0x7ff8daf23cc8,0x7ff8daf23cd8
2⤵
PID:1960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,6855866949333671789,7058107837670531966,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,6855866949333671789,7058107837670531966,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1880 /prefetch:2
2⤵
PID:4168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,6855866949333671789,7058107837670531966,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:8
2⤵
PID:4176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6855866949333671789,7058107837670531966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
2⤵
PID:964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6855866949333671789,7058107837670531966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
2⤵
PID:1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,6855866949333671789,7058107837670531966,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3988

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,6855866949333671789,7058107837670531966,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6855866949333671789,7058107837670531966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
2⤵
PID:1512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6855866949333671789,7058107837670531966,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
2⤵
PID:4072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6855866949333671789,7058107837670531966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
2⤵
PID:3492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6855866949333671789,7058107837670531966,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
2⤵
PID:5012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1324

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3776

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d4a7484ba6d457556ace4c311458fce2

SHA1
fd8ef690a7b356300e024699478ea1f4193ef660

SHA256
ed5f71ca09455340e6a3a9b196b276e2880f482ba20c959248af412fbf993a50

SHA512
e35626dce77f642e060d3e54a84a4ad62af74576581f68ea1e041977dcf61d679c7b546102b99a221963d1d754566661b46eff2b3d6d751d300200d17e69ccad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
576B

MD5
5fe7cc117f741e270653a7a786a90c54

SHA1
c2888317770d6044b965ea191bac939075c1f7d9

SHA256
2b7d74d01259632047d8154d81f9d957bd7448449d52c9c4196467b78fc24e59

SHA512
bc715486ca417a349213def89d411d8e5b3128c3aa43f4ba62b1693c6bea62b5f7c59d4a2d31661eb2a1fba0ca7063e4bb8ce17f0aac9d3a914e2b2b374f4e67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
1ee617bf33b5f4440f36eb1c1184c021

SHA1
3fb892ac84f964fe3143bffede76be424ddc8a7a

SHA256
9242b6155ad4ca9a5beb1b85d3a88e078e2e743411435ac24094b38ca679a9d0

SHA512
11b706136ee6a2c8445a638c14c48bf4caf5267775ec6c7398e708ef136d3727cf0058711b74c08a783faa0f6819bc19594a0661a0e644acdc583f5054ad214d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
c19b4ad2b7f1fe8fd564d9ec0e508a2c

SHA1
1de96ae12eecbcb2e927dfb63ae9311413f615ad

SHA256
b647a2b5fe5bb43f73e2f1aa1defab0b2bc4629aaeb828f57edc322670d0fd85

SHA512
5e7d4b3d6b8c023bc43dda9ab30324cee128f3d3c2f95e8e57c851b7b742e02df3c3f2e33a823548179b128f0dfaff50cdd95745e13cad95f3a59e20495b6e57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
25KB

MD5
67c5b5de2d96b3aba17eeeb157772dd1

SHA1
f663f64b78cf495b61c7e7a72ffa73552d8cdacd

SHA256
c475b30757887c335be79c087620eeaa31749cb1f82cefb2ea48640e377739f0

SHA512
0f892384278f868f6e986d31ec787720de25d261688551058110b3e4961390876d053c73dd156aebe1ba49364675e19669aed2842c4c38dd9c4820625f4c22a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
c0d16a0c0362766b8c18e1c0c99b519a

SHA1
a3f3e8db5efc4ded1df605a33d11adaa887df08f

SHA256
97cdd17ece22932300fd2121932e4acb6c343c8914462f9170ac4dc0d14c07a6

SHA512
d4a6b6e078fb93689f5da854a7cdb5420f92222634ea215817437aa30ae3e7c1d618b22729ae4501fdd27aa0741d270c66cd558052c73f7cd31ed9ee7a164bba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
b8b89b3b4886765534f38ba0123e1955

SHA1
bbd68126cc3cf5213fed20c5c9a4b763417f4872

SHA256
97c6393fd8fe037bdd925b12b530ef4258bea93bfd383af088c113b0de7c65f6

SHA512
d149c32418fd0a14190cb18d88b3f7b7acb5b014adee087956720c4225847565c17d9bed23251f53996241dcc61e0720a3c3c4fff14aad964c8df695dae710da

Download Submit
\??\pipe\LOCAL\crashpad_1060_URGVHHAPOSCYCCDI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit