Analysis
- max time kernel: 242s
- max time network: 255s
- platform: windows11-21h2_x64
- resource: win11-20240214-en
- resource tags: arch:x64, arch:x86, image:win11-20240214-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 20-02-2024 08:19
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
  - Sample: https://steamcomunnutiy.com/gift/activation/feor37569hFvrb1ga
  - Resource: win11-20240214-en
General
- Target: https://steamcomunnutiy.com/gift/activation/feor37569hFvrb1ga
Malware Config
Signatures
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
  - msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  - msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  - msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
  - PID 5084 msedge.exe (2 events)
  - PID 1052 msedge.exe (2 events)
  - PID 2896 identity_helper.exe (2 events)
  - PID 4932 msedge.exe (2 events)
  - PID 4976 msedge.exe (4 events)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  Processes:
  - PID 1052 msedge.exe (6 events)
- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes:
  - PID 1052 msedge.exe (25 events)
- Suspicious use of SendNotifyMessage (12 IoCs)
  Processes:
  - PID 1052 msedge.exe (12 events)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source PID, source process, target PID, target process):
  - PID 1052 msedge.exe wrote to memory of PID 1836 msedge.exe (2 events)
  - PID 1052 msedge.exe wrote to memory of PID 4524 msedge.exe (repeated events)
  - PID 1052 msedge.exe wrote to memory of PID 5084 msedge.exe (2 events)
  - PID 1052 msedge.exe wrote to memory of PID 1276 msedge.exe (repeated events)
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcomunnutiy.com/gift/activation/feor37569hFvrb1ga
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff952393cb8,0x7ff952393cc8,0x7ff952393cd8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,4918456290428567640,13438132364473433194,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,4918456290428567640,13438132364473433194,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,4918456290428567640,13438132364473433194,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,4918456290428567640,13438132364473433194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,4918456290428567640,13438132364473433194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,4918456290428567640,13438132364473433194,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,4918456290428567640,13438132364473433194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4416 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,4918456290428567640,13438132364473433194,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,4918456290428567640,13438132364473433194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,4918456290428567640,13438132364473433194,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,4918456290428567640,13438132364473433194,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,4918456290428567640,13438132364473433194,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4984 /prefetch:2
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index (480B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State (983B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State (111B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State (983B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (5KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (5KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences (25KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT (16B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT (16B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (10KB)
- \??\pipe\LOCAL\crashpad_1052_CFTVSKRVMCJEVPQS (empty)