hxxps://steamcommunijty[.]com/gift/6388299377

Analysis

max time kernel
145s
max time network
148s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
20-02-2024 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://steamcommunijty.com/gift/6388299377

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
4808	msedge.exe
4808	msedge.exe
4876	msedge.exe
4876	msedge.exe
2292	msedge.exe
2292	msedge.exe
1220	identity_helper.exe
1220	identity_helper.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

4876 msedge.exe
4876 msedge.exe
4876 msedge.exe
4876 msedge.exe
4876 msedge.exe
4876 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4876 wrote to memory of 1732	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 1732	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 3124	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 4808	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 4808	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 2680	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 2680	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 2680	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 2680	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 2680	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 2680	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 2680	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 2680	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 2680	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 2680	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 2680	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 2680	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 2680	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 2680	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 2680	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 2680	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 2680	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 2680	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 2680	4876	msedge.exe	msedge.exe
PID 4876 wrote to memory of 2680	4876	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunijty.com/gift/6388299377
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc3a9d3cb8,0x7ffc3a9d3cc8,0x7ffc3a9d3cd8
2⤵
PID:1732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,9150647729163915819,7846299933768197362,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
2⤵
PID:3124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,9150647729163915819,7846299933768197362,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,9150647729163915819,7846299933768197362,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
2⤵
PID:2680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,9150647729163915819,7846299933768197362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
2⤵
PID:764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,9150647729163915819,7846299933768197362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
2⤵
PID:1148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,9150647729163915819,7846299933768197362,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4616 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,9150647729163915819,7846299933768197362,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
2⤵
PID:4040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,9150647729163915819,7846299933768197362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
2⤵
PID:2304

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,9150647729163915819,7846299933768197362,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5732 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,9150647729163915819,7846299933768197362,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
2⤵
PID:2080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,9150647729163915819,7846299933768197362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
2⤵
PID:412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,9150647729163915819,7846299933768197362,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5336 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4852

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\7dcd5776-ff85-4775-9f6d-6e945c5fae46.tmp
Filesize
10KB

MD5
ca47243a11039329b51bac975693b412

SHA1
8c716cd92f21235c431fb0858ef360d22ebcb62e

SHA256
af3688f362ed307885dbc934dc41c1805e7108433e248273a5ef5b364b2742a7

SHA512
53e41c15f8df503776320e5272342ee411e5185776364ced15c435e461c25a871fee9305f9afb88084868aad3bdbf0a64e65b96f350ef66942cc41dc05a2e007

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
90bbaa873cb1024ace83f887dfde38ae

SHA1
922416490e14f9098df969a56b75e7523f108e53

SHA256
2ff8abbbdad2acf5f04a3b47624055a0f2c36a09b0db3945b494f7eb92ae87bc

SHA512
60587031845ee5ae354c760bd2714a47ff561d3bd6e8aab7b2073d1b9c6b544c7eca94078d9cdefcd87b44adce4e814852c1e8f6af8ca3bdd5b0ddd0312e57b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
432B

MD5
d119f4097e5ff6a714809ea5477946cd

SHA1
b924b9f741c4c299ec6776912e61cf0973d32c41

SHA256
73af87506f8bc597765a3585c3835a80fd4b7e49a3aa9d830a7ef1895f2bb16f

SHA512
38ce2779b917f24e07a9976ead2b2c3c558736f11520d17341f9847333b88e5e515b9a0cfeed2749343018807ee4c0e7907975a0e4eef3bad1ec801dc93a4579

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
789B

MD5
e267b17b791e2431f727a1decaefb2d1

SHA1
32be887c59d785ab612648aa41adffb26c90c1ec

SHA256
b568c2c829a42a84e84fdcc254badb99985a6ff9a7d077dfde65f04ef231645f

SHA512
ad9e201a3c99e6c0011dc285f5e0b10d379a6e007a2efc73682545cc9e162ac8d5b652174320186863935902ecb88d530e145b60fb7d48efdd5090791e36552e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
5cecb0d572b617513fd08c7e1bb6ad6d

SHA1
e90da5f7da1964c5ab73c5a45c07d9bcee6990b0

SHA256
c075c8a4fa6821e14c7fbc814f2a54c979cc7c2385997936ee6359c6a69f003b

SHA512
1e6ea73bb662c16d1f99f0a4c28350986219c2a5eaa85d8d57d4de6a57637e0171c10a8d214ce09aa8e10976b99ab8a36fd1af7bcb64eb4b23b7e7072756880a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
775cd8c4bccf97a39627b475db1f0131

SHA1
542f54c1043000beff9b0c918217f8926700a126

SHA256
6fa59daae96a20c41170317e25facd230112eda0a5e745752bf75f07aa947bf7

SHA512
f8631b2ed8be6b23aeef1bc14ca804f04ec3de52ec1562b1ca74845eb502061e5ce20a55af44f82cc0d770043206f506a07377b42643eed3801ca8a870db541a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
25KB

MD5
38e0f825a71c236dde48aa2f551fc800

SHA1
1aff06111b765ed4e382b9216101e1f54a09d73e

SHA256
8018002d860e6370cd760a83b61d41f77cfb9473aeafbf630b27e4b4a7c100bf

SHA512
28fc9207402287a3742a8b409aa0db3d570cbd8e456c4ece1ced7b34b6d22f8fd0a2f699142090a9fe54062b35082560012ae80aa9785ce2b21da0aa9bd40399

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
f48215595b1ea1207971dff534af3eec

SHA1
8394728e0433b31b661c81e893b497865e704044

SHA256
2fb4135de839c28f9f2401d729a6ab8ded6a9ea1f557fa8782f199c9ebba0c2e

SHA512
ecf0cce30acf33dac42de156529df0d0eb35c2cc8b203ff09183f9d6b5a4e3ef95ce1545ef13ed3e822b7fe4094dcaf1b6eae8d59f702bef14bea64220894251

Download Submit
\??\pipe\LOCAL\crashpad_4876_OXCPGGGJMDQPUCCH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit