hxxps://github[.]com/I-S00N/I-S00N/blob/main/0/0-08a6bcd3-6477-4252-8f35-4f8f80d114f9[.]png

Analysis

max time kernel
50s
max time network
55s
platform
windows10-2004_x64
resource
win10v2004-20240220-en
resource tags

arch:x64arch:x86image:win10v2004-20240220-enlocale:en-usos:windows10-2004-x64system
submitted
21/02/2024, 06:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/I-S00N/I-S00N/blob/main/0/0-08a6bcd3-6477-4252-8f35-4f8f80d114f9.png

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
31	raw.githubusercontent.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1500	msedge.exe
1500	msedge.exe
392	msedge.exe
392	msedge.exe
4504	identity_helper.exe
4504	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 4996	392	msedge.exe	59
PID 392 wrote to memory of 4996	392	msedge.exe	59
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1468	392	msedge.exe	88
PID 392 wrote to memory of 1500	392	msedge.exe	87
PID 392 wrote to memory of 1500	392	msedge.exe	87
PID 392 wrote to memory of 1584	392	msedge.exe	89
PID 392 wrote to memory of 1584	392	msedge.exe	89
PID 392 wrote to memory of 1584	392	msedge.exe	89
PID 392 wrote to memory of 1584	392	msedge.exe	89
PID 392 wrote to memory of 1584	392	msedge.exe	89
PID 392 wrote to memory of 1584	392	msedge.exe	89
PID 392 wrote to memory of 1584	392	msedge.exe	89
PID 392 wrote to memory of 1584	392	msedge.exe	89
PID 392 wrote to memory of 1584	392	msedge.exe	89
PID 392 wrote to memory of 1584	392	msedge.exe	89
PID 392 wrote to memory of 1584	392	msedge.exe	89
PID 392 wrote to memory of 1584	392	msedge.exe	89
PID 392 wrote to memory of 1584	392	msedge.exe	89
PID 392 wrote to memory of 1584	392	msedge.exe	89
PID 392 wrote to memory of 1584	392	msedge.exe	89
PID 392 wrote to memory of 1584	392	msedge.exe	89
PID 392 wrote to memory of 1584	392	msedge.exe	89
PID 392 wrote to memory of 1584	392	msedge.exe	89
PID 392 wrote to memory of 1584	392	msedge.exe	89
PID 392 wrote to memory of 1584	392	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/I-S00N/I-S00N/blob/main/0/0-08a6bcd3-6477-4252-8f35-4f8f80d114f9.png
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8e78746f8,0x7ff8e7874708,0x7ff8e7874718
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,9197104162776436703,16227678768224325566,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,9197104162776436703,16227678768224325566,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,9197104162776436703,16227678768224325566,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2568 /prefetch:8
  2⤵
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9197104162776436703,16227678768224325566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9197104162776436703,16227678768224325566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,9197104162776436703,16227678768224325566,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,9197104162776436703,16227678768224325566,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9197104162776436703,16227678768224325566,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9197104162776436703,16227678768224325566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:2896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9197104162776436703,16227678768224325566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9197104162776436703,16227678768224325566,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:1612

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9ebd667e8db80b0ab07f02f3dc844252

SHA1
461bade20eebf59e30e8c3620640d6df6db79249

SHA256
d04531e41d70e7832898e797081335b3f0314b09141a01de921ff679dba41b0f

SHA512
75f92d1f4ab942c3fdd3b70542956ea246f718aa8808a53f33d52278505f4f783e4c0458e5093ea4f459e72faea431f926373883eed2ec7da1109bd7efc6fb57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f621c7614503377ba83f2fcfca1c303b

SHA1
c7ec737f8e0262052e038691e5b38db37bdfe56e

SHA256
c2d2e04acc5e2cd129dd3211f73b498043051b74a2f661c1199224b37b681b26

SHA512
203e5e582007efb7d11b0442e85d4e37a4cc1332bd6367cd74b0d4b9de0d0df85757bdc66474f62309bf530841ab7a5e4c0d43c95aa416b7175129e2e2b36c26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
bfa3405f00a8b0b6907d376b64d40729

SHA1
6fbfeab5b05b129abfb15250ca9964d969689cf9

SHA256
491c2d17bf8fb7072fc57d2996ed1f35de37db4c373e0a4c81b1f0dea9879fed

SHA512
81408c147cbdcacf4a4b383fc20c4767ba5fa9be68acbdb2469d953df585081748eb32113baadf648acebab67846b56f5a30b0dc55337f29180259e870361902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fa6bce2c7f5decd0d789191e90f5749d

SHA1
8b1e4b9f675cb92dfb9b443eacc23baed8144f30

SHA256
bfecf35457c9ad53c464655b98edf5bf04ec2028b5445709aa3a845feaf94b65

SHA512
b621ddd9f557ba71010374b8f210bc73d47ed6764146561faf4b4cf7873d63374ed7b1b8b5f553180df6044ff9ee77ffe67ef2dc7c025e487ba768636cb0f05c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a9dce9077465971ba9abce07753671c7

SHA1
30431ccd9111c484b44e370879aa816470bb6810

SHA256
1c372cadf3b8b9009d6d7519bbd98afb47af9782d2faa6ad9af314c3ba771622

SHA512
8a7bcf59fab4d3d31fb7de9ad85b6909156f3d863e99a31d848f4d0bcc6897d957267171a7a583ee3f09f9e200c5ccc6d9a17e9d4d5fc7a2d518d6ef4b6862d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
704e631f2b564d0e9faaf8d535183a6e

SHA1
5c3f45039c7bfed50ce7587f1d26d0d7f124c504

SHA256
c0e7c95960e3b098d1b48f3dd0064622b8b2f42e9cc1140678629fdc46f9f525

SHA512
a6087aac86a418a650e69df2b920eaa6d70b08a941882621522c688548277a9cf2b5d6b91a25fc3769f7105e21080adaea507cec1cff131291927cd3104ff918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
e2c110692c06f327b8e54176c2d29400

SHA1
e1bf51402e8ab6c54a5ed7aaea5af6cc4e7f8172

SHA256
d5d409eb1ac4e8d00b86ad91018f6fa7b7f8e89e52ce91d98814d5f4da2355bc

SHA512
7f0ab5f5d817df1f36bbf88c5ce0b9b5765befe17a8497f36326fdd437ffebabb54c1b921feeae2da40041f82d399c67d7ab7f72faf1c215a19594bd3bde0a97

Download Submit