Resubmissions

Submitted          | Task ID            | Score
21-02-2024 11:30   | 240221-nl61aafa53  | 10
21-02-2024 11:27   | 240221-nkhlased7v  | 10
21-02-2024 11:22   | 240221-ngvrfsed4x  | 10

Analysis
- max time kernel: 150s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20240220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-02-2024 11:27
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
- Sample: https://go-link.ru/P4YKx
- Resource: win10v2004-20240220-en
General
- Target: https://go-link.ru/P4YKx

Malware Config
(none extracted)

Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description | ioc | process):
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes (pid | process):
- 3212 | msedge.exe (2 entries)
- 396 | msedge.exe (2 entries)
- 844 | identity_helper.exe (2 entries)
- 2456 | msedge.exe (4 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
Processes (pid | process):
- 396 | msedge.exe (7 entries)
Suspicious use of FindShellTrayWindow (25 IoCs)
Processes (pid | process):
- 396 | msedge.exe (25 entries)
Suspicious use of SendNotifyMessage (24 IoCs)
Processes (pid | process):
- 396 | msedge.exe (24 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description | pid | process | target process):
- PID 396 wrote to memory of 404 | 396 | msedge.exe | msedge.exe
- PID 396 wrote to memory of 4956 | 396 | msedge.exe | msedge.exe
- PID 396 wrote to memory of 3212 | 396 | msedge.exe | msedge.exe
- PID 396 wrote to memory of 3040 | 396 | msedge.exe | msedge.exe
All 64 entries have source PID 396 (msedge.exe) and an msedge.exe target; the rows above are the distinct target PIDs in order of first occurrence, each repeated many times in the raw list.
Processes

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go-link.ru/P4YKx
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa328d46f8,0x7ffa328d4708,0x7ffa328d4718

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,5813710099346008488,16851002054086372454,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2588 /prefetch:8

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,5813710099346008488,16851002054086372454,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,5813710099346008488,16851002054086372454,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5813710099346008488,16851002054086372454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5813710099346008488,16851002054086372454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5813710099346008488,16851002054086372454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,5813710099346008488,16851002054086372454,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:8

  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,5813710099346008488,16851002054086372454,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5813710099346008488,16851002054086372454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5813710099346008488,16851002054086372454,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5813710099346008488,16851002054086372454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5813710099346008488,16851002054086372454,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,5813710099346008488,16851002054086372454,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2332 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses

- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding

- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (filesize 152B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (filesize 152B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index (filesize 648B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State (filesize 1KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (filesize 6KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (filesize 6KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT (filesize 16B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (filesize 11KB)
- C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic (filesize 2B)