hxxp://bepoat[.]top/love

Analysis

max time kernel
146s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21/02/2024, 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://bepoat.top/love

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2516	msedge.exe
2516	msedge.exe
3016	msedge.exe
3016	msedge.exe
4444	identity_helper.exe
4444	identity_helper.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 3672	3016	msedge.exe	54
PID 3016 wrote to memory of 3672	3016	msedge.exe	54
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 1944	3016	msedge.exe	85
PID 3016 wrote to memory of 2516	3016	msedge.exe	84
PID 3016 wrote to memory of 2516	3016	msedge.exe	84
PID 3016 wrote to memory of 892	3016	msedge.exe	86
PID 3016 wrote to memory of 892	3016	msedge.exe	86
PID 3016 wrote to memory of 892	3016	msedge.exe	86
PID 3016 wrote to memory of 892	3016	msedge.exe	86
PID 3016 wrote to memory of 892	3016	msedge.exe	86
PID 3016 wrote to memory of 892	3016	msedge.exe	86
PID 3016 wrote to memory of 892	3016	msedge.exe	86
PID 3016 wrote to memory of 892	3016	msedge.exe	86
PID 3016 wrote to memory of 892	3016	msedge.exe	86
PID 3016 wrote to memory of 892	3016	msedge.exe	86
PID 3016 wrote to memory of 892	3016	msedge.exe	86
PID 3016 wrote to memory of 892	3016	msedge.exe	86
PID 3016 wrote to memory of 892	3016	msedge.exe	86
PID 3016 wrote to memory of 892	3016	msedge.exe	86
PID 3016 wrote to memory of 892	3016	msedge.exe	86
PID 3016 wrote to memory of 892	3016	msedge.exe	86
PID 3016 wrote to memory of 892	3016	msedge.exe	86
PID 3016 wrote to memory of 892	3016	msedge.exe	86
PID 3016 wrote to memory of 892	3016	msedge.exe	86
PID 3016 wrote to memory of 892	3016	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://bepoat.top/love
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0x100,0x104,0xe4,0x108,0x7ffe5f3f46f8,0x7ffe5f3f4708,0x7ffe5f3f4718
  2⤵
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,15513206041957625712,16531669844671388122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,15513206041957625712,16531669844671388122,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:1944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,15513206041957625712,16531669844671388122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
  2⤵
  PID:892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15513206041957625712,16531669844671388122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:1076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15513206041957625712,16531669844671388122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15513206041957625712,16531669844671388122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,15513206041957625712,16531669844671388122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
  2⤵
  PID:2624
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,15513206041957625712,16531669844671388122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15513206041957625712,16531669844671388122,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15513206041957625712,16531669844671388122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
  2⤵
  PID:2004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15513206041957625712,16531669844671388122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15513206041957625712,16531669844671388122,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,15513206041957625712,16531669844671388122,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4908 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:60

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
58670ac03d80eb4bd1cec7ac5672d2e8

SHA1
276295d2f9e58fb0b8ef03bd9567227fb94e03f7

SHA256
76e1645d9c4f363b34e554822cfe0d53ff1fce5e994acdf1edeff13ae8df30f8

SHA512
99fe23263de36ec0c8b6b3b0205df264250392cc9c0dd8fa28cf954ff39f9541f722f96a84fbc0b4e42cfd042f064525a6be4b220c0180109f8b1d51bbdef8ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3782686f747f4a85739b170a3898b645

SHA1
81ae1c4fd3d1fddb50b3773e66439367788c219c

SHA256
67ee813be3c6598a8ea02cd5bb5453fc0aa114606e3fc7ad216f205fe46dfc13

SHA512
54eb860107637a611150ff18ac57856257bf650f70dce822de234aee644423080b570632208d38e45e2f0d2bf60ca2684d3c3480f9637ea4ad81f2bcfb9f24d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
80ac1ed917b2a1d62dd631e78ea268fb

SHA1
78c8e5a99daaa36321bd2e6ac7b736450ce18c6e

SHA256
6df55d8895205096a89c53ade6581a8024855fef312d7f672c5788b093b87dc4

SHA512
e799924eee707f8593456cea8a2af373e8d0c2b1ea2a3ea7b9b6bf03f2edcbbf461e8c74d18f243ef86f91846ff4eaf3cd602324a5b8c6d430c4501b57bff43e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4572c2bc68912ed8381b6d367c9741d1

SHA1
cf6d064a0d681df25b5ae0db204ba5bb327ca133

SHA256
fe6e296054447f88891f7405169633a76481028f62c694b16847a4520119f47b

SHA512
46073df0281a6cda384b16c38f472e8b36ffd754ab61fc66d6304816dbcf3a331945ae8c4d3e0b3e786303ee277ed9f7a13b6ed2101a38186cfe3fd54e492383

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5f5849b1ce61cdc2b803b93e1f70ac17

SHA1
6b1ce91df65429050c4277c4cae3c3d6806f5b55

SHA256
d8879f38ba752145d33ae1c0ce1c89de8ff107c7028def25dd9d030f1d99d712

SHA512
58f873f5974b0e308a00ede72b3b511debaadec6447d81770bd9e8751171594281230dd111545b95814eb045fb0127dc992c74dd5788892bc7dd163542d4cb8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cdc3f466f738c0f1bae1bcba2445eedb

SHA1
ed3705c21023476eaca040fdc4cbd131301aa2e9

SHA256
bf3cdb1fdff68afc6a6fa2b9f5a677daab4fb6e2f5545f60d7b0d6a2c29ba465

SHA512
a551b5eede72230a8139f69bcf4533716eea596c169fd9e368ef1c476a677a5440a64dec8b1682e09a8277c93ff70c289782447eddb450ca1fe59bc5a48d1265

Download Submit