hxxps://u[.]to/UiVkIA

Analysis

max time kernel
34s
max time network
38s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21-02-2024 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://u.to/UiVkIA

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exe

pid process

2776 msedge.exe
2776 msedge.exe
4708 msedge.exe
4708 msedge.exe
1600 identity_helper.exe
1600 identity_helper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4708 msedge.exe
4708 msedge.exe
4708 msedge.exe
4708 msedge.exe
4708 msedge.exe
4708 msedge.exe
4708 msedge.exe

pid	process
2776	msedge.exe
2776	msedge.exe
4708	msedge.exe
4708	msedge.exe
1600	identity_helper.exe
1600	identity_helper.exe

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

msedge.exe

pid	process
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4708 wrote to memory of 4896	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 4896	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2928	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2776	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2776	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 652	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 652	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 652	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 652	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 652	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 652	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 652	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 652	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 652	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 652	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 652	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 652	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 652	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 652	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 652	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 652	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 652	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 652	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 652	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 652	4708	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://u.to/UiVkIA
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa17c546f8,0x7ffa17c54708,0x7ffa17c54718
2⤵
PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,13261627740810728778,14926771389406560364,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
2⤵
PID:2928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,13261627740810728778,14926771389406560364,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,13261627740810728778,14926771389406560364,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
2⤵
PID:652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13261627740810728778,14926771389406560364,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
2⤵
PID:3628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13261627740810728778,14926771389406560364,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
2⤵
PID:3808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13261627740810728778,14926771389406560364,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
2⤵
PID:2648

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,13261627740810728778,14926771389406560364,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
2⤵
PID:860

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,13261627740810728778,14926771389406560364,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13261627740810728778,14926771389406560364,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
2⤵
PID:1020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13261627740810728778,14926771389406560364,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
2⤵
PID:3908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13261627740810728778,14926771389406560364,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
2⤵
PID:2888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13261627740810728778,14926771389406560364,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
2⤵
PID:5068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4296

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2768

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\16b1d9a6-b9e8-414f-b2f3-c5104f76acdf.tmp
Filesize
11KB

MD5
3e383652ffc35e28bd5517efcfc7e70f

SHA1
33804e2cb92ea04a932d21cbeaaf81193d239e5d

SHA256
6c98fed9b17f174a05cb556101db7f8b476838e08eeb197b00706bf044568d02

SHA512
a22865eead54fab7c8da2dc3f16fcb150c3ed5e0a2219f614e9ed96f7f3d9954e585ab3a50963548709e5447bf58cb1dd6a6ccc37ffcb891df671d6fe576a93d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
91746379e314b064719e43e3422d0388

SHA1
65f1a2b5a93922d589142a6edf99b5b35d986dba

SHA256
0b3cf8ae20afd84c9bf06546e876c84922cb5800526df72a628479f4d5487df7

SHA512
a783d8d9613cf92020fc36fd27d384dbd4e105a1ebd02c4507bf7263e61ff5b377e6d1734b066700782fa64bcbeb11af31ac3972d404625cbdb587cfa3bc0808

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ccf8b7b618672b2da2775b890d06c7af

SHA1
83717bc0ff28b8775a1360ef02882be22e4a5263

SHA256
ef08e2971a9ba903c9b91412275b39aabfd6d4aa5c46ade37d74ff86f0285420

SHA512
eb550889db8c4c0e7d79b2bd85c7d0e61b696df10ce3d76c48ab21b935c7ecc7b12403a00d6570e7d8e4121f72747242c2358f8f0823f804e704bd44ed603b97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
456B

MD5
bf85f337a12ccba4bc8ed983d320bba0

SHA1
b896d59810141f8ea734c7583504662b4fb1d32d

SHA256
9372d506039ca7abd7f06cc97b472e2035a7173485df3807e4c96d455d8fe6f2

SHA512
d9d1cba64fbadd8d3fffa91085375ab3e6ed518b7511eab789b031b1e52f58be5e7a38844cf305746cc8e758bc3e71e266a4779bc15fba36be2b145b44df0de7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
ef265631a9fcb71c0863cec2f47b8a1e

SHA1
cd6b360a434da43e06c15bf2d6ccd4b3a93e0034

SHA256
e3de9ecde11634863d3804945bf9879af66d99a906a39d740b89a685afb5b70a

SHA512
ce91beb396fa92cb124c1e1a4c1e3c61d48001478b433df86abfdd8e792d6f74e59dc97e5b43fb8d44263457928c3aa42c4c17ad15d943bd4970ef9d21cd7ca3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
128da34e5fc8a0d66d43aa5ebf3a94bb

SHA1
c05e82525e437466b281373079b678932f428b3c

SHA256
6b59a8db6b53e9368f787f21392368b49c3e06d9c2091ae1205b283b586c2a28

SHA512
a0215e8a7e06725157a08d0ca64a9a3b49f296fb647201df8efb5169705a6c42518d93b9ea426e7d0543479808a6d0ced8541a4c8db6c1a619a1a304eb167f0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
0c44ddc19dce064a984844e531e50680

SHA1
54df38b63bf1141c2adc7d7291db64f734960271

SHA256
f17bbb81550bd35d3098f6f5758a6a0a93df67820a32c64a99db65a5d9745c57

SHA512
2491b40b21dd42aab41307f44b1aed5384c74257ca3b993de49973f7659d27f3bee32798f147c72685afb36b2d967fab6e7e35eb573550ca9e339ef66d2942af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
91d9e3c82d8d6673bbef61aca22b7b07

SHA1
f4263ee13438d229cdde71a799fb15c258e94c51

SHA256
7a9088352c519a5c628e392848657d50dc770a7f0439b9f98e23fa378dceb50d

SHA512
fa5828494f21592e4a3fe52a86fb1314b0e8c23911b86488c33b8492772108efbf5e154b6ddac491b7830d999afebbc28a71316f35f4584e47eba6f0908521a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
\??\pipe\LOCAL\crashpad_4708_VGXMWGEOSRBFOAKW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit