Analysis
-
max time kernel
34s -
max time network
38s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system -
submitted
21-02-2024 17:48
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://u.to/UiVkIA
Resource
win10v2004-20240221-en
General
-
Target
https://u.to/UiVkIA
Malware Config
Signatures
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
msedge.exemsedge.exeidentity_helper.exepid process 2776 msedge.exe 2776 msedge.exe 4708 msedge.exe 4708 msedge.exe 1600 identity_helper.exe 1600 identity_helper.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes:
msedge.exepid process 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe -
Suspicious use of FindShellTrayWindow 29 IoCs
Processes:
msedge.exepid process 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
msedge.exepid process 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe 4708 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid process target process PID 4708 wrote to memory of 4896 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 4896 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2928 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2776 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 2776 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 652 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 652 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 652 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 652 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 652 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 652 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 652 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 652 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 652 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 652 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 652 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 652 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 652 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 652 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 652 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 652 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 652 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 652 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 652 4708 msedge.exe msedge.exe PID 4708 wrote to memory of 652 4708 msedge.exe msedge.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://u.to/UiVkIA1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa17c546f8,0x7ffa17c54708,0x7ffa17c547182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,13261627740810728778,14926771389406560364,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,13261627740810728778,14926771389406560364,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,13261627740810728778,14926771389406560364,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13261627740810728778,14926771389406560364,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13261627740810728778,14926771389406560364,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13261627740810728778,14926771389406560364,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,13261627740810728778,14926771389406560364,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,13261627740810728778,14926771389406560364,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13261627740810728778,14926771389406560364,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13261627740810728778,14926771389406560364,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13261627740810728778,14926771389406560364,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13261627740810728778,14926771389406560364,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:12⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\16b1d9a6-b9e8-414f-b2f3-c5104f76acdf.tmpFilesize
11KB
MD53e383652ffc35e28bd5517efcfc7e70f
SHA133804e2cb92ea04a932d21cbeaaf81193d239e5d
SHA2566c98fed9b17f174a05cb556101db7f8b476838e08eeb197b00706bf044568d02
SHA512a22865eead54fab7c8da2dc3f16fcb150c3ed5e0a2219f614e9ed96f7f3d9954e585ab3a50963548709e5447bf58cb1dd6a6ccc37ffcb891df671d6fe576a93d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD591746379e314b064719e43e3422d0388
SHA165f1a2b5a93922d589142a6edf99b5b35d986dba
SHA2560b3cf8ae20afd84c9bf06546e876c84922cb5800526df72a628479f4d5487df7
SHA512a783d8d9613cf92020fc36fd27d384dbd4e105a1ebd02c4507bf7263e61ff5b377e6d1734b066700782fa64bcbeb11af31ac3972d404625cbdb587cfa3bc0808
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5ccf8b7b618672b2da2775b890d06c7af
SHA183717bc0ff28b8775a1360ef02882be22e4a5263
SHA256ef08e2971a9ba903c9b91412275b39aabfd6d4aa5c46ade37d74ff86f0285420
SHA512eb550889db8c4c0e7d79b2bd85c7d0e61b696df10ce3d76c48ab21b935c7ecc7b12403a00d6570e7d8e4121f72747242c2358f8f0823f804e704bd44ed603b97
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
456B
MD5bf85f337a12ccba4bc8ed983d320bba0
SHA1b896d59810141f8ea734c7583504662b4fb1d32d
SHA2569372d506039ca7abd7f06cc97b472e2035a7173485df3807e4c96d455d8fe6f2
SHA512d9d1cba64fbadd8d3fffa91085375ab3e6ed518b7511eab789b031b1e52f58be5e7a38844cf305746cc8e758bc3e71e266a4779bc15fba36be2b145b44df0de7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5ef265631a9fcb71c0863cec2f47b8a1e
SHA1cd6b360a434da43e06c15bf2d6ccd4b3a93e0034
SHA256e3de9ecde11634863d3804945bf9879af66d99a906a39d740b89a685afb5b70a
SHA512ce91beb396fa92cb124c1e1a4c1e3c61d48001478b433df86abfdd8e792d6f74e59dc97e5b43fb8d44263457928c3aa42c4c17ad15d943bd4970ef9d21cd7ca3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5128da34e5fc8a0d66d43aa5ebf3a94bb
SHA1c05e82525e437466b281373079b678932f428b3c
SHA2566b59a8db6b53e9368f787f21392368b49c3e06d9c2091ae1205b283b586c2a28
SHA512a0215e8a7e06725157a08d0ca64a9a3b49f296fb647201df8efb5169705a6c42518d93b9ea426e7d0543479808a6d0ced8541a4c8db6c1a619a1a304eb167f0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD50c44ddc19dce064a984844e531e50680
SHA154df38b63bf1141c2adc7d7291db64f734960271
SHA256f17bbb81550bd35d3098f6f5758a6a0a93df67820a32c64a99db65a5d9745c57
SHA5122491b40b21dd42aab41307f44b1aed5384c74257ca3b993de49973f7659d27f3bee32798f147c72685afb36b2d967fab6e7e35eb573550ca9e339ef66d2942af
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD591d9e3c82d8d6673bbef61aca22b7b07
SHA1f4263ee13438d229cdde71a799fb15c258e94c51
SHA2567a9088352c519a5c628e392848657d50dc770a7f0439b9f98e23fa378dceb50d
SHA512fa5828494f21592e4a3fe52a86fb1314b0e8c23911b86488c33b8492772108efbf5e154b6ddac491b7830d999afebbc28a71316f35f4584e47eba6f0908521a8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
\??\pipe\LOCAL\crashpad_4708_VGXMWGEOSRBFOAKWMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e