hxxp://url3963[.]my-media[.]com[.]au

Resubmissions

22-02-2024 03:53

240222-efybhsbh95 1

22-02-2024 03:47

240222-eckk9abh69 1

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2024 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://url3963.my-media.com.au

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3920	msedge.exe
3920	msedge.exe
4728	msedge.exe
4728	msedge.exe
1080	identity_helper.exe
1080	identity_helper.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 3884	4728	msedge.exe	82
PID 4728 wrote to memory of 3884	4728	msedge.exe	82
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 1676	4728	msedge.exe	84
PID 4728 wrote to memory of 3920	4728	msedge.exe	83
PID 4728 wrote to memory of 3920	4728	msedge.exe	83
PID 4728 wrote to memory of 3208	4728	msedge.exe	85
PID 4728 wrote to memory of 3208	4728	msedge.exe	85
PID 4728 wrote to memory of 3208	4728	msedge.exe	85
PID 4728 wrote to memory of 3208	4728	msedge.exe	85
PID 4728 wrote to memory of 3208	4728	msedge.exe	85
PID 4728 wrote to memory of 3208	4728	msedge.exe	85
PID 4728 wrote to memory of 3208	4728	msedge.exe	85
PID 4728 wrote to memory of 3208	4728	msedge.exe	85
PID 4728 wrote to memory of 3208	4728	msedge.exe	85
PID 4728 wrote to memory of 3208	4728	msedge.exe	85
PID 4728 wrote to memory of 3208	4728	msedge.exe	85
PID 4728 wrote to memory of 3208	4728	msedge.exe	85
PID 4728 wrote to memory of 3208	4728	msedge.exe	85
PID 4728 wrote to memory of 3208	4728	msedge.exe	85
PID 4728 wrote to memory of 3208	4728	msedge.exe	85
PID 4728 wrote to memory of 3208	4728	msedge.exe	85
PID 4728 wrote to memory of 3208	4728	msedge.exe	85
PID 4728 wrote to memory of 3208	4728	msedge.exe	85
PID 4728 wrote to memory of 3208	4728	msedge.exe	85
PID 4728 wrote to memory of 3208	4728	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://url3963.my-media.com.au
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff942e446f8,0x7ff942e44708,0x7ff942e44718
  2⤵
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,7010174113388189600,9410035010355693523,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,7010174113388189600,9410035010355693523,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2
  2⤵
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,7010174113388189600,9410035010355693523,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,7010174113388189600,9410035010355693523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,7010174113388189600,9410035010355693523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,7010174113388189600,9410035010355693523,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  PID:3796
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,7010174113388189600,9410035010355693523,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,7010174113388189600,9410035010355693523,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,7010174113388189600,9410035010355693523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,7010174113388189600,9410035010355693523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,7010174113388189600,9410035010355693523,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,7010174113388189600,9410035010355693523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,7010174113388189600,9410035010355693523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
  2⤵
  PID:2264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,7010174113388189600,9410035010355693523,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1976 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1048

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3bde7b7b0c0c9c66bdd8e3f712bd71eb

SHA1
266bd462e249f029df05311255a15c8f42719acc

SHA256
2ccd4a1b56206faa8f6482ce7841636e7bb2192f4cf5258d47e209953a77a01a

SHA512
5fab7a83d86d65e7c369848c5a7d375d9ad132246b57653242c7c7d960123a50257c9e8c4c9a8f22ee861fce357b018236ac877b96c03990a88de4ddb9822818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9cafa4c8eee7ab605ab279aafd19cc14

SHA1
e362e5d37d1a79e7b4a8642b068934e4571a55f1

SHA256
d0817f51aa2fb8c3cae18605dbfd6ec21a6ff3f953171e7ac064648ffdee1166

SHA512
eefd65ffcfb98ac8c3738eb2b3f4933d5bc5b992a1d465b8424903c8f74382ec2c95074290ddbb1001204843bfef59a32b868808a6bee4bc41ee9571515bbac6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
648B

MD5
afa3c289c758a2a2e4b5c97e5adff0f6

SHA1
304c45ed29bc2eb73f38bfc9b8bc3213843c8c3b

SHA256
5d04b9400dc9fc17403e20abf49d3b6a5184eaebd712722edbbf0e004d0d02ae

SHA512
7a4ffad8504e0a16d08f975da70476d33e89d91869b5ed0db506e44c79b7a6bb0a3766ce975ccc4e6de4a92b5413ad302546eab2c388f6ffaeab05d9a5cf12e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
7b3a37e4576d85c7954507b2aab179c8

SHA1
90270a1fc7dfde01fb181cee244c8ee25a469b55

SHA256
9b7d22a7e135676a99a642dd8297352d3c3b2f26cd26eea561113d69eff3ad3c

SHA512
2362fb5f2bf41df1bb3156a2f0a8c3e12c5362ac559397e9ee2797cf9154bbe00a63bcd8c13d5f0ef7059915e6430a37d6bcf1df791bb356680d1377125ba003

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2f1e9eb1a6bbc9d78805fde9bd7af95d

SHA1
68806b86dda050738b80ce6b7a1e48a48b1b1866

SHA256
ebb1ee9c70d96d9d715ddea7f6afd833389b139962ca613a17ab7eb6f413bc13

SHA512
e9afec80c1c5692258edebedf3d80387786e34c8469c2c0e0fd665ef21a06fa389a862280d4d429c8cdb859bcc947f4e10f8ea6abd3ee63c8f857c36f191ded9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
549d5df1f730c9bca2568c9db66402e0

SHA1
fd1af0f663bc560fb3b51e884c5b5a39900e0cce

SHA256
7eddc978f860f47d1fc22c0e8a342c3a004c503dac527d2e846e31ae3447053f

SHA512
9b4fef82eb21a35665b03e29d967b1b1725bc494261ba08ad09c39888df2168ded25d62d90ee7dff8179972a2dde28c3a340cbfa5dea806b36fd1c6b0bfedab6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4f3b587a04cdca2247fc5d5c311e2f4f

SHA1
1592bc7189efd58c1b311cd4fff31e9b7a069482

SHA256
cda4eef385b7ad26114cb0b988a6dd595de34255a29440e551dc757400c6ae60

SHA512
fbcbee3893fff9b1fc175b333d804207aac8ca7681e82681c0d1343dd11ee9aedfbd7411bd62ec7b2d69563c3faf55df32f29d4b443091a57347339770d2f460

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
831c24bdaf387befc89f491a41702788

SHA1
162cfc21baa60a2cd37876c99c79aeb02dd5cf88

SHA256
4375837b6968997fc6389ffebeb2886a772c934ea540fc67a8a9c33e38cf0a7a

SHA512
540c8e74a86bd52e9c58b0ad1debf18ade43b1e99bb33b22c55fbedc7d3a53c4b0adfe36f08045a651d8492fbddf345bf2c15e83f21b1ce208c1c9275a111828

Download Submit