Analysis
- max time kernel: 148s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240221-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240221-en locale:en-us os:windows10-2004-x64 system
- submitted: 22-02-2024 13:35
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
- Sample: http://sexyleakz.com/
- Resource: win10v2004-20240221-en
General
- Target: http://sexyleakz.com/
Malware Config
- (no entries)
Signatures
Every signature below fires on Edge's own processes (msedge.exe and its identity_helper.exe child); all of the flagged behaviour stays inside the browser's process tree, and no malware configuration was extracted.
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                    process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   process
  1772  msedge.exe (2 hits)
  2688  msedge.exe (2 hits)
  4856  identity_helper.exe (2 hits)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  pid   process
  2688  msedge.exe (7 hits)
Suspicious use of FindShellTrayWindow (26 IoCs)
  pid   process
  2688  msedge.exe (26 hits)
Suspicious use of SendNotifyMessage (24 IoCs)
  pid   process
  2688  msedge.exe (24 hits)
Suspicious use of WriteProcessMemory (64 IoCs)
  description                        pid   process     target process  count
  PID 2688 wrote to memory of 232    2688  msedge.exe  msedge.exe      2
  PID 2688 wrote to memory of 1616   2688  msedge.exe  msedge.exe      40
  PID 2688 wrote to memory of 1772   2688  msedge.exe  msedge.exe      2
  PID 2688 wrote to memory of 2372   2688  msedge.exe  msedge.exe      20
  (all 64 writes originate from the browser process 2688 and land in its own msedge.exe children)
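The raw WriteProcessMemory list above is 64 near-identical lines, which hides the only question that matters: does the writer ever touch a process that is not its own image? The script below is an added example (not part of this report or of the sandbox's tooling) that collapses such lines into (writer, target) pairs and flags cross-image writes. The sample input copies five lines from the report and adds one hypothetical line (a write into notepad.exe, PID 4444) that does not occur in the report, purely to exercise the flagging path.

```python
"""Collapse a sandbox 'WriteProcessMemory' IoC list (one line per call) into
(writer, target) pairs and flag writes that cross an image boundary."""
import re
from collections import Counter

# Constructed sample in the report's line layout:
#   "PID <src> wrote to memory of <dst> <src> <src image> <target image>"
# The first five lines are copied from the report above; the last line is a
# hypothetical cross-image write that does NOT occur in the report and is
# here only to exercise the flagging path.
SAMPLE_IOCS = """\
PID 2688 wrote to memory of 232 2688 msedge.exe msedge.exe
PID 2688 wrote to memory of 232 2688 msedge.exe msedge.exe
PID 2688 wrote to memory of 1616 2688 msedge.exe msedge.exe
PID 2688 wrote to memory of 1772 2688 msedge.exe msedge.exe
PID 2688 wrote to memory of 2372 2688 msedge.exe msedge.exe
PID 2688 wrote to memory of 4444 2688 msedge.exe notepad.exe
"""

IOC_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P<pid>\d+) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_iocs(text):
    """Return (src_pid, src_image, dst_pid, dst_image) tuples, one per call.
    Lines that do not match the layout are skipped rather than guessed at."""
    pairs = []
    for line in text.splitlines():
        m = IOC_RE.match(line.strip())
        if m is None:
            continue
        pairs.append((int(m["src"]), m["src_img"], int(m["dst"]), m["dst_img"]))
    return pairs


def summarize(pairs):
    """Count calls per (writer, target) pair; the report's 64 raw lines
    collapse to four rows this way."""
    return Counter(pairs)


def cross_image_writes(pairs):
    """Pairs whose target image differs from the writer's own image.
    A browser broker writing into its own child processes (msedge.exe ->
    msedge.exe) is the normal multi-process launch path; a write into a
    different image is the case worth escalating as possible injection."""
    return sorted({p for p in pairs if p[1].lower() != p[3].lower()})


if __name__ == "__main__":
    pairs = parse_iocs(SAMPLE_IOCS)
    for (src, src_img, dst, dst_img), n in sorted(summarize(pairs).items()):
        print(f"{src} {src_img} -> {dst} {dst_img}: {n} call(s)")
    print("cross-image:", cross_image_writes(pairs))
```

Run against the report's own 64 lines, `cross_image_writes` returns an empty list: every write is msedge.exe into msedge.exe, which is the point the flattened table obscures.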
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://sexyleakz.com/
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdf86346f8,0x7ffdf8634708,0x7ffdf8634718
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,12195273456262996046,15681643435240563028,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,12195273456262996046,15681643435240563028,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,12195273456262996046,15681643435240563028,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12195273456262996046,15681643435240563028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12195273456262996046,15681643435240563028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,12195273456262996046,15681643435240563028,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,12195273456262996046,15681643435240563028,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12195273456262996046,15681643435240563028,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12195273456262996046,15681643435240563028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12195273456262996046,15681643435240563028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12195273456262996046,15681643435240563028,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12195273456262996046,15681643435240563028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
Every entry is a file under the sandbox user's Edge profile (User Data) or the browser's Crashpad named pipe; nothing was written outside the browser profile.
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B)
  MD5     f4db60c9bb06ea5452df26771fa873ac
  SHA1    c118183a1315a285606f81da05fc19367a2cdfe1
  SHA256  f168242e74bfde18bacb9e18945a39bb447188eba916c7adf0f342ed8d82281e
  SHA512  180ed98f9d5a14a22687a099c4a0ba6b586610f7b8b4c8de89f3b91713b07a2ef3726fcd318cb4e270b1745213b898037d29cca4b490d0c91833b797d69ac406
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B)
  MD5     f5b0bf4edca2187f7715ddd49777a1b2
  SHA1    eb78099013d0894a11c48d496f48973585f0c7c0
  SHA256  562016f9159ef363fcbe62ed13ee26052b31d4f67dc5ea6d60864a7d5dfa50a1
  SHA512  1039b98cffd32ca4c9e37486b96e01b167d76b19dd8440a21da4932d677c463f4c5ce2260239e8337f59bd61ff3111905e23ab71d3ca5b20e7d2935fea7952c9
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index (192B)
  MD5     0c91e5b090c00175f996dc1b770a94fc
  SHA1    6ca31f8b5b541315436e43142d4e19239fddbacb
  SHA256  dd251a223a2616a62fa0b4ad5ff8cbc703685b31cae121bc7c1e6b83ddc8b2ef
  SHA512  0d22bce82928ab944f1f2c79004863e2a2d605e7324bda966d7ea8bf491dff0ddb8d596a8d26fe48d4f90d5adabb1e97cc5a2b7443c95428335775080654652a
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State (596B)
  MD5     3ced1ebd77b886713cf727d3ba4533d7
  SHA1    ed307322c20245afa1478015b0d6e30126c4d277
  SHA256  05e4b9d5391f7407a72993f4e3ddeee9f1f096d99d45b79eabd6809f68017509
  SHA512  1f808770c17a3f1b4d47bb4f193dcbfe5546e05964410cbf6bb0387cd49680e78be22e73f143c24acecabc17663aabe8029648d4a7ff3550693281ff88b6a568
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (6KB)
  MD5     f1d5612f88192adbc2b153a6af190ad6
  SHA1    bd6438f9b633367abb6ccdaf826cba706286c3de
  SHA256  26fd1124972c16f9bd0516ed5c6c6b8bed015fc953372cb5959a710eb27cd9e7
  SHA512  201d64b35db6e4a6be1f2340dd49172aa1cc73d3fc277141521e0b1354be6e79d2523ac2d0cc8245edad441a8fce59a8774f9ed6b2c5d16fe0e724c3829ff1ff
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (6KB)
  MD5     24d9557d9db28d011ea6ff9dd9cd2bfd
  SHA1    c27404b81dfbec1e07bb5d05b5ffe3e905ae3a49
  SHA256  d15580f4539a02f40bb98f659eb4d83c92065fc37d53716f3e77e877bd76607c
  SHA512  e0fc1a988cee1daef00e3be53e4dee3a36cc95454f91c23b1af0978a5d4f8e6ea46c8d5c8a4cd697c4915457605ab1f08ecb1b28222f973c74e4d905ce3595c0
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (6KB)
  MD5     0d800197e76aa04b1ac62a97bb1ea4ff
  SHA1    bf932114016407149f47b7892415ad8c6cf0e1b0
  SHA256  a7e88de25cb2a6c5c302766bc524d0f5fb66e78033944848e9934f9d6175d54f
  SHA512  a0b56082c012d808ba9f3c843cb3af210dac269cfc9e90531780c15983c81d19c069c56f614d822ee9c1faa1e3f7d547e45d0619cdd0c5e5d052f643e1730fac
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT (16B)
  MD5     6752a1d65b201c13b62ea44016eb221f
  SHA1    58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256  0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512  9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (11KB)
  MD5     7834d61ee0088890b94402f2ac09b383
  SHA1    620cd6b95989ae745b30da07580b5e2dd5b3595b
  SHA256  9e831466e6900ae772173d7dd10b86f44305a101f3be91a19a9fe9d40cc2cde2
  SHA512  3353af400e72c44d1ce0bb17b2af3935d42401b652396c1d315acd1df27284029799a2b136da2480d74bcdd1f1c388ab510a92e5ebb3c5a6fcfadee0303438eb
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (11KB)
  MD5     33e691eeaa1cf130c672cf0f0aa2c408
  SHA1    fb5a0a66d762d16dec0da0ce6ed3adcee64d1184
  SHA256  36d9a2aa7c33c61828e2a24dadd89ae1acdc79336d940359fb646b9b17503a7e
  SHA512  bab7c2121ce21708cf55028e3e4e830f3bb865fd53cb4ed49aebe69784f12f3398d2639d9b0813e72391e37c3242852f1c21221a3be495d6757fe5cda6604a8e
- \??\pipe\LOCAL\crashpad_2688_DJXLDFIHHJIXWWTW (no size recorded)
  MD5     d41d8cd98f00b204e9800998ecf8427e
  SHA1    da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  (this entry is a named pipe, not a file; all four values are the digests of zero-length input, so they identify nothing and should not be used as indicators)
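Hash lists like the one above get copied into blocklists and threat-intel feeds, and the crashpad pipe entry shows why that needs a sanity pass: its digests are those of empty input, so they would match every empty file on every host. The parser below is an added example (not part of this report or of the sandbox's tooling) that reads the flattened layout the report arrived in, checks each digest's length against its algorithm, and flags empty-input digests. The sample input is constructed from two entries of the report above.

```python
"""Parse a sandbox 'Downloads' artifact list in its flattened text layout and
flag records whose digests are malformed or are the digests of empty input."""
import hashlib
import re

# Digests of the empty byte string, computed here rather than hard-coded.
EMPTY_DIGESTS = {name: hashlib.new(name, b"").hexdigest()
                 for name in ("md5", "sha1", "sha256", "sha512")}
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# A hash line is the algorithm label fused to the hex value, e.g. "SHA1c118...".
LABEL_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9a-fA-F]+)$")

# Constructed sample in the report's own flattened layout: a path line with
# "Filesize" (or, when no size was recorded, the "MD5" label) fused to it,
# then one line per value, entries separated by a lone "-". Both entries and
# their hash values are copied from the report above.
SAMPLE = """\
C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Edge\\User Data\\Crashpad\\settings.datFilesize
152B
MD5f4db60c9bb06ea5452df26771fa873ac
SHA1c118183a1315a285606f81da05fc19367a2cdfe1
SHA256f168242e74bfde18bacb9e18945a39bb447188eba916c7adf0f342ed8d82281e
SHA512180ed98f9d5a14a22687a099c4a0ba6b586610f7b8b4c8de89f3b91713b07a2ef3726fcd318cb4e270b1745213b898037d29cca4b490d0c91833b797d69ac406
-
\\??\\pipe\\LOCAL\\crashpad_2688_DJXLDFIHHJIXWWTWMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""


def parse_downloads(text):
    """Return a list of {"path", "size", "hashes"} records from the flattened layout."""
    records = []
    for chunk in re.split(r"^-\s*$", text, flags=re.M):
        lines = [l for l in chunk.splitlines() if l.strip()]
        if not lines:
            continue
        rec = {"path": None, "size": None, "hashes": {}}
        first = lines.pop(0)
        if first.endswith("Filesize"):          # size recorded on the next line
            rec["path"] = first[:-len("Filesize")]
            rec["size"] = lines.pop(0)
        elif first.endswith("MD5"):             # no size: MD5 label fused to path
            rec["path"] = first[:-len("MD5")]
            rec["hashes"]["md5"] = lines.pop(0).lower()
        else:
            rec["path"] = first
        for line in lines:
            m = LABEL_RE.match(line)
            if m:
                rec["hashes"][m.group(1).lower()] = m.group(2).lower()
        records.append(rec)
    return records


def check_record(rec):
    """Findings for one record: wrong digest length, or digest of empty input."""
    findings = []
    for algo, hx in rec["hashes"].items():
        if len(hx) != HASH_LEN[algo]:
            findings.append(f"{algo}: bad length {len(hx)}")
        if hx == EMPTY_DIGESTS[algo]:
            findings.append(f"{algo}: digest of empty input")
    return findings


if __name__ == "__main__":
    for rec in parse_downloads(SAMPLE):
        print(rec["path"], rec["size"], check_record(rec) or "ok")
```

Records with an empty-input finding should be dropped before the list is turned into indicators; a length finding usually means a truncated copy-paste rather than a bad file.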