Analysis
-
max time kernel
65s -
max time network
75s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system -
submitted
23-02-2024 02:10
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://envs.sh/QOG
Resource
win10v2004-20240221-en
General
-
Target
https://envs.sh/QOG
Malware Config
Signatures
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
msedge.exemsedge.exeidentity_helper.exepid process 3732 msedge.exe 3732 msedge.exe 4012 msedge.exe 4012 msedge.exe 4784 identity_helper.exe 4784 identity_helper.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes:
msedge.exepid process 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
Processes:
msedge.exepid process 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
msedge.exepid process 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe 4012 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid process target process PID 4012 wrote to memory of 4020 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4020 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4680 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 3732 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 3732 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4268 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4268 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4268 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4268 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4268 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4268 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4268 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4268 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4268 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4268 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4268 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4268 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4268 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4268 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4268 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4268 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4268 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4268 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4268 4012 msedge.exe msedge.exe PID 4012 wrote to memory of 4268 4012 msedge.exe msedge.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://envs.sh/QOG1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4012 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb621946f8,0x7ffb62194708,0x7ffb621947182⤵PID:4020
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,12582499013144227519,10546400235301243242,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:22⤵PID:4680
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,12582499013144227519,10546400235301243242,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:3732 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,12582499013144227519,10546400235301243242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:82⤵PID:4268
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12582499013144227519,10546400235301243242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:12⤵PID:1452
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12582499013144227519,10546400235301243242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:12⤵PID:4480
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12582499013144227519,10546400235301243242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:12⤵PID:1200
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,12582499013144227519,10546400235301243242,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:82⤵PID:3580
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,12582499013144227519,10546400235301243242,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4784 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12582499013144227519,10546400235301243242,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:12⤵PID:3592
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12582499013144227519,10546400235301243242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:12⤵PID:828
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12582499013144227519,10546400235301243242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:12⤵PID:4780
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12582499013144227519,10546400235301243242,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:12⤵PID:2556
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4084
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4408
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD53bde7b7b0c0c9c66bdd8e3f712bd71eb
SHA1266bd462e249f029df05311255a15c8f42719acc
SHA2562ccd4a1b56206faa8f6482ce7841636e7bb2192f4cf5258d47e209953a77a01a
SHA5125fab7a83d86d65e7c369848c5a7d375d9ad132246b57653242c7c7d960123a50257c9e8c4c9a8f22ee861fce357b018236ac877b96c03990a88de4ddb9822818
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD59cafa4c8eee7ab605ab279aafd19cc14
SHA1e362e5d37d1a79e7b4a8642b068934e4571a55f1
SHA256d0817f51aa2fb8c3cae18605dbfd6ec21a6ff3f953171e7ac064648ffdee1166
SHA512eefd65ffcfb98ac8c3738eb2b3f4933d5bc5b992a1d465b8424903c8f74382ec2c95074290ddbb1001204843bfef59a32b868808a6bee4bc41ee9571515bbac6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
288B
MD5bfd0ca3400e4dda2ac24063469f46a69
SHA1f1d9be3da53bedce85aee9f4210159367b8d8d07
SHA25636b3f0e0224d2add036a22e2bab97608a30a49c7a9d60f4a9c48bff6c78d57ea
SHA512e11810d77c2518693d8e735761daf8870840844ce35df78eba9c71914be11f24e664dc5e4e28b4e2702db18d947dd5477e8c73114591f8a0725de1685a64f56e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
216B
MD531523c7d6f3636af0ebe8da9fc65266e
SHA1d2f9605aba6d7d94dc591ecabda921e677a026e7
SHA256b0ce0024fcd82ef376a08562cf3d4ef68af240c4c01ab92790314b38b98134b2
SHA512c157c01bc84e9f7aa20814de107b6e1a628ccf0a6ec9ab1adce40309fc732d5a061d1f078710ea04c03030d2fb6f108a36610dad6ffcd53acbf6e5d40fa8f98e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD54c466b854c51926d127ca5d8973d75bd
SHA136868489d01e33070fe5dc9202643d152f612dc0
SHA25684aa38bf82cffbc3303990c88d338cf444d0e653491f1acb8782d59d80ee2ac8
SHA512f6e524ccf4557f74d5a01b61ae3c5244b72dabf152ac34fd30f613861e5edfa703371dbb08a98e7defedf8b2aded12da1c8d883609fc6570b57f1b6cf5e59714
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD57ad571ca2d0adb11e6371b5563e35b3c
SHA18d5081282baae751796323751cde0838cc6b8332
SHA256088a9628f7e4122bb455b6ae9739422c54435f7f4b23647ae09f81ed8ad6f78a
SHA5120528cc78d95b787ce12784cce8c703a2f781efbfdc7eb49dc1bec7ff3c2bfbf4c52e3d8116eac1e96127a3e59fbcf92e4a72942cfd9d62f6eecf9d65d7f57252
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5445f8447b9bb3e54241719538bc6a331
SHA16bfb638742db4cf56c29e6e9d279ed7e24928e03
SHA256bdcb9ae1762415b0f6edad4e9d500fff2018d4b355a7e88244b9d2f6ac04ab4d
SHA512502fe09776f14f72b5426ee037bd6ad7102332a1c1060db62e8b5db857c0e784368bec1d3dfccd207b8bcacab1225d9d46c521a34139ed741c036a694ca35e31
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD56a1d1ec4ad1a8cd4d2e32727dd16a986
SHA1af235e7d54dd51b5e2d6f850601a2b1909872c24
SHA25698537a9bf8c3a6ebdf24437c79bb1781f436f56659ee0c16165825529a063cf2
SHA5127074600e05e4ae7afbeeacd629ae7e0bc5e1097ac0e4eec3e9556fa0dc2792c5a2dd52334d403d1c5103e4c4ac800c9e3d9f4680c300f92f5a2146af8024adbb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dicFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84