hxxps://github[.]com/enginestein/Virus-Collection

Resubmissions

23/02/2024, 09:30

240223-lgpt4aef92 1

23/02/2024, 09:26

240223-lekglaeb31 1

23/02/2024, 09:18

240223-k9y3sseb2v 10

Analysis

max time kernel
1800s
max time network
1684s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
23/02/2024, 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/enginestein/Virus-Collection

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3424	msedge.exe
3424	msedge.exe
5080	msedge.exe
5080	msedge.exe
4568	identity_helper.exe
4568	identity_helper.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 1176	5080	msedge.exe	32
PID 5080 wrote to memory of 1176	5080	msedge.exe	32
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 5088	5080	msedge.exe	88
PID 5080 wrote to memory of 3424	5080	msedge.exe	87
PID 5080 wrote to memory of 3424	5080	msedge.exe	87
PID 5080 wrote to memory of 1840	5080	msedge.exe	89
PID 5080 wrote to memory of 1840	5080	msedge.exe	89
PID 5080 wrote to memory of 1840	5080	msedge.exe	89
PID 5080 wrote to memory of 1840	5080	msedge.exe	89
PID 5080 wrote to memory of 1840	5080	msedge.exe	89
PID 5080 wrote to memory of 1840	5080	msedge.exe	89
PID 5080 wrote to memory of 1840	5080	msedge.exe	89
PID 5080 wrote to memory of 1840	5080	msedge.exe	89
PID 5080 wrote to memory of 1840	5080	msedge.exe	89
PID 5080 wrote to memory of 1840	5080	msedge.exe	89
PID 5080 wrote to memory of 1840	5080	msedge.exe	89
PID 5080 wrote to memory of 1840	5080	msedge.exe	89
PID 5080 wrote to memory of 1840	5080	msedge.exe	89
PID 5080 wrote to memory of 1840	5080	msedge.exe	89
PID 5080 wrote to memory of 1840	5080	msedge.exe	89
PID 5080 wrote to memory of 1840	5080	msedge.exe	89
PID 5080 wrote to memory of 1840	5080	msedge.exe	89
PID 5080 wrote to memory of 1840	5080	msedge.exe	89
PID 5080 wrote to memory of 1840	5080	msedge.exe	89
PID 5080 wrote to memory of 1840	5080	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/enginestein/Virus-Collection
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffc1c4f46f8,0x7ffc1c4f4708,0x7ffc1c4f4718
  2⤵
  PID:1176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,13752304064240027946,2085890437544830136,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,13752304064240027946,2085890437544830136,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,13752304064240027946,2085890437544830136,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,13752304064240027946,2085890437544830136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,13752304064240027946,2085890437544830136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,13752304064240027946,2085890437544830136,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,13752304064240027946,2085890437544830136,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,13752304064240027946,2085890437544830136,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
  2⤵
  PID:64
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,13752304064240027946,2085890437544830136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,13752304064240027946,2085890437544830136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,13752304064240027946,2085890437544830136,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,13752304064240027946,2085890437544830136,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2624 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e189354a800c436e6cec7c07e6c0feea

SHA1
5c84fbda33c9276736ff3cb01d30ff34b032f781

SHA256
826adca1e688de79a3ec5b91c75990927fb2a33ae717f474608c68336053f427

SHA512
ceb069a5e83a634503e253846fa17b8bf7aaa539c3353ce61251633d69068e24c5eadd1b496f43058790d2b513e65d2c0b0213730813d0b58bb82a00596e05e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9e3e150cfe464e9ebf0a6db1aa5e7a2

SHA1
3cb184e2781c07ac000661bf82e3857a83601813

SHA256
2325a6292907263d1fb089a09f22fbcc6bad56f4961d427efdef1abaef097bcc

SHA512
f5eb1e76eb9441cf5000d8d4db9296077b61714ead5012779c084b37f4bba07614055738f5dce69b13b25975d9b7c03eab049b7685eee09b23fd8d4a7d71a039

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3f57e7177bb9731e5c742ba02494fdef

SHA1
a619f85ee79dc73cbacc20860d7fa51c853cd8c7

SHA256
8c038e9468fb5c86d71540b6e8bdc525251903fb353940b358e3e6fa47e873a3

SHA512
b113992c1440e65bacba2cff9010103214ab3f468475531efb0e0acbf7ca39a8dfcf4f1c138f3c3dfaba4538ee1ed280ccf1a1a1a1691d366a8d45ca3018168f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
c492bad59bb1c0823974b1b57d99f25c

SHA1
033c7fe77e62a181c0ffcf0763aeeadfecc652a7

SHA256
7b53ba9fc9c102c58b3a5c42a499e13e0f5d3ea2622c4e6a479cfe59503b8355

SHA512
1bcf8cba715ac399b4f5e9129606b07d2ed79b561310e179af9be314a4ebafea6ea0e28c30dc4383dccaff76cfc85471d2ba7b49e58aa86dfea304b1f3d34e0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ce1636be0e1f90be8cdf235869edc1a9

SHA1
3b1b0fa02a98e603413b0228e75cb8d7b30d5d08

SHA256
ef2061289524fe5690b1322fedb1e2b8af01fe3c6c8acef8ebc62e8f42d6f394

SHA512
292f4b0341c553903940ca5bafc4b9d29492863b2103c972f0308aae2c1f1d43c5a49f973b26817392a1fd53fcd4c2986b20043140e0b6f299e3d6d937934795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ed4f70b58e940f5f416454a40eee405e

SHA1
0afd4b7ed7b0fc381baa647c0d3457b37a56b4a4

SHA256
3c8d9223b04a29b124e3aee9d33b139cca7ea6cb97d8d9dc86447ca45a1e83f8

SHA512
3096c14935be650546de62bf96715bf3e5fa395ee26528190cde4a1271d9852e123a4f444af1e00736f64c402a3f144e09a59740b17036ee9d4a903a73304f60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3260b6815e90f9bc5d48f92085a8abe7

SHA1
95349774418265d2af167eff126891c17bc3ab1f

SHA256
ece87c83a49e99990a3420528ddcf820f0075a4d4cacb416c7d1155de069a3a0

SHA512
739c1fc62975992fd529da8bc697beeb4d114ced6fede6d99f2253f686501ee318eccf0d8ef6a3f54fee762965b4cc97e2a15d08c46ccb389ea275de0c8a4ba1

Download Submit