hxxps://cdn-discordapp-com-attachments-png[.]vercel[.]app/api/1150 32488403195089812009140610308505808jthWYF[.]pngex=65c7e9 608is-65b57460&hm=cb2e0fe2bf22fce7667694c8345607a008ce 37de7eef62da8e18dfe3352082818

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
23-02-2024 11:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn-discordapp-com-attachments-png.vercel.app/api/1150 32488403195089812009140610308505808jthWYF.pngex=65c7e9 608is-65b57460&hm=cb2e0fe2bf22fce7667694c8345607a008ce 37de7eef62da8e18dfe3352082818

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2216	msedge.exe
2216	msedge.exe
1928	msedge.exe
1928	msedge.exe
3892	identity_helper.exe
3892	identity_helper.exe
388	msedge.exe
388	msedge.exe
388	msedge.exe
388	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 5072	1928	msedge.exe	53
PID 1928 wrote to memory of 5072	1928	msedge.exe	53
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 3616	1928	msedge.exe	87
PID 1928 wrote to memory of 2216	1928	msedge.exe	85
PID 1928 wrote to memory of 2216	1928	msedge.exe	85
PID 1928 wrote to memory of 316	1928	msedge.exe	86
PID 1928 wrote to memory of 316	1928	msedge.exe	86
PID 1928 wrote to memory of 316	1928	msedge.exe	86
PID 1928 wrote to memory of 316	1928	msedge.exe	86
PID 1928 wrote to memory of 316	1928	msedge.exe	86
PID 1928 wrote to memory of 316	1928	msedge.exe	86
PID 1928 wrote to memory of 316	1928	msedge.exe	86
PID 1928 wrote to memory of 316	1928	msedge.exe	86
PID 1928 wrote to memory of 316	1928	msedge.exe	86
PID 1928 wrote to memory of 316	1928	msedge.exe	86
PID 1928 wrote to memory of 316	1928	msedge.exe	86
PID 1928 wrote to memory of 316	1928	msedge.exe	86
PID 1928 wrote to memory of 316	1928	msedge.exe	86
PID 1928 wrote to memory of 316	1928	msedge.exe	86
PID 1928 wrote to memory of 316	1928	msedge.exe	86
PID 1928 wrote to memory of 316	1928	msedge.exe	86
PID 1928 wrote to memory of 316	1928	msedge.exe	86
PID 1928 wrote to memory of 316	1928	msedge.exe	86
PID 1928 wrote to memory of 316	1928	msedge.exe	86
PID 1928 wrote to memory of 316	1928	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn-discordapp-com-attachments-png.vercel.app/api/1150 32488403195089812009140610308505808jthWYF.pngex=65c7e9 608is-65b57460&hm=cb2e0fe2bf22fce7667694c8345607a008ce 37de7eef62da8e18dfe3352082818
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99bed46f8,0x7ff99bed4708,0x7ff99bed4718
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,2908590975032864757,11606304678151159598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,2908590975032864757,11606304678151159598,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
  2⤵
  PID:316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,2908590975032864757,11606304678151159598,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
  2⤵
  PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,2908590975032864757,11606304678151159598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,2908590975032864757,11606304678151159598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:216
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,2908590975032864757,11606304678151159598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,2908590975032864757,11606304678151159598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,2908590975032864757,11606304678151159598,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,2908590975032864757,11606304678151159598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,2908590975032864757,11606304678151159598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,2908590975032864757,11606304678151159598,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,2908590975032864757,11606304678151159598,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5020 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a65ab4f620efd5ba6c5e3cba8713e711

SHA1
f79ff4397a980106300bb447ab9cd764af47db08

SHA256
3964e81a3b4b582e570836837b90a0539e820886a35281b416e428e9bf25fd76

SHA512
90330661b0f38ca44d6bd13a7ea2ab08a4065ec4801695e5e7e0dea154b13ac8d9b2737e36ebe9a314d2501b5ef498d03c5617c87e36986e294c701182db41b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
854f73d7b3f85bf181d2f2002afd17db

SHA1
53e5e04c78d1b81b5e6c400ce226e6be25e0dea8

SHA256
54c176976e1c56f13af90be9b8b678f17f36a943210a30274be6a777cf9a8dc4

SHA512
de14899cfaad4c312804a7fe4dcb3e9221f430088cb8bf5a9b941ac392a0bbad4e6ca974e258e34617bbffff3bf6490fa90d8c6921616f44186e267ddaa02971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
213B

MD5
6f24bf323e31a37c8da603c7ee665b7c

SHA1
40afe15de672ae832f42e1bdd8afcf1d95570050

SHA256
7b41fd4c954253e0200060c3798e53a82f444a801db28ec40c4d7ef215461347

SHA512
3ce93edc911dfed70d74531f9c54e1b8eacd41b0375c403724e492026db5bc27b5180b609dbaf5804da05fdd58bed1f8c08aeae9d16eebf0083a21bd22248e13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
acb63d1d744cad72b4265861013f67dd

SHA1
fbaea6c7442cd8397ed4390868808f3869d24d5c

SHA256
b5d30e6951ac1bd1a0161d3696b6c485248a81cad939da230728b0bbbfe00d4f

SHA512
9ef07a1862862f0fcfc7ca149a94caf7326796df74e7f1f99fe2820d6c0b89cc45e4420dc0f1900e71bdf9423fd373026405b8aec7c4553f88dfce3e1d0e5271

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e92c8b33d35907d6ca35b34f843b6362

SHA1
1b3ad0c32e8b459feb027a903d955030e6719935

SHA256
9cdd3a11ab3d7d9ba3231953e843ab6384048c1be3d8d3c056416ff617f6847a

SHA512
0f56025dde7c7bf259b151408eec6d04fa64a78c9dc460c0eee0c4000abce2c83693d47b70a6a127c77a436be5874b4174dacd62a66d10f4fb343d4ee1e5560d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fcee42316866552a4d74356352fc3c04

SHA1
1e74b209d4cd62c23b1bda75e4af209e944cf9be

SHA256
1e8e88298855f206e6fd45f785bca57017476f3441dde725fc626043bd7ac0a3

SHA512
68cc410062e6bbd6befe10193d05af3bdca45b3ae06cb9a3dc2365a2d5d22debaef18161a7c3c994679666f8e1d8b38d2328ad4be805dc95294753b40426782b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
203B

MD5
1604534ab0c511988f6e89a81ec084ba

SHA1
29849d4fb2243f0cfb03dfc33e3a326e50bbd8f6

SHA256
13d1b82939e1bab23e192d9bc44fee716acb0fc4c2443642bee2adabd3fecfb9

SHA512
bd039d985de408473edca08ff3426d4f650db548c2f4009ea606d70a5a8f23700eeb2eed304acb398a99198773d071c019b6a788c58c456ab875957ca5ba9ba4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d61c.TMP

Filesize
203B

MD5
a69760ac942ed9f9664c1fbd66a19c4c

SHA1
0a92d5582bb5f3d367f731d7539b8b892fa6b437

SHA256
2ef0e00a84d69d90d2e9200488bb855e7501ddedc687e14b6f9c4dfbfdf06aa2

SHA512
d20c472e25bb63b4d050f95821110ce5076e8bf6ef635bd2d237d967f68b48b899e74a2355ed091edf74859618dea4b55d522934c6ce2ad016d975023e8697f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1ee13ca6b55a7935cae524c91a26ac74

SHA1
47073ada0dfe25218d7bce1b9b2812065d7500a3

SHA256
79eb9e00d97d7d73eb2f97063a10d0b79d34bf284a10a202f8fa9a2ddf95211d

SHA512
a30bc581c0ec8963280833caf6cdd0036e0b1e010b023733097c862518e562eddf62f8f4f9f8550c1340240d0c41d3355cebc1a1c254209e8cb3616b3e46e4b6

Download Submit