hxxps://qptr[.]ru/PoaN

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://qptr.ru/PoaN

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3464	msedge.exe
3464	msedge.exe
4856	msedge.exe
4856	msedge.exe
3452	identity_helper.exe
3452	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 4380	4856	msedge.exe	58
PID 4856 wrote to memory of 4380	4856	msedge.exe	58
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 4536	4856	msedge.exe	89
PID 4856 wrote to memory of 3464	4856	msedge.exe	88
PID 4856 wrote to memory of 3464	4856	msedge.exe	88
PID 4856 wrote to memory of 4160	4856	msedge.exe	87
PID 4856 wrote to memory of 4160	4856	msedge.exe	87
PID 4856 wrote to memory of 4160	4856	msedge.exe	87
PID 4856 wrote to memory of 4160	4856	msedge.exe	87
PID 4856 wrote to memory of 4160	4856	msedge.exe	87
PID 4856 wrote to memory of 4160	4856	msedge.exe	87
PID 4856 wrote to memory of 4160	4856	msedge.exe	87
PID 4856 wrote to memory of 4160	4856	msedge.exe	87
PID 4856 wrote to memory of 4160	4856	msedge.exe	87
PID 4856 wrote to memory of 4160	4856	msedge.exe	87
PID 4856 wrote to memory of 4160	4856	msedge.exe	87
PID 4856 wrote to memory of 4160	4856	msedge.exe	87
PID 4856 wrote to memory of 4160	4856	msedge.exe	87
PID 4856 wrote to memory of 4160	4856	msedge.exe	87
PID 4856 wrote to memory of 4160	4856	msedge.exe	87
PID 4856 wrote to memory of 4160	4856	msedge.exe	87
PID 4856 wrote to memory of 4160	4856	msedge.exe	87
PID 4856 wrote to memory of 4160	4856	msedge.exe	87
PID 4856 wrote to memory of 4160	4856	msedge.exe	87
PID 4856 wrote to memory of 4160	4856	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://qptr.ru/PoaN
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb9b6646f8,0x7ffb9b664708,0x7ffb9b664718
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,18414588129253570429,10763342920236128785,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  PID:4160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,18414588129253570429,10763342920236128785,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,18414588129253570429,10763342920236128785,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,18414588129253570429,10763342920236128785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,18414588129253570429,10763342920236128785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,18414588129253570429,10763342920236128785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,18414588129253570429,10763342920236128785,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
  2⤵
  PID:1228
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,18414588129253570429,10763342920236128785,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,18414588129253570429,10763342920236128785,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,18414588129253570429,10763342920236128785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:3460

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d62cefeb0c8fbab806b3b96c7b215c16

SHA1
dc36684019f7ac8a632f5401cc3bedd482526ed7

SHA256
752b0793cf152e9ea51b8a2dc1d7e622c1c1009677d8f29e8b88d3aa9427dd01

SHA512
9fc3968fec094be5ca10a0d927cb829f7f8157425946ebd99a346b7e63c977cb3f37560af1a4bc8f87ab19b43b3ed86fd5b37f89d1a9b2dc86e3c73142c3065b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7ee1c6757da82ca0a9ae699227f619bc

SHA1
72dcf8262c6400dcbb5228afcb36795ae1b8001f

SHA256
62320bde5e037d4ac1aa0f5ff0314b661f13bb56c02432814bffb0bd6e34ed31

SHA512
dca56a99b7463eddf0af3656a4f7d0177a43116f401a6de9f56e5c40a49676cea5c38b6c458f426c6bff11165eec21104cfa9ca3e38af39d43188b36d3f22a0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
176e7814c18b80b620b25ee32ba0551b

SHA1
87803f1922135222b8a5f859e202e7a530d66e85

SHA256
40bf1e01d00d842edb0465c9c27fbab5d83d203a5c862bb714b3c80c7a27ef88

SHA512
b40ffce5511d807f1989ddd804477f2be563af235cb7d8c119c9582ea48737d695d6c5d582fb502d352fbff525691aad8f80609ce5fb1488fef4121dbc37af7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
853B

MD5
fb1465d101e33209ca980572ab42ad1c

SHA1
86b5511f1514caaba9a7ec89342f22eaa41dd857

SHA256
2bca82f2b74e4ae22d2c15c3683af3e1e94e28f8a7837b7121ec792743113680

SHA512
091a2509ec5d1a4ebf053aacc96922d5a78358092aaacd3d4a1fba9827a1fbac9a7ead19ded867dd1ce85a8bc5300b3531c8ed7bccab4678244f46f01b3a844f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
758fe54505b479861e0a30905a36e52e

SHA1
a5b8c9a13c3f17a72e8bd0ebc369257401d4a963

SHA256
118c5017a428a4127089bdeec4df68542cc29c6a9720b269effb11967761ea95

SHA512
db7a4d59092b4449759f8bbd7ed53b0eafb58503047ddfbd1a683a2697f81f828db99082a249aa74b7872dcc3345e0909dcee006190191d2eec627342e7a3a02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
44548be26df49c6c72143faf7d244c27

SHA1
4b11408a637899e52395a4d3bb6969fbfa760358

SHA256
2e863c379b28183152bd99cce9af60e158a470bd0781786c3f26623c40d06596

SHA512
7136c28dd7a9a005d4ed98cba1015f218630664babd1f49e30b6547b9b2d93b8fbbf688d3594cfe0ecb7abee2d16a11310c1f15397e969a520f9440a21c752c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cc72fe793c8bfe13c696d0d9d41bb75f

SHA1
80a9763e6412ca11b7e4d3f24f6a33f5c949377f

SHA256
60fb046253a2bb52c629fcc8c801f08f591e2c92eb9b0418ba03fddf361c54a0

SHA512
b2c989073d49087f0ff11b10b29ddf36fe73a06bf293b9e0fd01a8c4bfdddb439d6adc4c24ae58dff717bc5f90e26e28df0ab1a45b2c2dd4f5b0f7d7b94039d2

Download Submit