hxxps://70games[.]net/thread-42720[.]htm

Analysis

max time kernel
148s
max time network
154s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
26/02/2024, 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://70games.net/thread-42720.htm

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4900	msedge.exe
4900	msedge.exe
2316	msedge.exe
2316	msedge.exe
4280	identity_helper.exe
4280	identity_helper.exe
2740	msedge.exe
2740	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 4676	2316	msedge.exe	78
PID 2316 wrote to memory of 4676	2316	msedge.exe	78
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 240	2316	msedge.exe	81
PID 2316 wrote to memory of 4900	2316	msedge.exe	79
PID 2316 wrote to memory of 4900	2316	msedge.exe	79
PID 2316 wrote to memory of 4132	2316	msedge.exe	80
PID 2316 wrote to memory of 4132	2316	msedge.exe	80
PID 2316 wrote to memory of 4132	2316	msedge.exe	80
PID 2316 wrote to memory of 4132	2316	msedge.exe	80
PID 2316 wrote to memory of 4132	2316	msedge.exe	80
PID 2316 wrote to memory of 4132	2316	msedge.exe	80
PID 2316 wrote to memory of 4132	2316	msedge.exe	80
PID 2316 wrote to memory of 4132	2316	msedge.exe	80
PID 2316 wrote to memory of 4132	2316	msedge.exe	80
PID 2316 wrote to memory of 4132	2316	msedge.exe	80
PID 2316 wrote to memory of 4132	2316	msedge.exe	80
PID 2316 wrote to memory of 4132	2316	msedge.exe	80
PID 2316 wrote to memory of 4132	2316	msedge.exe	80
PID 2316 wrote to memory of 4132	2316	msedge.exe	80
PID 2316 wrote to memory of 4132	2316	msedge.exe	80
PID 2316 wrote to memory of 4132	2316	msedge.exe	80
PID 2316 wrote to memory of 4132	2316	msedge.exe	80
PID 2316 wrote to memory of 4132	2316	msedge.exe	80
PID 2316 wrote to memory of 4132	2316	msedge.exe	80
PID 2316 wrote to memory of 4132	2316	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://70games.net/thread-42720.htm
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff9b8b3cb8,0x7fff9b8b3cc8,0x7fff9b8b3cd8
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,1480340594184140097,12759127843493049529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,1480340594184140097,12759127843493049529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2508 /prefetch:8
  2⤵
  PID:4132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,1480340594184140097,12759127843493049529,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  PID:240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,1480340594184140097,12759127843493049529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:2548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,1480340594184140097,12759127843493049529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:3008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,1480340594184140097,12759127843493049529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,1480340594184140097,12759127843493049529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5868 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,1480340594184140097,12759127843493049529,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,1480340594184140097,12759127843493049529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,1480340594184140097,12759127843493049529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,1480340594184140097,12759127843493049529,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1928,1480340594184140097,12759127843493049529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,1480340594184140097,12759127843493049529,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2676 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4580

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a91469041c09ba8e6c92487f02ca8040

SHA1
7207eded6577ec8dc3962cd5c3b093d194317ea1

SHA256
0fef2b2f8cd3ef7aca4d2480c0a65ed4c2456f7033267aa41df7124061c7d28f

SHA512
b620a381ff679ef45ae7ff8899c59b9e5f1c1a4bdcab1af54af2ea410025ed6bdab9272cc342ac3cb18913bc6f7f8156c95e0e0615219d1981a68922ce34230f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
601fbcb77ed9464402ad83ed36803fd1

SHA1
9a34f45553356ec48b03c4d2b2aa089b44c6532d

SHA256
09d069799186ae736e216ab7e4ecdd980c6b202121b47636f2d0dd0dd4cc9e15

SHA512
c1cb610c25effb19b1c69ddca07f470e785fd329ad4adda90fbccaec180f1cf0be796e5628a30d0af256f5c3dc81d2331603cf8269f038c33b20dbf788406220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
7e171079ba567ec04a3e64ef036ee5d9

SHA1
aa4965bc4d07d994968b7f8d9edab8511012b989

SHA256
17967e87904e7df5fc0d08e57314daff898777bb1b706a4d55e27a4811a451d0

SHA512
03358998672152c612d401c80561a43b8f55d962ce1fe1efff89b42ee413f0c0c05465640dbbb0649a45e0927bffca3927ff6baf9f70c25f9a3a16169eb5cfb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
d3149ac8ace33a3edac4c0c4f1ccaa66

SHA1
9cd4f4577fe91c420a16e5009264dc32d5fb66f7

SHA256
86e908a906f77d2bc81fd8138fb24a194c09d774d7e1d6b81a8ee3df92db1efb

SHA512
e769821fe604e545dddc8a841c703aa41994bc8a6fb2b154febbac825cf409189b017bd78ba92291bd77e17521e2f18691bbaa7e29ffe815e9f87afe0a7eafa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c8b158a9f956ccb30248c65024c49f7c

SHA1
13117a4a5740efc85bc99d2e0f6b02631489d38e

SHA256
43170451d571a2131b2dbad9cb14d4e6a6a697cf5ba46d25024a15bd1fb021e1

SHA512
6b00ef738aae9d6c81f25095169fdd5685c0e43ceb486d567938389149c1fd1fbf676c73e795b3d421989035502515144d524d58b29a717ea026c38df198a850

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2eb3c0f0dae8805e85d11dcb76de2e4b

SHA1
3dcf3b173355626f677d385e6ed9b591a0903974

SHA256
53ed4466e8975955e61f912c7f6ac221477c9870b0f84c223c1ceb9993ea5024

SHA512
5b7c40aed2423817e4a58ce5589a964854fbc97972e52350493cefc4d45d949642a5303a7c99ad3485aa7e7373ef475bed32c0c5bb3bee36e298b92970a4a259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f2adee8f8c205cc751e877e2e7e430e5

SHA1
5f4cb2a7736f950b0a14558151c8e5721cab8fa6

SHA256
fdfcd4d685f7b20fc60fbf7cea310553cadfb23077f6b1c0e440b7b65c30d8b8

SHA512
a52665f4a659fd467acb3b34d8893c3b0580d26acb91cbf4bc1af2468f611d77991483cc28d2e3adbb705542c5aa9e946957b276d6fdaaee49e16448bc86f7bd

Download Submit