hxxps://lihssa[.]com/protection?memo=WTNwd2RHRT0sYzJWeWRtbG9ZV0pwZEdGMExtTnZiUT09LGMyRnFjbk09LGFuSnZaSEpwWjNWbGVnPT0=

Analysis

max time kernel
145s
max time network
141s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
28/02/2024, 11:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://lihssa.com/protection?memo=WTNwd2RHRT0sYzJWeWRtbG9ZV0pwZEdGMExtTnZiUT09LGMyRnFjbk09LGFuSnZaSEpwWjNWbGVnPT0=

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1116	msedge.exe
1116	msedge.exe
4080	msedge.exe
4080	msedge.exe
1664	msedge.exe
1664	msedge.exe
540	identity_helper.exe
540	identity_helper.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 4756	4080	msedge.exe	80
PID 4080 wrote to memory of 4756	4080	msedge.exe	80
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1068	4080	msedge.exe	82
PID 4080 wrote to memory of 1116	4080	msedge.exe	83
PID 4080 wrote to memory of 1116	4080	msedge.exe	83
PID 4080 wrote to memory of 2848	4080	msedge.exe	84
PID 4080 wrote to memory of 2848	4080	msedge.exe	84
PID 4080 wrote to memory of 2848	4080	msedge.exe	84
PID 4080 wrote to memory of 2848	4080	msedge.exe	84
PID 4080 wrote to memory of 2848	4080	msedge.exe	84
PID 4080 wrote to memory of 2848	4080	msedge.exe	84
PID 4080 wrote to memory of 2848	4080	msedge.exe	84
PID 4080 wrote to memory of 2848	4080	msedge.exe	84
PID 4080 wrote to memory of 2848	4080	msedge.exe	84
PID 4080 wrote to memory of 2848	4080	msedge.exe	84
PID 4080 wrote to memory of 2848	4080	msedge.exe	84
PID 4080 wrote to memory of 2848	4080	msedge.exe	84
PID 4080 wrote to memory of 2848	4080	msedge.exe	84
PID 4080 wrote to memory of 2848	4080	msedge.exe	84
PID 4080 wrote to memory of 2848	4080	msedge.exe	84
PID 4080 wrote to memory of 2848	4080	msedge.exe	84
PID 4080 wrote to memory of 2848	4080	msedge.exe	84
PID 4080 wrote to memory of 2848	4080	msedge.exe	84
PID 4080 wrote to memory of 2848	4080	msedge.exe	84
PID 4080 wrote to memory of 2848	4080	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://lihssa.com/protection?memo=WTNwd2RHRT0sYzJWeWRtbG9ZV0pwZEdGMExtTnZiUT09LGMyRnFjbk09LGFuSnZaSEpwWjNWbGVnPT0=
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd37d3cb8,0x7fffd37d3cc8,0x7fffd37d3cd8
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1716,2171416555323067536,17125462166980789915,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1796 /prefetch:2
  2⤵
  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1716,2171416555323067536,17125462166980789915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1716,2171416555323067536,17125462166980789915,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
  2⤵
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,2171416555323067536,17125462166980789915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,2171416555323067536,17125462166980789915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1716,2171416555323067536,17125462166980789915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,2171416555323067536,17125462166980789915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,2171416555323067536,17125462166980789915,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1716,2171416555323067536,17125462166980789915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5868 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,2171416555323067536,17125462166980789915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,2171416555323067536,17125462166980789915,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1716,2171416555323067536,17125462166980789915,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5952 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c65e704fc47bc3d9d2c45a244bb74d76

SHA1
3e7917feebea866e0909e089e0b976b4a0947a6e

SHA256
2e5d6a5eeb72575f974d5fa3cdff7ad4d87a361399ffdd4b03f93cdbdec3a110

SHA512
36c3be0e5fbc23c5c0ad2e14cfb1cf7913bea9a5aeb83f9f6fcf5dbc52a94d8ccb370cef723b0cda82b5fba1941b6a9ff57f77ff0076a2c5cf4250711e3dd909

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5c3ea95e17becd26086dd59ba83b8e84

SHA1
7943b2a84dcf26240afc77459ffaaf269bfef29f

SHA256
a241c88bb86182b5998d9818e6e054d29b201b53f4f1a6b9b2ee8ba22dd238dc

SHA512
64c905e923298528783dc64450c96390dc5edbda51f553c04d88ee944b0c660b05392dc0c823d7fb47f604b04061390b285f982dfcc767c8168ccb00d7e94e21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
178B

MD5
cd7141505af1bf2371a812564bae0c46

SHA1
c301deb52a1e873b23bd56d902a953d492c57b40

SHA256
14b38117c8911f4adb10c55d89c43c570bb0b8ba0bafbae3c3036e10e1a05454

SHA512
fe9f50250bbdc5a62446854e82796c39b55ec35cfb0e1011f61c6d2bc041748115a7e7e01ff06b1e8ae19f7769d5bd3932f8ef7bf7e04da066c6d6a096bf56c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
12a598fa255352a751dbdf64f090fe2b

SHA1
8af56449fc32b2aafcf3d1006100b26a541c2d80

SHA256
ae9120540246544df34b29dd093a07cbe66cb1b3cf408a05ca052a2f890057cc

SHA512
73f36f55f52f940a69dcd227d8404782f7485590c66c2f0f97bc2ac4d988340f516a789c6c45a2183d8ecf2aa50e8d76747e26462b1ebf3ed45f50ff2001b2bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0ec79f7f64b08bf4fbb9cd874a8a4c96

SHA1
6fea8022a2404be911277dd99e1189b5a82c4986

SHA256
830b12795c5a150536d21d5493469474a11a16caa7d6594343f8f1360b4109ed

SHA512
f1b4dc21894b14097816b7e07dac46ff8d329e9b0a1edb6caecb67c43833fb70561d0a521b7e23744660a1b8147c06c30f456c474cd1f9ddba331a80abd83588

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e59ba5676ff7e8c329e8118033e9fd6e

SHA1
63edc29b362a18aa7817ae96d6fcaa500d6b75de

SHA256
14031c3f8b674715e63826c27a00c6b059b46abc9f5b347b756cf20ca7221edc

SHA512
c70bd7a667df729e4646508ecb57d6965bbdf20e46255874f13254e4dc2452ca8d591748bf0812b2924b7948859fdbd98636d1b42161603583cabf6b77e9396d

Download Submit