hxxps://envs[.]sh/hEF

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-03-2024 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://envs.sh/hEF

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
2888	msedge.exe
2888	msedge.exe
5092	msedge.exe
5092	msedge.exe
3588	identity_helper.exe
3588	identity_helper.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

2888 msedge.exe
2888 msedge.exe
2888 msedge.exe
2888 msedge.exe
2888 msedge.exe
2888 msedge.exe
2888 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2888 wrote to memory of 2404	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 2404	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 536	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 5092	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 5092	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 2096	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 2096	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 2096	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 2096	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 2096	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 2096	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 2096	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 2096	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 2096	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 2096	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 2096	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 2096	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 2096	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 2096	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 2096	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 2096	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 2096	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 2096	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 2096	2888	msedge.exe	msedge.exe
PID 2888 wrote to memory of 2096	2888	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://envs.sh/hEF
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa98c546f8,0x7ffa98c54708,0x7ffa98c54718
2⤵
PID:2404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,17628949665259512235,17013904926077051087,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
2⤵
PID:536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,17628949665259512235,17013904926077051087,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,17628949665259512235,17013904926077051087,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
2⤵
PID:2096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17628949665259512235,17013904926077051087,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
2⤵
PID:112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17628949665259512235,17013904926077051087,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
2⤵
PID:1972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17628949665259512235,17013904926077051087,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
2⤵
PID:2748

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,17628949665259512235,17013904926077051087,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:8
2⤵
PID:4532

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,17628949665259512235,17013904926077051087,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17628949665259512235,17013904926077051087,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
2⤵
PID:3264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17628949665259512235,17013904926077051087,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
2⤵
PID:4924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17628949665259512235,17013904926077051087,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
2⤵
PID:3872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17628949665259512235,17013904926077051087,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
2⤵
PID:2136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,17628949665259512235,17013904926077051087,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4644 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
73c8d54f775a1b870efd00cb75baf547

SHA1
33024c5b7573c9079a3b2beba9d85e3ba35e6b0e

SHA256
1ce86be0476a2a9e409fcb817126285bc4ad83efd03ee06a2f86910fe18d4d94

SHA512
191344f5830cfea68499bd49073ffa7215a42265a9629d203d07849b2417c0ffdbdbf288bf2c669e91009a0d7e8bd6a6b378c92fc283049141231ca7bf4da3b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4b206e54d55dcb61072236144d1f90f8

SHA1
c2600831112447369e5b557e249f86611b05287d

SHA256
87bf9a4c3564eb3d8bef70450da843ae6003271222734c4d28d9961c52782e0b

SHA512
c9e8d2452368873e0622b002a0c2f8a2714b5897a09475738a9f9740122d716a9f0d3841725230d58e039564c820d32a6f3a675a7bb04bd163bab53dcb4e22f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
168B

MD5
76c8766d3b447bd8f829ea433c76faad

SHA1
39850a66ef6226b643079d3aa8f30d450b8bda12

SHA256
5f0f68866b02bbe4de8521605f718f05edf17e471a8ff11906d15e2a6997f219

SHA512
aaf8d48125a04acfa596b6d5edbf1061906a61ab389c1679c864e8cad1b6809f7430378a166b6b4719694c8ecf3f15bb51567f6e6ffd08a0409443d8f3f89d23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
763B

MD5
a0f1891729079630fd047cefcb1455aa

SHA1
785807082ef81090bc3e2594602743f4310e5d6b

SHA256
8b37c4d8f88380a9af890643ea21054cccaf39472f4fb820beb10511dd7f87fb

SHA512
8e58aa3fd5592000518a295e5d876a862093087c57b3225cc95ee2fbdb43b4ddb5817f8bc6e11b3844bb3aecbcbccc0040cc3410fd3ae412d999de5ef8bbc1e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
6549c9135236bc3517b9fa7b31cb6701

SHA1
910be56c5835fee7477a0316cc82aa03c5dd85ec

SHA256
a935049e1d2e6822c0734c1b9c6cbc94a662d8576b6ae6d3b0406494251c1bde

SHA512
e959941cf1a7534fad97d9cd5a92497d62cf0ea4ae5e1de043cdd74a6debfa275e5a3924b47aec6b67e710fceb46c79839c3b652e0167bfbb3de357ef14e7e7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
4c57ef6f29a20b2d9891c260cb4a2533

SHA1
7633b726bc695bd013908b33f3e710062612415e

SHA256
5c31c7038daff87d23088efbca4327fe4ee0f5e54a8d151026bd48a0f6f3ed05

SHA512
097a1cd6babdaade7f9e08d88b4cbd69b8876c530118047d59786b6f1de24580ea8e4d8e8bf2541995c0dc97d7b5cd4f30d872716a81b333c520cc5f745f55bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
25176d9d607fae96b15c4a7d2272d128

SHA1
a3d61acdc1b24452687bdb2d07247fa811a6aeb6

SHA256
3ce53771c32855e946832c3dd4094c1a241d33321a6195cca117717fa32c0015

SHA512
c278f66894ec0fc430fd41c7cd40a9e84f008a9783bd6b3c017763d61d4a276e76ae940da4c071b1e9e0cab9fb284e97100081c11175b593d0123a8bbd431e36

Download Submit
\??\pipe\LOCAL\crashpad_2888_HATNZKQGWGQMKNNB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit