Analysis
max time kernel: 35s
max time network: 36s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-03-2024 12:00
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://envs.sh/hEK
Resource: win10v2004-20240226-en
General
Target: https://envs.sh/hEK
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
description       | ioc                                                                   | process
Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  | msedge.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
pid  | process
216  | msedge.exe
216  | msedge.exe
1872 | msedge.exe
1872 | msedge.exe
4536 | identity_helper.exe
4536 | identity_helper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
Processes:
pid  | process
1872 | msedge.exe (7 identical entries)
Suspicious use of FindShellTrayWindow (25 IoCs)
Processes:
pid  | process
1872 | msedge.exe (25 identical entries)
Suspicious use of SendNotifyMessage (24 IoCs)
Processes:
pid  | process
1872 | msedge.exe (24 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description                       | pid  | process    | target process
PID 1872 wrote to memory of 3924  | 1872 | msedge.exe | msedge.exe (2 entries)
PID 1872 wrote to memory of 880   | 1872 | msedge.exe | msedge.exe (repeated entries)
PID 1872 wrote to memory of 216   | 1872 | msedge.exe | msedge.exe (2 entries)
PID 1872 wrote to memory of 3320  | 1872 | msedge.exe | msedge.exe (repeated entries)
(64 entries in total; all are PID 1872 msedge.exe writing into the four child msedge.exe PIDs above)
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 1)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://envs.sh/hEK
  signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd022846f8,0x7ffd02284708,0x7ffd02284718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,11662423953478123032,14524791113206113649,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,11662423953478123032,14524791113206113649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
    signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,11662423953478123032,14524791113206113649,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11662423953478123032,14524791113206113649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11662423953478123032,14524791113206113649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11662423953478123032,14524791113206113649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,11662423953478123032,14524791113206113649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,11662423953478123032,14524791113206113649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8
    signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11662423953478123032,14524791113206113649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11662423953478123032,14524791113206113649,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11662423953478123032,14524791113206113649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11662423953478123032,14524791113206113649,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
- C:\Windows\System32\CompPkgSrv.exe (level 1)
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (level 1)
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 9ffb5f81e8eccd0963c46cbfea1abc20
  SHA1: a02a610afd3543de215565bc488a4343bb5c1a59
  SHA256: 3a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc
  SHA512: 2d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: e1b45169ebca0dceadb0f45697799d62
  SHA1: 803604277318898e6f5c6fb92270ca83b5609cd5
  SHA256: 4c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60
  SHA512: 357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 168B
  MD5: 473493a4c98a68aa0d9f86dd5bc71c62
  SHA1: 8a901ffb4bac5ef1700f6e7f068a1cafa354cd51
  SHA256: a0756898a3e4b261b362cae4a1a4ea2593a6ede4092865802296b9e8e1a75b92
  SHA512: 9f319b42ffb7648f874484595d8cc540f208f044aae09801e696f89047fd5255ddebed774e0b33d8a66c9d859d98d390b1ec2f64ca8ca8d0228b8b1a66e576db
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: efd14112660764a6018b5088633294f3
  SHA1: b3d9ab6be6566059aee09b69f92a8a6eec2b2e4b
  SHA256: 45d5111088a579e7c683d082bd73847c975ce604427192e579c824e4180f2f9e
  SHA512: 19abd049afd48fefa3039e539b1ac7de5983ac5d4c87638aa9c0a4c3d6cf8e11a0cea8babd1fad388363faacdb66a12dce86cb0347853e70e75f354898781965
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 987bec717bf3c17de0f1e50c76e23095
  SHA1: d83a13393b2507dfc1bfb325f7677c413cd7c28a
  SHA256: 6d7041299cc0e5a711c3356cff8920e7ba931e5561f5f876dab0fecb0d8e160b
  SHA512: b9cd6f6a7ff0f99dd6d1b4b7b85a1f6ac56a77c5023a3cb56897e373ad81158ab581be0578bf5a0db62373112cbb5837d3ba0008ef9ac631d7a69e333377f722
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 8215fbf38b4da60cf1bf12164bd72f16
  SHA1: a9bf2a2afb7eae43660aa33af0299f9beb9c4dd8
  SHA256: 430465e164cc17ad7d9193032048407412defa5eaa7d79684363d664ab063d0e
  SHA512: 9cf591a7c5dbd494e2f165c784f0d3add2c9228cf8362e98240547972d8f6940d98deba74a1f9dabd9f50bd7bda5cb1c742073d6885428353892d75f1a55b65c
- \??\pipe\LOCAL\crashpad_1872_MSKDOUAHYNWYGDRV
  Filesize: (not listed; the hashes below are those of empty content)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e