Analysis
- max time kernel: 146s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-03-2024 15:16
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
- Sample: https://go-link.ru/jgBb0
- Resource: win10v2004-20240226-en

General
- Target: https://go-link.ru/jgBb0
Malware Config
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description        ioc                                                                    process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes:
  pid   process
  4780  msedge.exe
  4780  msedge.exe
  4936  msedge.exe
  4936  msedge.exe
  780   identity_helper.exe
  780   identity_helper.exe
  3084  msedge.exe
  3084  msedge.exe
  3084  msedge.exe
  3084  msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
Processes:
  pid   process
  4936  msedge.exe  (7 identical entries)

Suspicious use of FindShellTrayWindow (25 IoCs)
Processes:
  pid   process
  4936  msedge.exe  (25 identical entries)

Suspicious use of SendNotifyMessage (24 IoCs)
Processes:
  pid   process
  4936  msedge.exe  (24 identical entries)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  description                       pid   process     target process
  PID 4936 wrote to memory of 4908  4936  msedge.exe  msedge.exe
  PID 4936 wrote to memory of 4560  4936  msedge.exe  msedge.exe
  PID 4936 wrote to memory of 4780  4936  msedge.exe  msedge.exe
  PID 4936 wrote to memory of 4684  4936  msedge.exe  msedge.exe
  (64 entries in total; identical rows collapsed)
Processes

- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go-link.ru/jgBb0
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa486546f8,0x7ffa48654708,0x7ffa48654718
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,13501773319996058446,15332837527179506995,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,13501773319996058446,15332837527179506995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,13501773319996058446,15332837527179506995,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,13501773319996058446,15332837527179506995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,13501773319996058446,15332837527179506995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,13501773319996058446,15332837527179506995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3852 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,13501773319996058446,15332837527179506995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 /prefetch:8
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,13501773319996058446,15332837527179506995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,13501773319996058446,15332837527179506995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,13501773319996058446,15332837527179506995,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,13501773319996058446,15332837527179506995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,13501773319996058446,15332837527179506995,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,13501773319996058446,15332837527179506995,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1952 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index (624B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State (1KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (6KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (6KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT (16B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (11KB)
- \??\pipe\LOCAL\crashpad_4936_IHCPDAYPOPKROGJZ (named pipe, no file size)