hxxps://bit[.]ly/smJ_ShR

Analysis

max time kernel
44s
max time network
49s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-03-2024 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bit.ly/smJ_ShR

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
880	msedge.exe
880	msedge.exe
3608	msedge.exe
3608	msedge.exe
3528	identity_helper.exe
3528	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3608 wrote to memory of 3944	3608	msedge.exe	88
PID 3608 wrote to memory of 3944	3608	msedge.exe	88
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 1928	3608	msedge.exe	89
PID 3608 wrote to memory of 880	3608	msedge.exe	90
PID 3608 wrote to memory of 880	3608	msedge.exe	90
PID 3608 wrote to memory of 4352	3608	msedge.exe	91
PID 3608 wrote to memory of 4352	3608	msedge.exe	91
PID 3608 wrote to memory of 4352	3608	msedge.exe	91
PID 3608 wrote to memory of 4352	3608	msedge.exe	91
PID 3608 wrote to memory of 4352	3608	msedge.exe	91
PID 3608 wrote to memory of 4352	3608	msedge.exe	91
PID 3608 wrote to memory of 4352	3608	msedge.exe	91
PID 3608 wrote to memory of 4352	3608	msedge.exe	91
PID 3608 wrote to memory of 4352	3608	msedge.exe	91
PID 3608 wrote to memory of 4352	3608	msedge.exe	91
PID 3608 wrote to memory of 4352	3608	msedge.exe	91
PID 3608 wrote to memory of 4352	3608	msedge.exe	91
PID 3608 wrote to memory of 4352	3608	msedge.exe	91
PID 3608 wrote to memory of 4352	3608	msedge.exe	91
PID 3608 wrote to memory of 4352	3608	msedge.exe	91
PID 3608 wrote to memory of 4352	3608	msedge.exe	91
PID 3608 wrote to memory of 4352	3608	msedge.exe	91
PID 3608 wrote to memory of 4352	3608	msedge.exe	91
PID 3608 wrote to memory of 4352	3608	msedge.exe	91
PID 3608 wrote to memory of 4352	3608	msedge.exe	91

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bit.ly/smJ_ShR
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff283846f8,0x7fff28384708,0x7fff28384718
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,15270011782674395405,4718718357391882890,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,15270011782674395405,4718718357391882890,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2528 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,15270011782674395405,4718718357391882890,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15270011782674395405,4718718357391882890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:3632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15270011782674395405,4718718357391882890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15270011782674395405,4718718357391882890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15270011782674395405,4718718357391882890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:1328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15270011782674395405,4718718357391882890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1
  2⤵
  PID:4200
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,15270011782674395405,4718718357391882890,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5884 /prefetch:8
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,15270011782674395405,4718718357391882890,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5884 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15270011782674395405,4718718357391882890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15270011782674395405,4718718357391882890,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15270011782674395405,4718718357391882890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1
  2⤵
  PID:5464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15270011782674395405,4718718357391882890,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:5472

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1e3dc6a82a2cb341f7c9feeaf53f466f

SHA1
915decb72e1f86e14114f14ac9bfd9ba198fdfce

SHA256
a56135007f4dadf6606bc237cb75ff5ff77326ba093dff30d6881ce9a04a114c

SHA512
0a5223e8cecce77613b1c02535c79b3795e5ad89fc0a934e9795e488712e02b527413109ad1f94bbd4eb35dd07b86dd6e9f4b57d4d7c8a0a57ec3f7f76c7890a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5cf8d4d4c92fa4e867f7d7bf5c1e63af

SHA1
a27a21ffab5bf2b99a20670d7afcea8b68a89ca7

SHA256
8ba7f5f8678dd3882a25d4c98b7ff97dbac0d9862fe012a0aefe9b0f0bd74904

SHA512
0bf3317af2aeb638017ac2a4412f2778d04db57aa80530fe4418385bea669de22098f18477882cc6976445b215729a2e7cde9d4c3ec8a1678eb45279e49fec90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
36056608873528633420548cf8062983

SHA1
980aec81059d7d523ee916f2b82eb6a92972dfed

SHA256
621d1ff65f7aea05001b69f81aa441311318952069753f71bbbe92e155303cfc

SHA512
af87692eb31a3b297deae8c3f85dbc3fd8b395f43d6f2832a794237d05db17e39429498f380d892b6cfc229067477716bf18dd667387f24d8e7055187b881776

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e6339ceb50a78b7274b225b6051316e9

SHA1
bb7c09bd88250ee2b5e916471059b4b9026a3eac

SHA256
3eed03aa1860d53032b48f41c8bc84aacb55edc6360422def55103b6b9286328

SHA512
317fc3298bced3b44975377cac845706b64243e68df4dc3c535721d5b4f6d1f211b5cea57509e9eb51753763c4617e8af98976cc82e4335f994dcb09d97101d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
406cd90308c48beba8a58e572e415b17

SHA1
216634a7c85a68a513a53fef3291e4dd9b52ce65

SHA256
1fbab1a5310072c02ba42c7596fb295cf37e12671b1ddbfb69372872b7d496ef

SHA512
b73c60948736541b59065291ce469c583488d1d7735995e2f9ff19be9f6d0769bc90abc512ed1e514950d3cc3a4d72327456d0a9e424071315eb40ae7aa0eb6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57fc42.TMP

Filesize
537B

MD5
35719d7f6a5c9fb1dde1ef5f2699646a

SHA1
c01c1b8a4f6738845c45c3ffd58a06067b0b6bb7

SHA256
cd9554b3ce39d215ed72f67c23621770a2471cad4db7966b1bace134ba7827a2

SHA512
f939f3a06e560b1f149df57ba47b391b9faff9860c204191af7e521c7f2df275afdf4cfa957d3e63767be2c1218b730b426a5e68715b2a996c5b31012b754dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
952d6194b7c4112e9aa135c42c2d7eef

SHA1
d0e643e955f17ec1f5a4d2fad404250e30e298b9

SHA256
b19059d3ac3f0587f0137f06cca819289547b0aec72bd4e7bfd49577d1302104

SHA512
966ca098de6cf312f4e001f1c1d1332d8e6fc996e6bd1f686b3fa78ed2c02e54170172e02883d60187ad2cc6fe84ba603da4fb3adb799ade6639d7845cfc2e8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0b0efb2d270007d8b0736c671d38d1a5

SHA1
c38912d13e9f1b30c27cbcc8de4b531a029a0307

SHA256
5a90832c01aa9f8b53c5942761406bbb2e1b53df13f862933ca5b550a1832490

SHA512
e7f1ce76b5add262882190dedee0da9b88b2fc9362e62a22bbc56f2346c40c36956ffe9045ddebd23676ec0071fcbf87e4da341a0ebdfd571e3720e23001bb3d

Download Submit