Analysis
max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted
05-03-2024 16:03
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://gateway.ipfs.io/ipfs/bafybeicnmnlycrtiqjgt2xpjbxv7fqv4ea2aeu7tre4lgob5p6ndg564s4/chiw12.html#
Resource
win10v2004-20240226-en
General
Target
https://gateway.ipfs.io/ipfs/bafybeicnmnlycrtiqjgt2xpjbxv7fqv4ea2aeu7tre4lgob5p6ndg564s4/chiw12.html#
Malware Config
Signatures
Enumerates system info in registry 2 TTPs 3 IoCs
description         ioc                                                                    Process
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid    Process
100    msedge.exe
100    msedge.exe
1488   msedge.exe
1488   msedge.exe
1020   identity_helper.exe
1020   identity_helper.exe
5912   msedge.exe
5912   msedge.exe
5912   msedge.exe
5912   msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid    Process
1488   msedge.exe
1488   msedge.exe
1488   msedge.exe
1488   msedge.exe
1488   msedge.exe
1488   msedge.exe
Suspicious use of FindShellTrayWindow 25 IoCs
pid    Process
1488   msedge.exe   (25 identical entries)
Suspicious use of SendNotifyMessage 24 IoCs
pid    Process
1488   msedge.exe   (24 identical entries)
Suspicious use of WriteProcessMemory 64 IoCs
description                        pid    Process      procid_target
PID 1488 wrote to memory of 1212   1488   msedge.exe   89
PID 1488 wrote to memory of 2188   1488   msedge.exe   90
PID 1488 wrote to memory of 100    1488   msedge.exe   91
PID 1488 wrote to memory of 4472   1488   msedge.exe   92
(distinct rows; each row is repeated in the source table, 64 entries in total)
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gateway.ipfs.io/ipfs/bafybeicnmnlycrtiqjgt2xpjbxv7fqv4ea2aeu7tre4lgob5p6ndg564s4/chiw12.html#
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1488

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe7f2346f8,0x7ffe7f234708,0x7ffe7f234718
    PID:1212

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,7835260586148834955,2697113049784294903,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
    PID:2188

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,7835260586148834955,2697113049784294903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID:100

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,7835260586148834955,2697113049784294903,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
    PID:4472

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7835260586148834955,2697113049784294903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
    PID:4768

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7835260586148834955,2697113049784294903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
    PID:1776

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,7835260586148834955,2697113049784294903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
    PID:4628

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,7835260586148834955,2697113049784294903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID:1020

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7835260586148834955,2697113049784294903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
    PID:3136

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7835260586148834955,2697113049784294903,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
    PID:2940

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7835260586148834955,2697113049784294903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
    PID:2416

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7835260586148834955,2697113049784294903,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
    PID:4736

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,7835260586148834955,2697113049784294903,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4836 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
    PID:5912

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:4136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:1984
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize 152B
MD5 36bb45cb1262fcfcab1e3e7960784eaa
SHA1 ab0e15841b027632c9e1b0a47d3dec42162fc637
SHA256 7c6b0de6f9b4c3ca1f5d6af23c3380f849825af00b58420b76c72b62cfae44ae
SHA512 02c54c919f8cf3fc28f5f965fe1755955636d7d89b5f0504a02fcd9d94de8c50e046c7c2d6cf349fabde03b0fbbcc61df6e9968f2af237106bf7edd697e07456

Filesize 152B
MD5 1e3dc6a82a2cb341f7c9feeaf53f466f
SHA1 915decb72e1f86e14114f14ac9bfd9ba198fdfce
SHA256 a56135007f4dadf6606bc237cb75ff5ff77326ba093dff30d6881ce9a04a114c
SHA512 0a5223e8cecce77613b1c02535c79b3795e5ad89fc0a934e9795e488712e02b527413109ad1f94bbd4eb35dd07b86dd6e9f4b57d4d7c8a0a57ec3f7f76c7890a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 72B
MD5 1ff05ffaa9b552a212987207f740729d
SHA1 0b6ee852c968bcfa0c19a11a4f5046c0efb2b349
SHA256 8011717ad333252d017f6ecc3cd8b4570ba941729dec0db022b945827b451f07
SHA512 ca6cf06ebfb16f2783cba5c5ffd4913a9339f05fc2bdd43de4a6eebaed17cfcabffe0fc836a9aee482642908108ec2d0810380b5850d5e49bc9d299d7be6cbc8

Filesize 537B
MD5 0b5697b3a56598d1aae051e500208925
SHA1 0dc8713eda16ed75f4414df13c2dd3ca2508ba14
SHA256 60b083056561b373fa3a0d974a64eae975e6b673ed288c6a745e5cceddac8e32
SHA512 2e1d1491461c96ec3172b803a037631832270f76d4dfdd01d65563a4e0c9440aa31f1dfbe42469de2f1e92113c3f5f46333bcbd8c52711e649437b684bc81d55

Filesize 6KB
MD5 aee1b44b28850a6c95879bc0af4ec6db
SHA1 fc9ff069b9cca565294ff0c71104c8cf409b1531
SHA256 bc4ff096c81a0cc0efcf68db129f0b7e9d30cc729b634fff0ae2f8c7dbf47e10
SHA512 2a86a08dd5d74b05be4524b18eed60664437c998cc5676f50f0c0e1b14d29b5a269d40b6ceebd73629c81863bb0ad28c750d918299e70033d42403fe04c6ce98

Filesize 6KB
MD5 9b0c4d99b5a23ca4470f7f71ef8aa638
SHA1 038699e9e5313d1b3701be6474669da81f1cef5b
SHA256 849dd507df92c57f6c7dbceee25cfdab9e242dae9076f60cf4d65d4c1a889919
SHA512 3ce2116d24c6aaf71774a48bde9aa8e1691e682ac58ffa342092e3680f08650a63bf8725023f853d8ac7ba9c219bc09a9af30a4270b8ad8e8957ca584562468d

Filesize 16B
MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize 12KB
MD5 bf137b9b023dd0971478961351ac797d
SHA1 b3998d152201c423feb4e26525b34db69ee29822
SHA256 d1df6f6c0760eb8ea3f4935bb28aa4a3038d95314347a683f5f6f480d6944b34
SHA512 22b1bb42ce2c02f4942374e444561cc688ff0815adea0cb3637e58392ef892913dc2f9ea0bd3a1600fb20836457a580d5a0f207552efb41b4ea720cae7cd5768