Analysis
max time kernel: 113s
max time network: 125s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 05-03-2024 20:24
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://gofile.io/d/QSTG2B
  Resource: win10v2004-20240226-en
Behavioral task: behavioral2
  Sample: https://gofile.io/d/QSTG2B
  Resource: win11-20240221-en
General
Target: https://gofile.io/d/QSTG2B
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
pid | Process
4824 | msedge.exe
1924 | msedge.exe
2884 | msedge.exe
3496 | identity_helper.exe
(each pid appears twice among the 8 IoCs)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
Processes:
pid | Process
1924 | msedge.exe
(the same row for all 10 IoCs)
Suspicious use of FindShellTrayWindow (25 IoCs)
Processes:
pid | Process
1924 | msedge.exe
(the same row for all 25 IoCs)
Suspicious use of SendNotifyMessage (12 IoCs)
Processes:
pid | Process
1924 | msedge.exe
(the same row for all 12 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description | pid | Process | procid_target
PID 1924 wrote to memory of 2508 | 1924 | msedge.exe | 80
PID 1924 wrote to memory of 3492 | 1924 | msedge.exe | 81
PID 1924 wrote to memory of 4824 | 1924 | msedge.exe | 82
PID 1924 wrote to memory of 4972 | 1924 | msedge.exe | 83
(the 64 IoCs are repeats of these four rows: the parent msedge.exe 1924 writes into the crashpad-handler 2508, the gpu-process 3492, the NetworkService utility 4824 and the StorageService utility 4972)
Processes

Process tree (child processes indented under their parent):

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1924)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/QSTG2B
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2508)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8d5093cb8,0x7ff8d5093cc8,0x7ff8d5093cd8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3492)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1964,508676386168284905,4685097891178101457,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1972 /prefetch:2

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4824)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1964,508676386168284905,4685097891178101457,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4972)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1964,508676386168284905,4685097891178101457,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 592)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,508676386168284905,4685097891178101457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 260)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,508676386168284905,4685097891178101457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 852)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,508676386168284905,4685097891178101457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2884)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1964,508676386168284905,4685097891178101457,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe (PID 3496)
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1964,508676386168284905,4685097891178101457,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2624)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,508676386168284905,4685097891178101457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 804)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,508676386168284905,4685097891178101457,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4124)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,508676386168284905,4685097891178101457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4648)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,508676386168284905,4685097891178101457,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1316)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,508676386168284905,4685097891178101457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3528)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,508676386168284905,4685097891178101457,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2944 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3892)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,508676386168284905,4685097891178101457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe (PID 3328)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (PID 4452)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads