hxxps://dosya[.]co/9pmcc5n5syz7/eclaussms[.]rar[.]html

Analysis

max time kernel
1171s
max time network
1174s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
07/03/2024, 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://dosya.co/9pmcc5n5syz7/eclaussms.rar.html

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4140	msedge.exe
4140	msedge.exe
4904	msedge.exe
4904	msedge.exe
1540	msedge.exe
1540	msedge.exe
3000	identity_helper.exe
3000	identity_helper.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 5104	4904	msedge.exe	79
PID 4904 wrote to memory of 5104	4904	msedge.exe	79
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4888	4904	msedge.exe	80
PID 4904 wrote to memory of 4140	4904	msedge.exe	81
PID 4904 wrote to memory of 4140	4904	msedge.exe	81
PID 4904 wrote to memory of 1992	4904	msedge.exe	82
PID 4904 wrote to memory of 1992	4904	msedge.exe	82
PID 4904 wrote to memory of 1992	4904	msedge.exe	82
PID 4904 wrote to memory of 1992	4904	msedge.exe	82
PID 4904 wrote to memory of 1992	4904	msedge.exe	82
PID 4904 wrote to memory of 1992	4904	msedge.exe	82
PID 4904 wrote to memory of 1992	4904	msedge.exe	82
PID 4904 wrote to memory of 1992	4904	msedge.exe	82
PID 4904 wrote to memory of 1992	4904	msedge.exe	82
PID 4904 wrote to memory of 1992	4904	msedge.exe	82
PID 4904 wrote to memory of 1992	4904	msedge.exe	82
PID 4904 wrote to memory of 1992	4904	msedge.exe	82
PID 4904 wrote to memory of 1992	4904	msedge.exe	82
PID 4904 wrote to memory of 1992	4904	msedge.exe	82
PID 4904 wrote to memory of 1992	4904	msedge.exe	82
PID 4904 wrote to memory of 1992	4904	msedge.exe	82
PID 4904 wrote to memory of 1992	4904	msedge.exe	82
PID 4904 wrote to memory of 1992	4904	msedge.exe	82
PID 4904 wrote to memory of 1992	4904	msedge.exe	82
PID 4904 wrote to memory of 1992	4904	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://dosya.co/9pmcc5n5syz7/eclaussms.rar.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbd4a43cb8,0x7ffbd4a43cc8,0x7ffbd4a43cd8
  2⤵
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,3257196629661452981,2279058505911471314,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,3257196629661452981,2279058505911471314,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,3257196629661452981,2279058505911471314,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,3257196629661452981,2279058505911471314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,3257196629661452981,2279058505911471314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,3257196629661452981,2279058505911471314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,3257196629661452981,2279058505911471314,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,3257196629661452981,2279058505911471314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:4228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,3257196629661452981,2279058505911471314,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,3257196629661452981,2279058505911471314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,3257196629661452981,2279058505911471314,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,3257196629661452981,2279058505911471314,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6224 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,3257196629661452981,2279058505911471314,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6084 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3b1e59e67b947d63336fe9c8a1a5cebc

SHA1
5dc7146555c05d8eb1c9680b1b5c98537dd19b91

SHA256
7fccd8c81f41a2684315ad9c86ef0861ecf1f2bf5d13050f760f52aef9b4a263

SHA512
2d9b8f574f7f669c109f7e0d9714b84798e07966341a0200baac01ed5939b611c7ff75bf1978fe06e37e813df277b092ba68051fae9ba997fd529962e2e5d7b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0e10a8550dceecf34b33a98b85d5fa0b

SHA1
357ed761cbff74e7f3f75cd15074b4f7f3bcdce0

SHA256
5694744f7e6c49068383af6569df880eed386f56062933708c8716f4221cac61

SHA512
fe6815e41c7643ddb7755cc542d478814f47acea5339df0b5265d9969d02c59ece6fc61150c6c75de3f4f59b052bc2a4f58a14caa3675daeb67955b4dc416d3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
c5f432838c802c55cad4003388b2c2a8

SHA1
5c1b80235599b0b833e18edcd1116e017e3b0bf9

SHA256
ad044eb2e615b7f8ffd6588c15fdc57179b84e457c5cd74c452092f3bb2f8f7b

SHA512
a599d5752c67f102c606a4507160cc3fd1bd049d3b74ad59de4b2f2821c5fccbd2fe6b1ae477d0b861c141169987529b9f44c162b1b15e228374338f193bc7f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
5bd36756ffaf6c2f8ae2be7eca5402cf

SHA1
a1ce4ecfb03cc129bd5015ae8433d4fab76b868e

SHA256
d1e29c900e93d8054439cf9d1338a293828784f357ee1f49f599c8fd1cfac4b6

SHA512
93602e28ca7b8a8455b7e3378e3a29f001aa139ca76f9b67f10fc9d9b819ad96dd1953aa7d9902fd52ef646eddae424690ccec65fea2b0311958d6881ffd8a9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e8066e368ece5da246bad14e8fd4c0ed

SHA1
a8ef75e045a949d061a1f1922fc8ff6a68778ebc

SHA256
c5073266c2a2b81631764368d79a7846ec953f260d2158c405b0888444b4b53b

SHA512
03591f96d838d871706aafcbdf3cde8e5ef9745e19941159cb8c6151fc01ee00a8dac49df32200befde2dc1b76ff434538974e6385c63b27661984fc1d35e3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e2e2315ff8547b80332b981496b60086

SHA1
ce426ad9447059f057eae58c389d3cd0a228c17e

SHA256
2578648c1eb2d85dbc7d2b6708c6234e6f63e3c6da678bcb37273005c4e7dd9e

SHA512
d4182f1f04d5069361a9d4d8165d3bf7c605cf7f62b387e8f1429ba88be4bf23530bb7d5339019be367c2b9a9c69deb185e7298129c28f3d52d9ee6f29f0dfe6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e9a225529a45351609185b6fc9578e13

SHA1
5c2151dc1b34981c4497aa139ee4d05b6ae56871

SHA256
01beb1ffc216d48cbd602d662cb16e2d0d7c921937ec0a00400f607326f54768

SHA512
c8b69280f7b338d6721e8b536200d88970dfbb2edbddd4bb9074545a1a0f0e067e841c0427ecbedef490fe0d22bcafa124e65ade0e23350a4126d85cb7a0b07a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cdcef1372d91e1f1f6782542fec910d4

SHA1
4f3c5719faceb9348f352c256aa06fc80f13a8fd

SHA256
b61f1aff27443d203599147efa4b140c1fcddad0637aeb7f0a4fcbaec77cb8f1

SHA512
b8232beb3d8230b994905ade9aaa420ae766c861ed602a91ca5eb54c7a23b1a482dd4fb7915762470500b07aad18fe7c11f25afac43559c5087670fcf7de3edc

Download Submit