hxxps://steamcomumity[.]com/gift/activation/id=6723574616

Resubmissions

10-03-2024 20:01

240310-yrwfvaba54 10

10-03-2024 19:58

240310-yp33xabc81 1

Analysis

max time kernel
62s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-03-2024 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://steamcomumity.com/gift/activation/id=6723574616

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exe

pid process

2648 msedge.exe
2648 msedge.exe
3744 msedge.exe
3744 msedge.exe
1504 identity_helper.exe
1504 identity_helper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

3744 msedge.exe
3744 msedge.exe
3744 msedge.exe
3744 msedge.exe
3744 msedge.exe
3744 msedge.exe
3744 msedge.exe

pid	process
2648	msedge.exe
2648	msedge.exe
3744	msedge.exe
3744	msedge.exe
1504	identity_helper.exe
1504	identity_helper.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3744 wrote to memory of 3460	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 3460	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 4208	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 2648	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 2648	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 3736	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 3736	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 3736	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 3736	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 3736	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 3736	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 3736	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 3736	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 3736	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 3736	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 3736	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 3736	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 3736	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 3736	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 3736	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 3736	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 3736	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 3736	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 3736	3744	msedge.exe	msedge.exe
PID 3744 wrote to memory of 3736	3744	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcomumity.com/gift/activation/id=6723574616
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee1e246f8,0x7ffee1e24708,0x7ffee1e24718
2⤵
PID:3460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,4492391889482740778,3198940956621705660,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
2⤵
PID:4208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,4492391889482740778,3198940956621705660,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,4492391889482740778,3198940956621705660,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
2⤵
PID:3736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4492391889482740778,3198940956621705660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
2⤵
PID:3180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4492391889482740778,3198940956621705660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
2⤵
PID:3544

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,4492391889482740778,3198940956621705660,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 /prefetch:8
2⤵
PID:4768

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,4492391889482740778,3198940956621705660,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4492391889482740778,3198940956621705660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
2⤵
PID:1120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4492391889482740778,3198940956621705660,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
2⤵
PID:2580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4492391889482740778,3198940956621705660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
2⤵
PID:692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4492391889482740778,3198940956621705660,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
2⤵
PID:3180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4492391889482740778,3198940956621705660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
2⤵
PID:5348

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4424

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
cbec32729772aa6c576e97df4fef48f5

SHA1
6ec173d5313f27ba1e46ad66c7bbe7c0a9767dba

SHA256
d34331aa91a21e127bbe68f55c4c1898c429d9d43545c3253d317ffb105aa24e

SHA512
425b3638fed70da3bc16bba8b9878de528aca98669203f39473b931f487a614d3f66073b8c3d9bc2211e152b4bbdeceb2777001467954eec491f862912f3c7a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
279e783b0129b64a8529800a88fbf1ee

SHA1
204c62ec8cef8467e5729cad52adae293178744f

SHA256
3619c3b82a8cbdce37bfd88b66d4fdfcd728a1112b05eb26998bea527d187932

SHA512
32730d9124dd28c196bd4abcfd6a283a04553f3f6b050c057264bc883783d30d6602781137762e66e1f90847724d0e994bddf6e729de11a809f263f139023d3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
168B

MD5
a2bb61ea5774ebf34bb673fb48f7187d

SHA1
3c7d7e8a5f097e81c5583d4237f440f758cd85ea

SHA256
554abaa1c892155fea77e459a6a7c694ff495eeba4d5adf9323029211f3e5a06

SHA512
3a90d3242e97ad02f2479fad2c94a81c0da48aba7be17b5a9f5c792faf2df825dcf9df18dbbe1e340bc6621fc8bc08ff6da20d61cf667d5feea5ef99a47b7126

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
5debca7c6f4895af808a0583bc425860

SHA1
28dade485a968685927c1bb9b5c82845f69a399f

SHA256
acc1a2355c7675b1d76ac8e4865c419c80a53aa233b0bce2d53cff985ee5d573

SHA512
a17a1f1aba1f8df3fd6850cd6a015ecfb7bd981a6ab99cae35e152dd10f9e1c9dcc526063543c4d696fdfc4ebe9a49ef5b93edfe1dce5ca083cdd3c613e40114

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
fe7dbff725a0d8c9fe5f03431bbd7f1d

SHA1
f4ecbcbc9ce9636d2542a93aac6655ed64811689

SHA256
36c6cb43dd5a4c727bc25f161305e50bc69efab1c661b994a5c1b82352ed832a

SHA512
75fbc68d6ede94cc82d4ea12a92af8ec2fd58723632a1635025e46671168f091337d654c6b3fc3f65eaa136dbab25ebcf1a703ab8147aa7b44de97e957859a8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
b8b26d7a57cf74eaaba0b21fc351d49e

SHA1
040528ce1f64908de1349df658974551d0962856

SHA256
2d848634d9b8ce18bc857b35fe721e06b5a410e7675cbbb32d514a352dd71560

SHA512
b6d6da7b5b36f1df7e7b17753419b1263a537527740fdad3c3777b3590d90d1695371e6b3ac7cd4e10d6a514081fa38c12c06f9331ab041fbb92c76454ebb3f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
f0909ea787123b9ee532cb657c143f94

SHA1
1d8042d99067b2062725488d2f811a6289a0e9df

SHA256
fcd6ff2233447ab6a8c55eff10162fad471e3fb24b01242ab1228f84e9cc3991

SHA512
3d72c9dc69bca517afb90d72c2fded1d7457e2ffc126d3dfe3a1f54ee1a0a2ca1519177fd460b68bd880894304b6e1f3c3c0f1e6fe36398a1d01677d8f19c872

Download Submit
\??\pipe\LOCAL\crashpad_3744_JJQVXGLGPZZDHUSB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit