Analysis
- max time kernel: 62s
- max time network: 64s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-03-2024 19:58
Tasks
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
  Sample: https://steamcomumity.com/gift/activation/id=6723574616
  Resource: win10v2004-20240226-en

General
- Target: https://steamcomumity.com/gift/activation/id=6723574616

Malware Config

Signatures
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: msedge.exe
  description       | ioc                                                                   | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                   | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: msedge.exe, msedge.exe, identity_helper.exe
  pid  | process
  2648 | msedge.exe
  2648 | msedge.exe
  3744 | msedge.exe
  3744 | msedge.exe
  1504 | identity_helper.exe
  1504 | identity_helper.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  Processes: msedge.exe
  pid  | process
  3744 | msedge.exe (7 identical rows)
- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes: msedge.exe
  pid  | process
  3744 | msedge.exe (25 identical rows)
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes: msedge.exe
  pid  | process
  3744 | msedge.exe (24 identical rows)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: msedge.exe
  description                      | pid  | process    | target process
  PID 3744 wrote to memory of 3460 | 3744 | msedge.exe | msedge.exe (repeated)
  PID 3744 wrote to memory of 4208 | 3744 | msedge.exe | msedge.exe (repeated)
  PID 3744 wrote to memory of 2648 | 3744 | msedge.exe | msedge.exe (repeated)
  PID 3744 wrote to memory of 3736 | 3744 | msedge.exe | msedge.exe (repeated)
  (64 rows in total; the four distinct target PIDs above each appear several times, in the order listed)
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcomumity.com/gift/activation/id=6723574616
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee1e246f8,0x7ffee1e24708,0x7ffee1e24718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,4492391889482740778,3198940956621705660,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,4492391889482740778,3198940956621705660,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,4492391889482740778,3198940956621705660,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4492391889482740778,3198940956621705660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4492391889482740778,3198940956621705660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,4492391889482740778,3198940956621705660,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,4492391889482740778,3198940956621705660,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4492391889482740778,3198940956621705660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4492391889482740778,3198940956621705660,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4492391889482740778,3198940956621705660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4492391889482740778,3198940956621705660,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4492391889482740778,3198940956621705660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
- C:\Windows\System32\CompPkgSrv.exe (depth 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (depth 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: cbec32729772aa6c576e97df4fef48f5
  SHA1: 6ec173d5313f27ba1e46ad66c7bbe7c0a9767dba
  SHA256: d34331aa91a21e127bbe68f55c4c1898c429d9d43545c3253d317ffb105aa24e
  SHA512: 425b3638fed70da3bc16bba8b9878de528aca98669203f39473b931f487a614d3f66073b8c3d9bc2211e152b4bbdeceb2777001467954eec491f862912f3c7a0
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 279e783b0129b64a8529800a88fbf1ee
  SHA1: 204c62ec8cef8467e5729cad52adae293178744f
  SHA256: 3619c3b82a8cbdce37bfd88b66d4fdfcd728a1112b05eb26998bea527d187932
  SHA512: 32730d9124dd28c196bd4abcfd6a283a04553f3f6b050c057264bc883783d30d6602781137762e66e1f90847724d0e994bddf6e729de11a809f263f139023d3b
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 168B
  MD5: a2bb61ea5774ebf34bb673fb48f7187d
  SHA1: 3c7d7e8a5f097e81c5583d4237f440f758cd85ea
  SHA256: 554abaa1c892155fea77e459a6a7c694ff495eeba4d5adf9323029211f3e5a06
  SHA512: 3a90d3242e97ad02f2479fad2c94a81c0da48aba7be17b5a9f5c792faf2df825dcf9df18dbbe1e340bc6621fc8bc08ff6da20d61cf667d5feea5ef99a47b7126
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 5debca7c6f4895af808a0583bc425860
  SHA1: 28dade485a968685927c1bb9b5c82845f69a399f
  SHA256: acc1a2355c7675b1d76ac8e4865c419c80a53aa233b0bce2d53cff985ee5d573
  SHA512: a17a1f1aba1f8df3fd6850cd6a015ecfb7bd981a6ab99cae35e152dd10f9e1c9dcc526063543c4d696fdfc4ebe9a49ef5b93edfe1dce5ca083cdd3c613e40114
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: fe7dbff725a0d8c9fe5f03431bbd7f1d
  SHA1: f4ecbcbc9ce9636d2542a93aac6655ed64811689
  SHA256: 36c6cb43dd5a4c727bc25f161305e50bc69efab1c661b994a5c1b82352ed832a
  SHA512: 75fbc68d6ede94cc82d4ea12a92af8ec2fd58723632a1635025e46671168f091337d654c6b3fc3f65eaa136dbab25ebcf1a703ab8147aa7b44de97e957859a8f
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: b8b26d7a57cf74eaaba0b21fc351d49e
  SHA1: 040528ce1f64908de1349df658974551d0962856
  SHA256: 2d848634d9b8ce18bc857b35fe721e06b5a410e7675cbbb32d514a352dd71560
  SHA512: b6d6da7b5b36f1df7e7b17753419b1263a537527740fdad3c3777b3590d90d1695371e6b3ac7cd4e10d6a514081fa38c12c06f9331ab041fbb92c76454ebb3f1
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: f0909ea787123b9ee532cb657c143f94
  SHA1: 1d8042d99067b2062725488d2f811a6289a0e9df
  SHA256: fcd6ff2233447ab6a8c55eff10162fad471e3fb24b01242ab1228f84e9cc3991
  SHA512: 3d72c9dc69bca517afb90d72c2fded1d7457e2ffc126d3dfe3a1f54ee1a0a2ca1519177fd460b68bd880894304b6e1f3c3c0f1e6fe36398a1d01677d8f19c872
- \??\pipe\LOCAL\crashpad_3744_JJQVXGLGPZZDHUSB
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  (no filesize recorded; all four digests are the well-known values for zero-length input)