Analysis
max time kernel: 36s
max time network: 30s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 11-03-2024 22:41
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://rmanaubrtal.blob.core.windows.net/rmanaubrtal/url.html
Resource: win11-20240221-en
General
Target: https://rmanaubrtal.blob.core.windows.net/rmanaubrtal/url.html
Malware Config
Signatures
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    description        ioc                                                                    process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes:
    pid   process              events
    3848  msedge.exe           2
    2124  msedge.exe           2
    8     msedge.exe           2
    4676  identity_helper.exe  2
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
  Processes:
    pid   process     events
    2124  msedge.exe  9
- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes:
    pid   process     events
    2124  msedge.exe  25
- Suspicious use of SendNotifyMessage (12 IoCs)
  Processes:
    pid   process     events
    2124  msedge.exe  12
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description: "wrote to memory of"):
    pid   process     target pid  target process  events
    2124  msedge.exe  2720        msedge.exe      2
    2124  msedge.exe  4804        msedge.exe      40
    2124  msedge.exe  3848        msedge.exe      2
    2124  msedge.exe  4800        msedge.exe      20
Processes
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://rmanaubrtal.blob.core.windows.net/rmanaubrtal/url.html
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc3afc3cb8,0x7ffc3afc3cc8,0x7ffc3afc3cd8
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,846157945188977232,7833714605531405263,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,846157945188977232,7833714605531405263,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,846157945188977232,7833714605531405263,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,846157945188977232,7833714605531405263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,846157945188977232,7833714605531405263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,846157945188977232,7833714605531405263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,846157945188977232,7833714605531405263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4336 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,846157945188977232,7833714605531405263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1928,846157945188977232,7833714605531405263,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,846157945188977232,7833714605531405263,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,846157945188977232,7833714605531405263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,846157945188977232,7833714605531405263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,846157945188977232,7833714605531405263,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,846157945188977232,7833714605531405263,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
- C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\65321132-8697-45df-8dfa-34c9e89a992c.tmp
  Filesize: 5KB
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
- \??\pipe\LOCAL\crashpad_2124_EEDQHINHOMAWHRMG