Analysis
- max time kernel: 139s
- max time network: 143s
- platform: windows11-21h2_x64
- resource: win11-20240221-en
- resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 11-03-2024 12:14
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
  - Sample: https://envs.sh/h2v
  - Resource: win11-20240221-en
General
- Target: https://envs.sh/h2v
Malware Config
Signatures
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description / IoC / process):
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes (pid / process):
  - 744 msedge.exe (2 entries)
  - 1392 msedge.exe (2 entries)
  - 3956 identity_helper.exe (2 entries)
  - 420 msedge.exe (2 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  Processes (pid / process):
  - 1392 msedge.exe (7 entries)
- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes (pid / process):
  - 1392 msedge.exe (25 entries)
- Suspicious use of SendNotifyMessage (12 IoCs)
  Processes (pid / process):
  - 1392 msedge.exe (12 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description / pid / process / target process), 64 entries in total, each target PID repeated:
  - PID 1392 (msedge.exe) wrote to memory of PID 2068 (msedge.exe)
  - PID 1392 (msedge.exe) wrote to memory of PID 2584 (msedge.exe)
  - PID 1392 (msedge.exe) wrote to memory of PID 744 (msedge.exe)
  - PID 1392 (msedge.exe) wrote to memory of PID 1652 (msedge.exe)
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://envs.sh/h2v
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffffd653cb8,0x7ffffd653cc8,0x7ffffd653cd8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,1570101606291138404,13700625007161205894,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,1570101606291138404,13700625007161205894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,1570101606291138404,13700625007161205894,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1570101606291138404,13700625007161205894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1570101606291138404,13700625007161205894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1570101606291138404,13700625007161205894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,1570101606291138404,13700625007161205894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1570101606291138404,13700625007161205894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1570101606291138404,13700625007161205894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1570101606291138404,13700625007161205894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1570101606291138404,13700625007161205894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,1570101606291138404,13700625007161205894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,1570101606291138404,13700625007161205894,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5912 /prefetch:2
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: a0407c5de270b9ae0ceee6cb9b61bbf1
  SHA1: fb2bb8184c1b8e680bf873e5537e1260f057751e
  SHA256: a56989933628f6a677ad09f634fc9b7dd9cf7d06c72a76ddbb8221bc4a62ffcd
  SHA512: 65162bf07705dfdd348d4eaf0a3feba08dc2c0942a3a052b4492d0675ab803b104c03c945f5608fac9544681e0fe8b81d1aaca859663e79aa87fcb591ddb8136
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: ded21ddc295846e2b00e1fd766c807db
  SHA1: 497eb7c9c09cb2a247b4a3663ce808869872b410
  SHA256: 26025f86effef56caa2ee50a64e219c762944b1e50e465be3a6b454bc0ed7305
  SHA512: ddfaa73032590de904bba398331fdbf188741d96a17116ada50298b42d6eb7b20d6e50b0cfae8b17e2f145997b8ebce6c8196e6f46fbe11f133d3d82ce3656db
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 384B
  MD5: 954a02c9cfb4502b8dafbe57eff9a482
  SHA1: 0e2d3ba87e45eaa07fa7125e14a623fa814d7e54
  SHA256: 33186424c39a283e9fd94d0206aed07ee8ecdedfd9a4aad129e0e8539a9607ba
  SHA512: 1998fa1b90c2eb96655a76e35435c496596b7e504b34238bdf8b50d8a4ccd0551b632a88689b99a1dd099ef4224e34b0f6cc40d99cf6c7cd99bf2014aedce5f2
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 408B
  MD5: 1f1b65aa95949723d4431d2dc27c5e30
  SHA1: 3e3b6f4bdca9713f7d9aec47e8700732908af9ac
  SHA256: cef197edb8b56753a91f7a41d9c1aef424b6e4118586944cfd93338a546091a5
  SHA512: 0fadfa2c6214e465a8e81c5dbbb5c2d2a3d0bf5ef09454ac0c53d78e554d6d0e9316ee0fc1f804567ad9efefcea1a23851bbcbd49a7f95c1d352208a4e7dad25
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 866B
  MD5: 16785085362dde0d606553b5c8d81832
  SHA1: 2f309b0e911829b9e717f6e4bdf0bf3988d4311f
  SHA256: 27e7d6e092aa7b66d8c7a5eab53f249dbfe74003154e74406edaae95b7422bab
  SHA512: 09923e31b9b40c891ffa12e8f33ecbf23702840be56f6c4bfb80a065b6791dee621c93f3da0c6430de0d0324865df4611fb25be2cf2afd1baeaa1104d8feb801
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: a487cb779a51fa882f4da05223ec321c
  SHA1: 973e533a9fa30621c63f49f16e2e57439d668c15
  SHA256: 4bcd326cf1de9e441ceb710f9ff48ac25ddc2baf1faf5e29cf152f694ae9fb4d
  SHA512: 29618451e62002efbc805add3d56da0fe0d0ac03b204d22347d035cf1d43d645e1c9c9d551f3363ee38732134c47973071c98fd0f1678f2bfc6c62b9540be8dc
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 490c8fe9579322679f6740cf1f327064
  SHA1: 59355d46b7a9e2dff1650f77c640b62787951f8f
  SHA256: 7f64b1f401edb2d35087ca0c6737f64bea606b7c92f051398c911380e33dfe8a
  SHA512: c060e1753a41d7efd5b9fbd5a0393b62401e9466acd349c915059914bec9a4382f527de8454749c3dc742320f75e974d5e81e0a3e6db3d29c1f11148c349fb11
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: f2bd6105943813b0e7095e3f6928f0b7
  SHA1: e2d267f093a1cce0a1eb528e212500dd927ffd57
  SHA256: a874933264aaedcd782674774d3c9b2260d69c1be6be1f238dbd70c406e19721
  SHA512: c82eb40dc0d419fb605be3b7cfa67a5c09ae7246587dc434246d04fc23e4549dc16fe8983bfbfdf16e7de627f71049f3f7a1eb5071c9f70bafb976384f05f570