hxxp://balt-go[.]lv

Analysis

max time kernel
38s
max time network
44s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://balt-go.lv

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2348	msedge.exe
2348	msedge.exe
2112	msedge.exe
2112	msedge.exe
3836	identity_helper.exe
3836	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 4516	2112	msedge.exe	87
PID 2112 wrote to memory of 4516	2112	msedge.exe	87
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 1864	2112	msedge.exe	88
PID 2112 wrote to memory of 2348	2112	msedge.exe	89
PID 2112 wrote to memory of 2348	2112	msedge.exe	89
PID 2112 wrote to memory of 4816	2112	msedge.exe	90
PID 2112 wrote to memory of 4816	2112	msedge.exe	90
PID 2112 wrote to memory of 4816	2112	msedge.exe	90
PID 2112 wrote to memory of 4816	2112	msedge.exe	90
PID 2112 wrote to memory of 4816	2112	msedge.exe	90
PID 2112 wrote to memory of 4816	2112	msedge.exe	90
PID 2112 wrote to memory of 4816	2112	msedge.exe	90
PID 2112 wrote to memory of 4816	2112	msedge.exe	90
PID 2112 wrote to memory of 4816	2112	msedge.exe	90
PID 2112 wrote to memory of 4816	2112	msedge.exe	90
PID 2112 wrote to memory of 4816	2112	msedge.exe	90
PID 2112 wrote to memory of 4816	2112	msedge.exe	90
PID 2112 wrote to memory of 4816	2112	msedge.exe	90
PID 2112 wrote to memory of 4816	2112	msedge.exe	90
PID 2112 wrote to memory of 4816	2112	msedge.exe	90
PID 2112 wrote to memory of 4816	2112	msedge.exe	90
PID 2112 wrote to memory of 4816	2112	msedge.exe	90
PID 2112 wrote to memory of 4816	2112	msedge.exe	90
PID 2112 wrote to memory of 4816	2112	msedge.exe	90
PID 2112 wrote to memory of 4816	2112	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://balt-go.lv
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8c8fb46f8,0x7ff8c8fb4708,0x7ff8c8fb4718
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,13528789144912835032,8167488268651881110,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
  2⤵
  PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,13528789144912835032,8167488268651881110,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,13528789144912835032,8167488268651881110,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13528789144912835032,8167488268651881110,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13528789144912835032,8167488268651881110,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13528789144912835032,8167488268651881110,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13528789144912835032,8167488268651881110,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
  2⤵
  PID:2524
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,13528789144912835032,8167488268651881110,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 /prefetch:8
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,13528789144912835032,8167488268651881110,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13528789144912835032,8167488268651881110,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13528789144912835032,8167488268651881110,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13528789144912835032,8167488268651881110,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13528789144912835032,8167488268651881110,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:1380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7c6136bc98a5aedca2ea3004e9fbe67d

SHA1
74318d997f4c9c351eef86d040bc9b085ce1ad4f

SHA256
50c3bd40caf7e9a82496a710f58804aa3536b44d57e2ee5e2af028cbebc6c2f2

SHA512
2d2fb839321c56e4cb80562e9a1daa4baf48924d635729dc5504a26462796919906f0097dd1fc7fd053394c0eea13c25219dec54ffe6e9abb6e8cb9afa66bada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5c6aef82e50d05ffc0cf52a6c6d69c91

SHA1
c203efe5b45b0630fee7bd364fe7d63b769e2351

SHA256
d9068cf3d04d62a9fb1cdd4c3cf7c263920159171d1b84cb49eff7cf4ed5bc32

SHA512
77ad48936e8c3ee107a121e0b2d1216723407f76872e85c36413237ca1c47b8c40038b8a6349b072bbcc6a29e27ddda77cf686fa97569f4d86531e6b2ac485ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003e

Filesize
194KB

MD5
f5b4137b040ec6bd884feee514f7c176

SHA1
7897677377a9ced759be35a66fdee34b391ab0ff

SHA256
845aa24ba38524f33f097b0d9bae7d9112b01fa35c443be5ec1f7b0da23513e6

SHA512
813b764a5650e4e3d1574172dd5d6a26f72c0ba5c8af7b0d676c62bc1b245e4563952bf33663bffc02089127b76a67f9977b0a8f18eaef22d9b4aa3abaaa7c40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
768B

MD5
30f8b7b8523c7fd1f15e1aceb6ec0dcb

SHA1
6fbdf1fb943993ee9af722e68d330d4e46f2c15b

SHA256
40db9d1deb886678545ac5269f0f4ee3e2de2a82a722af9f5f718e86b4514f8a

SHA512
577f5aa59d635586f560f565dd0c9329ef384a7d72e049e49ff73737b680a3350c628dfd5f4fe071c4904e2d9e41a1848f8c14582ed7fd47fde91a6e24a18682

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ab16d8482b98c64d8114c32e523e6f44

SHA1
3ecdf2b5b576931aa7a96eb2b518cb50a82c8cf3

SHA256
0e7d0f672676e25a167796e55b6888c2f173ce179b99d6f6bbf8a36469f01e05

SHA512
138e410d9be1748d0cefb6cca7f752635c7834d739d0395ffa7121e980d4df33a3e957c74b8117554ba26a38d8b7fdc49b6d785c4d9f65917a32f232bb83c21a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3e3d9c420b28efa8f50dac7cc2d4333e

SHA1
be4230876eb9568b21075398e1b31c513337e634

SHA256
34a7ad543c0b76b8f7b16b1bbcf1b759b3f92781570bb3e49770a8c0e7bfe657

SHA512
be35440db8388600916dfefe237a54a362eab0e9100a5b3f27597f530689d3b297420ccca6957367eeeb0bd0c2e0e3e0cfbeb1ee70e553183cd80d5451d8ef2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cce64383b5814936f044717fdeb20fa7

SHA1
c1e297163cc76b6319f3fa4b34382c162197eab6

SHA256
3897e429c37e7e57167f1ace2da2253b22f085f291e72800d51d82af9e6c4273

SHA512
402e72d068aac0f570f19976f722958c61a2a90d4430d1bbd0e1eeae969fdea604fc48b92cf47a216c5913030a1c73e8957096ed901a1e5a34a0158f13d2e81c

Download Submit