Analysis
-
max time kernel
581s -
max time network
521s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
12/03/2024, 08:54
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
http://biurokarier.edu.pl
Resource
win10v2004-20240226-en
Behavioral task
behavioral2
Sample
http://biurokarier.edu.pl
Resource
macos-20240214-en
General
-
Target
http://biurokarier.edu.pl
Malware Config
Signatures
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 1688 msedge.exe 1688 msedge.exe 5044 msedge.exe 5044 msedge.exe 4368 identity_helper.exe 4368 identity_helper.exe 2860 msedge.exe 2860 msedge.exe 2860 msedge.exe 2860 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid Process 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeManageVolumePrivilege 1684 svchost.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5044 wrote to memory of 3560 5044 msedge.exe 86 PID 5044 wrote to memory of 3560 5044 msedge.exe 86 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 3464 5044 msedge.exe 91 PID 5044 wrote to memory of 1688 5044 msedge.exe 92 PID 5044 wrote to memory of 1688 5044 msedge.exe 92 PID 5044 wrote to memory of 5084 5044 msedge.exe 93 PID 5044 wrote to memory of 5084 5044 msedge.exe 93 PID 5044 wrote to memory of 5084 5044 msedge.exe 93 PID 5044 wrote to memory of 5084 5044 msedge.exe 93 PID 5044 wrote to memory of 5084 5044 msedge.exe 93 PID 5044 wrote to memory of 5084 5044 msedge.exe 93 PID 5044 wrote to memory of 5084 5044 msedge.exe 93 PID 5044 wrote to memory of 5084 5044 msedge.exe 93 PID 5044 wrote to memory of 5084 5044 msedge.exe 93 PID 5044 wrote to memory of 5084 5044 msedge.exe 93 PID 5044 wrote to memory of 5084 5044 msedge.exe 93 PID 5044 wrote to memory of 5084 5044 msedge.exe 93 PID 5044 wrote to memory of 5084 5044 msedge.exe 93 PID 5044 wrote to memory of 5084 5044 msedge.exe 93 PID 5044 wrote to memory of 5084 5044 msedge.exe 93 PID 5044 wrote to memory of 5084 5044 msedge.exe 93 PID 5044 wrote to memory of 5084 5044 msedge.exe 93 PID 5044 wrote to memory of 5084 5044 msedge.exe 93 PID 5044 wrote to memory of 5084 5044 msedge.exe 93 PID 5044 wrote to memory of 5084 5044 msedge.exe 93
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://biurokarier.edu.pl1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbce1d46f8,0x7ffbce1d4708,0x7ffbce1d47182⤵PID:3560
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,9275802308273882194,16389905545400027210,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:22⤵PID:3464
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,9275802308273882194,16389905545400027210,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:1688
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,9275802308273882194,16389905545400027210,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:82⤵PID:5084
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9275802308273882194,16389905545400027210,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:12⤵PID:4540
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9275802308273882194,16389905545400027210,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:12⤵PID:2232
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9275802308273882194,16389905545400027210,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:12⤵PID:1044
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,9275802308273882194,16389905545400027210,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:82⤵PID:1616
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,9275802308273882194,16389905545400027210,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4368
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9275802308273882194,16389905545400027210,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:12⤵PID:2904
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9275802308273882194,16389905545400027210,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:12⤵PID:2612
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9275802308273882194,16389905545400027210,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:12⤵PID:4280
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9275802308273882194,16389905545400027210,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:12⤵PID:2644
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,9275802308273882194,16389905545400027210,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4816 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:2860
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4832
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4036
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵PID:5436
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1684
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16KB
MD527160ead31b9a911bab1e352ec90bebb
SHA119af756dfa8d587d170c259e29d5b6a3eb25ed2b
SHA256d2b9b310edc77cbe493a0df30c4cdb104b998c233c39aca6b275458165819d29
SHA51270668c788809976d608069ce5a8dd461b1fb1bd77ceecf5eaff9fb865a42c7f069ace003b70d123ca721f40c6bdb3604cf6fd162fd0871bd682b502cfc4d6b00
-
Filesize
152B
MD547b2c6613360b818825d076d14c051f7
SHA17df7304568313a06540f490bf3305cb89bc03e5c
SHA25647a22bea2e7d0154c59bf5d8790ec68274eb05e9fa6cf0eab0d648121f1a02ac
SHA51208d2366fc1ce87dbe96b9bf997e4c59c9206fcfea47c1f17b01e79aeb0580f25cac5c7349bb453a50775b2743053446653f4129f835f81f4a8547ca392557aac
-
Filesize
152B
MD5e0811105475d528ab174dfdb69f935f3
SHA1dd9689f0f70a07b4e6fb29607e42d2d5faf1f516
SHA256c91388c87878a9e2c530c6096dbdd993b0a26fefe8ad797e0133547225032d6c
SHA5128374a721ea3ff3a1ea70d8a074e5c193dbba27ba7e301f19cea89d648b2378c376e48310c33fe81078cd40b1863daec935e8ac22e8e3878dc3a5bb529d028852
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize456B
MD52513a8012a001525bb0f1262eef1b122
SHA1c607b5628b28bb6170edf221626d7e213d1194c7
SHA256bc7697ff22e684b031cec9a898f0d3c3188c71a1dffbfd6efde231f7a1dc1106
SHA5123989b4bfcd3d7d789df2b3c4e0a47f01902edb272efa1ca67f75738de0a92f6b543afc4fbfd199b4c60d5c14d27cf1eef558dfdd1cdad48172353e627a4b2697
-
Filesize
187B
MD5b1b3bcf554a532b06f3f335abd3af86f
SHA155ef914a0e7b070018842df982e24a004d1ff68e
SHA256c9d7056b9f0edb3f27914d5e40e4fe7235098895971a84287307e47e7bb12c66
SHA512607024ac53a908ec4feb087066811ad9899ea9c910c3b84f1313c190c9342289f38316f0e0e6a9cd368791f3ed25019109a0565dd87101ff517f5859914a6a57
-
Filesize
6KB
MD5b0d4218f55e2a9c6610d985c7cac310f
SHA134380906f4004a92d2c0543400db6b344ad4f897
SHA25682c7eac5197daa247b9ab2390ba2309f69d01e026c90a06c7eff050aebf85c30
SHA512f440befb0c1bc90b0b2abf2e9541d87e1386e877b02d388e8f671f74693109566b3ec88bfc4534c38a423aad486e94ce041a1a79193d48efce7b2fe98c939d59
-
Filesize
6KB
MD58e3a6a0516d742935d0003f7082748f9
SHA1ffb20bf5094ea6d952ae47046510873983e795ac
SHA2562146ab753da19c0ed7d6c6570899c1cbe5f6de5df34013f5ec55160f9c64bc8d
SHA512bd770f94ebefbc8c005f7f1923fba7053983640ec2db73114d7fcde33752803954cfdad43726b0c020a9fee57232d20aac466e70a2f1041e95bdc7ec5a1dab3a
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5c0fc0d5bbf1dca874881e94667daaf76
SHA16e90e74cf5252801122611a676e5746e1b3acadb
SHA25639cf994b127b5f08d0523ce23cd8ad80749c0af439df5ab83afb308776c9bcf3
SHA51215e6e707dd4f3c5f107b4f676dbfb553a9e1355811bcb77de823e741aeb59add3632924936ac16e19027632783030fd692e1c524d664fe4732e75ee7dd19f487