hxxps://internalcs[.]icu/

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-03-2024 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://internalcs.icu/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4724	msedge.exe
4724	msedge.exe
4528	msedge.exe
4528	msedge.exe
4492	identity_helper.exe
4492	identity_helper.exe
5344	msedge.exe
5344	msedge.exe
5344	msedge.exe
5344	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe
4528	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 832	4528	msedge.exe	89
PID 4528 wrote to memory of 832	4528	msedge.exe	89
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 572	4528	msedge.exe	90
PID 4528 wrote to memory of 4724	4528	msedge.exe	91
PID 4528 wrote to memory of 4724	4528	msedge.exe	91
PID 4528 wrote to memory of 1000	4528	msedge.exe	92
PID 4528 wrote to memory of 1000	4528	msedge.exe	92
PID 4528 wrote to memory of 1000	4528	msedge.exe	92
PID 4528 wrote to memory of 1000	4528	msedge.exe	92
PID 4528 wrote to memory of 1000	4528	msedge.exe	92
PID 4528 wrote to memory of 1000	4528	msedge.exe	92
PID 4528 wrote to memory of 1000	4528	msedge.exe	92
PID 4528 wrote to memory of 1000	4528	msedge.exe	92
PID 4528 wrote to memory of 1000	4528	msedge.exe	92
PID 4528 wrote to memory of 1000	4528	msedge.exe	92
PID 4528 wrote to memory of 1000	4528	msedge.exe	92
PID 4528 wrote to memory of 1000	4528	msedge.exe	92
PID 4528 wrote to memory of 1000	4528	msedge.exe	92
PID 4528 wrote to memory of 1000	4528	msedge.exe	92
PID 4528 wrote to memory of 1000	4528	msedge.exe	92
PID 4528 wrote to memory of 1000	4528	msedge.exe	92
PID 4528 wrote to memory of 1000	4528	msedge.exe	92
PID 4528 wrote to memory of 1000	4528	msedge.exe	92
PID 4528 wrote to memory of 1000	4528	msedge.exe	92
PID 4528 wrote to memory of 1000	4528	msedge.exe	92

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://internalcs.icu/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffffaa846f8,0x7ffffaa84708,0x7ffffaa84718
  2⤵
  PID:832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,12296483337267070503,13565025964651497500,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  2⤵
  PID:572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,12296483337267070503,13565025964651497500,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,12296483337267070503,13565025964651497500,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8
  2⤵
  PID:1000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,12296483337267070503,13565025964651497500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,12296483337267070503,13565025964651497500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,12296483337267070503,13565025964651497500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,12296483337267070503,13565025964651497500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:3228
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,12296483337267070503,13565025964651497500,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,12296483337267070503,13565025964651497500,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,12296483337267070503,13565025964651497500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,12296483337267070503,13565025964651497500,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
  2⤵
  PID:1296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,12296483337267070503,13565025964651497500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,12296483337267070503,13565025964651497500,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,12296483337267070503,13565025964651497500,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4824 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5344

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7740a919423ddc469647f8fdd981324d

SHA1
c1bc3f834507e4940a0b7594e34c4b83bbea7cda

SHA256
bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221

SHA512
7ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f44d6f922f830d04d7463189045a5a3

SHA1
2e9ae7188ab8f88078e83ba7f42a11a2c421cb1c

SHA256
0ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a

SHA512
7c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
194KB

MD5
f5b4137b040ec6bd884feee514f7c176

SHA1
7897677377a9ced759be35a66fdee34b391ab0ff

SHA256
845aa24ba38524f33f097b0d9bae7d9112b01fa35c443be5ec1f7b0da23513e6

SHA512
813b764a5650e4e3d1574172dd5d6a26f72c0ba5c8af7b0d676c62bc1b245e4563952bf33663bffc02089127b76a67f9977b0a8f18eaef22d9b4aa3abaaa7c40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
2b80d30e4115a49b182ae0a7f6189046

SHA1
7b4a26cf70e67ef48cf28f8e932c64fa23e5085f

SHA256
198cd5d5412e06bd3a37f0155bcda21ac4ca7726ff1c7ec2da6e1d7cad45de23

SHA512
2da52e4caa34eeff0d9f166363186aa75e0337e14cab81e3dcfb194ae323b775b965a2a600838e99e2f5600cef91b98dcce75720f2c7c5ce4dd05e4456e72679

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
5d418a30408fb39abf8b6d1188a61b66

SHA1
a485fe0101611449967a554541db4f938317868e

SHA256
1159251558921e6632f0e8e4be5b6155d3a66eeb393d58b79d757a34e8b6d274

SHA512
cb1bcd2b148f8d9effacc0cffb7b31af8a49f2f09d4c9f4461b08af2dd667ac566ced8e728827698b967fbecdce8a0eca76343b9c00e9695e70d68b7c02e8797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
145eee9b51ce080b1841724c231fd6fd

SHA1
0301e52b5bc9cb069277184454b593e7639a27f5

SHA256
1420355220c11cba9c6bf2f4094efa214db82ddc9bff15650bcbe637f8a4d6f8

SHA512
b0a17c54db1ea4609dfdee9992fff8f5a3b06688582bf8a91da0ae95024bb6da76246c6776131bacfa93ef1229d4fbd4c28d0080664e2c23ee492b3a6420079e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f9a678ed33ed4703c042f88ea92f602d

SHA1
54481455b5a4ad627e79371d0414111e81430cae

SHA256
63fe37026b23034e91f45113f2a3a70d67438399b9115e42f0c7ec87bc70452d

SHA512
e4ed5c2c1b29199d3a15478fc4c01e6c86b93ffbe802ea847d47f20b4ce283c6f29226f81c0ce9c42edf8d0503a786bb290afdfa5754e71323723a7a63ddf1f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\eedbc920-c198-40fd-8854-78b912c317b9.tmp

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c85cb8043afcf49cc84b4bce890b855e

SHA1
154563d0aabe8395843fb89dff46294ccc8551d5

SHA256
8d54d4c810c523da2d8a985397dc0c1696f9928cdbe05fe82b3fa7facb9fa2da

SHA512
1892d587afadacba4f1bb1a8bcace04c28f91dfefe78ee4053159bd73a9f9c3ddfba9a66569f73ab414aa6f8adb5cf465d1dade6ee22d8b32be033ae6bd89f9c

Download Submit