Analysis
- max time kernel: 40s
- max time network: 43s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-03-2024 19:09

Tasks
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
  - Sample: https://steamcommujity.com/gift/906353439838
  - Resource: win10v2004-20231215-en

General
- Target: https://steamcommujity.com/gift/906353439838
Malware Config
Signatures
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description, IoC, process):
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid, process):
  - 4316 msedge.exe (2 entries)
  - 1720 msedge.exe (2 entries)
  - 432 identity_helper.exe (2 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  Processes (pid, process):
  - 1720 msedge.exe (6 entries, all the same process)
- Suspicious use of FindShellTrayWindow (26 IoCs)
  Processes (pid, process):
  - 1720 msedge.exe (26 entries, all the same process)
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes (pid, process):
  - 1720 msedge.exe (24 entries, all the same process)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source pid/process → target pid/process); the 64 entries repeat the following distinct pairs:
  - 1720 msedge.exe wrote to memory of 4656 msedge.exe
  - 1720 msedge.exe wrote to memory of 4164 msedge.exe
  - 1720 msedge.exe wrote to memory of 4316 msedge.exe
  - 1720 msedge.exe wrote to memory of 996 msedge.exe
Processes
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommujity.com/gift/906353439838
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9bc5246f8,0x7ff9bc524708,0x7ff9bc524718
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,7786768300322075176,16366470910089709421,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,7786768300322075176,16366470910089709421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,7786768300322075176,16366470910089709421,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7786768300322075176,16366470910089709421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7786768300322075176,16366470910089709421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,7786768300322075176,16366470910089709421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,7786768300322075176,16366470910089709421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7786768300322075176,16366470910089709421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7786768300322075176,16366470910089709421,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7786768300322075176,16366470910089709421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7786768300322075176,16366470910089709421,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
- C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads (file path, size)
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 (67KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index (672B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State (111B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State (990B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (5KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (5KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (6KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (6KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences (24KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT (16B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (10KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (10KB)
- \??\pipe\LOCAL\crashpad_1720_XVMEPGZRTIELKHVS (no size reported)