Analysis
max time kernel: 294s
max time network: 314s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/03/2024, 00:52
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://click.pstmrk.it/3s/i.prefinery.com%2Fprojects%2Fvlppyaez%2Fusers%2Finstant%3Femail%3Dcajulian790%2540hotmail.com/ahc/6hG0AQ/AQ/bf37e917-1b3c-4145-87fa-2427c2915286/1/jzdV63uqUt
Resource: win10v2004-20240226-en
General
Target: https://click.pstmrk.it/3s/i.prefinery.com%2Fprojects%2Fvlppyaez%2Fusers%2Finstant%3Femail%3Dcajulian790%2540hotmail.com/ahc/6hG0AQ/AQ/bf37e917-1b3c-4145-87fa-2427c2915286/1/jzdV63uqUt
Malware Config
Signatures
Enumerates system info in registry 2 TTPs 3 IoCs
description       | ioc                                                                  | Process
Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                   | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  | msedge.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid  | Process             | count
2196 | msedge.exe          | 2
560  | msedge.exe          | 2
2432 | identity_helper.exe | 2
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
pid | Process    | count
560 | msedge.exe | 8
Suspicious use of FindShellTrayWindow 26 IoCs
pid | Process    | count
560 | msedge.exe | 26
Suspicious use of SendNotifyMessage 24 IoCs
pid | Process    | count
560 | msedge.exe | 24
Suspicious use of WriteProcessMemory 64 IoCs
description                     | pid | Process    | procid_target | count
PID 560 wrote to memory of 3680 | 560 | msedge.exe | 89            | 2
PID 560 wrote to memory of 1896 | 560 | msedge.exe | 90            | 40
PID 560 wrote to memory of 2196 | 560 | msedge.exe | 91            | 2
PID 560 wrote to memory of 2732 | 560 | msedge.exe | 92            | 20
Processes
msedge.exe, PID 560
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://click.pstmrk.it/3s/i.prefinery.com%2Fprojects%2Fvlppyaez%2Fusers%2Finstant%3Femail%3Dcajulian790%2540hotmail.com/ahc/6hG0AQ/AQ/bf37e917-1b3c-4145-87fa-2427c2915286/1/jzdV63uqUt
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  msedge.exe, PID 3680
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0xd8,0x7ffe7f2346f8,0x7ffe7f234708,0x7ffe7f234718

  msedge.exe, PID 1896
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,8097021307585869825,17699187987682329268,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2

  msedge.exe, PID 2196
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,8097021307585869825,17699187987682329268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses

  msedge.exe, PID 2732
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,8097021307585869825,17699187987682329268,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8

  msedge.exe, PID 224
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8097021307585869825,17699187987682329268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1

  msedge.exe, PID 3436
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8097021307585869825,17699187987682329268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:1

  identity_helper.exe, PID 4588
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,8097021307585869825,17699187987682329268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8

  identity_helper.exe, PID 2432
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,8097021307585869825,17699187987682329268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses

  msedge.exe, PID 2396
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8097021307585869825,17699187987682329268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1

  msedge.exe, PID 4560
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8097021307585869825,17699187987682329268,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1

  msedge.exe, PID 4372
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8097021307585869825,17699187987682329268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3672 /prefetch:1

  msedge.exe, PID 3476
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8097021307585869825,17699187987682329268,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1

  msedge.exe, PID 2236
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8097021307585869825,17699187987682329268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1

  msedge.exe, PID 4940
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8097021307585869825,17699187987682329268,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1

CompPkgSrv.exe, PID 2944
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

CompPkgSrv.exe, PID 2584
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads