Analysis
- max time kernel: 90s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-03-2024 21:29
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
- Sample: https://steamcomunnitlly.com/gift/activation/feor37569hFvrb1a
- Resource: win10v2004-20231215-en

General
- Target: https://steamcomunnitlly.com/gift/activation/feor37569hFvrb1a
Malware Config
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (process: description, ioc):
- msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes (pid, process):
- 460 msedge.exe (2 entries)
- 2480 msedge.exe (2 entries)
- 3644 identity_helper.exe (2 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
Processes (pid, process):
- 2480 msedge.exe (6 entries)

Suspicious use of FindShellTrayWindow (25 IoCs)
Processes (pid, process):
- 2480 msedge.exe (25 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
Processes (pid, process):
- 2480 msedge.exe (24 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source pid/process -> target pid/process; the writer in all 64 entries is PID 2480 msedge.exe):
- 2480 msedge.exe wrote to memory of 1116 msedge.exe (2 entries)
- 2480 msedge.exe wrote to memory of 4052 msedge.exe (repeated entries)
- 2480 msedge.exe wrote to memory of 460 msedge.exe (2 entries)
- 2480 msedge.exe wrote to memory of 4192 msedge.exe (repeated entries)
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (top level)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcomunnitlly.com/gift/activation/feor37569hFvrb1a
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
    msedge.exe (crashpad-handler)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb48a146f8,0x7ffb48a14708,0x7ffb48a14718
    msedge.exe (gpu-process)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,10543618267415230190,8375669135736061436,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
    msedge.exe (utility: network.mojom.NetworkService)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,10543618267415230190,8375669135736061436,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
    msedge.exe (utility: storage.mojom.StorageService)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,10543618267415230190,8375669135736061436,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8
    msedge.exe (renderer, client id 6)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10543618267415230190,8375669135736061436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
    msedge.exe (renderer, client id 5)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10543618267415230190,8375669135736061436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
    identity_helper.exe (utility: winrt_app_id.mojom.WinrtAppIdService)
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,10543618267415230190,8375669135736061436,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5784 /prefetch:8
    identity_helper.exe (utility: winrt_app_id.mojom.WinrtAppIdService)
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,10543618267415230190,8375669135736061436,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5784 /prefetch:8
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
    msedge.exe (renderer, client id 8)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10543618267415230190,8375669135736061436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
    msedge.exe (renderer, client id 9, instant process)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10543618267415230190,8375669135736061436,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4244 /prefetch:1
    msedge.exe (renderer, client id 10)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10543618267415230190,8375669135736061436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
    msedge.exe (renderer, client id 11, instant process)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10543618267415230190,8375669135736061436,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe (top level)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (top level)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152 B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index (384 B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index (456 B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State (544 B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State (111 B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (5 KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (5 KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (5 KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (5 KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences (24 KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT (16 B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (10 KB)
- C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic (2 B)
- \??\pipe\LOCAL\crashpad_2480_BQZEXRJWXOBTRREH (named pipe; no size reported, hashes are those of zero-length input)