Analysis
  max time kernel:  14s
  max time network: 20s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240226-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        25-03-2024 21:39

  Static task:      static1
  URLScan task:     urlscan1
  Behavioral task:  behavioral1
  Sample:           https://sreamconnmunity.ru/id/765611982540767
  Resource:         win10v2004-20240226-en
General
  Target: https://sreamconnmunity.ru/id/765611982540767
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description        ioc                                                                   process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid   process
  4480  msedge.exe
  4480  msedge.exe
  3024  msedge.exe
  3024  msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
Processes:
  pid   process
  3024  msedge.exe
  3024  msedge.exe
Suspicious use of FindShellTrayWindow (25 IoCs)
Processes:
  pid   process     count
  3024  msedge.exe  25 (identical entries)
Suspicious use of SendNotifyMessage (24 IoCs)
Processes:
  pid   process     count
  3024  msedge.exe  24 (identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  description                       pid   process     target process  count
  PID 3024 wrote to memory of 2992  3024  msedge.exe  msedge.exe      2
  PID 3024 wrote to memory of 4660  3024  msedge.exe  msedge.exe      40
  PID 3024 wrote to memory of 4480  3024  msedge.exe  msedge.exe      2
  PID 3024 wrote to memory of 1988  3024  msedge.exe  msedge.exe      20
Processes
(the number before each entry is its depth in the process tree: 1 = top level, 2 = child of the preceding level-1 process)

1  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://sreamconnmunity.ru/id/765611982540767
   - Enumerates system info in registry
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ff9d16646f8,0x7ff9d1664708,0x7ff9d1664718

   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,11188803198831683714,16500216368810863195,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2

   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,11188803198831683714,16500216368810863195,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,11188803198831683714,16500216368810863195,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8

   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11188803198831683714,16500216368810863195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11188803198831683714,16500216368810863195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

   2  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,11188803198831683714,16500216368810863195,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:8

   2  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,11188803198831683714,16500216368810863195,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:8

   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11188803198831683714,16500216368810863195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1

   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11188803198831683714,16500216368810863195,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1

1  C:\Windows\System32\CompPkgSrv.exe
   C:\Windows\System32\CompPkgSrv.exe -Embedding

1  C:\Windows\System32\CompPkgSrv.exe
   C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5:      36bb45cb1262fcfcab1e3e7960784eaa
  SHA1:     ab0e15841b027632c9e1b0a47d3dec42162fc637
  SHA256:   7c6b0de6f9b4c3ca1f5d6af23c3380f849825af00b58420b76c72b62cfae44ae
  SHA512:   02c54c919f8cf3fc28f5f965fe1755955636d7d89b5f0504a02fcd9d94de8c50e046c7c2d6cf349fabde03b0fbbcc61df6e9968f2af237106bf7edd697e07456

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5:      1e3dc6a82a2cb341f7c9feeaf53f466f
  SHA1:     915decb72e1f86e14114f14ac9bfd9ba198fdfce
  SHA256:   a56135007f4dadf6606bc237cb75ff5ff77326ba093dff30d6881ce9a04a114c
  SHA512:   0a5223e8cecce77613b1c02535c79b3795e5ad89fc0a934e9795e488712e02b527413109ad1f94bbd4eb35dd07b86dd6e9f4b57d4d7c8a0a57ec3f7f76c7890a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5:      b7d6e5a8674a6c0cc2553da418a9e1ac
  SHA1:     2c47fc905b754e08ec991e67e95a6bf668ba7e36
  SHA256:   664ba837780978ce4c661d0442356bfe575fa613240aa12fa35b1619c35bf3bf
  SHA512:   4d672f90e915d66b5b5d33a6fd69927c996c69d5ef79cc7d7f68bd09a4ff579ae726a193a3e1c2fb8e5d695cc5504c2227a526cd2fd9e2d308d6a47e0f975c05

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5:      630916f1ae937489816618987467ee4e
  SHA1:     435d63b79216e7cddcc02a0058c23a7e12561bbd
  SHA256:   5cf5bc9c2f0ee6e828d77e73e4539b0041a70ab97f1d5b553151d27cff5cf197
  SHA512:   b066e6e106d3520edccc18be6d2e247b159e6d0f7b278c9b23479f1f65c5723b282c1b5f11be84199ed727271ac122a4ee8769bffac78a64d646bae3efc7d382

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5:      6752a1d65b201c13b62ea44016eb221f
  SHA1:     58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256:   0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512:   9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5:      9097357c1ff969fcd0886c70b634feef
  SHA1:     37c15191d1a68a05d0d4bd706ede74e470cf3721
  SHA256:   b46ae80c429f1123024ec1caa3b220cf5a67e7b07152a332447b737d4f8eeb7b
  SHA512:   30a590fd26bb501f8238ee1b60bc9074bc28e9ac856d35f6773c23e8472e34b85b474ccf1efb5fc15c80d2c6d8c614efb2f5da4dd271bcb6b11b74d54c50a0c5