hxxps://sreamconnmunity[.]ru/id/765611982540767

General

Target

https://sreamconnmunity.ru/id/765611982540767

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msedge.exemsedge.exe

pid process

4480 msedge.exe
4480 msedge.exe
3024 msedge.exe
3024 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

3024 msedge.exe
3024 msedge.exe

pid	process
4480	msedge.exe
4480	msedge.exe
3024	msedge.exe
3024	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3024 wrote to memory of 2992	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2992	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4660	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4480	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4480	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 1988	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 1988	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 1988	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 1988	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 1988	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 1988	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 1988	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 1988	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 1988	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 1988	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 1988	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 1988	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 1988	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 1988	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 1988	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 1988	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 1988	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 1988	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 1988	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 1988	3024	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://sreamconnmunity.ru/id/765611982540767
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ff9d16646f8,0x7ff9d1664708,0x7ff9d1664718
2⤵
PID:2992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,11188803198831683714,16500216368810863195,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
2⤵
PID:4660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,11188803198831683714,16500216368810863195,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,11188803198831683714,16500216368810863195,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
2⤵
PID:1988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11188803198831683714,16500216368810863195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
2⤵
PID:4472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11188803198831683714,16500216368810863195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
2⤵
PID:4232

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,11188803198831683714,16500216368810863195,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:8
2⤵
PID:3612

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,11188803198831683714,16500216368810863195,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:8
2⤵
PID:4484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11188803198831683714,16500216368810863195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
2⤵
PID:4656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11188803198831683714,16500216368810863195,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
2⤵
PID:3412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1488

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
36bb45cb1262fcfcab1e3e7960784eaa

SHA1
ab0e15841b027632c9e1b0a47d3dec42162fc637

SHA256
7c6b0de6f9b4c3ca1f5d6af23c3380f849825af00b58420b76c72b62cfae44ae

SHA512
02c54c919f8cf3fc28f5f965fe1755955636d7d89b5f0504a02fcd9d94de8c50e046c7c2d6cf349fabde03b0fbbcc61df6e9968f2af237106bf7edd697e07456

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1e3dc6a82a2cb341f7c9feeaf53f466f

SHA1
915decb72e1f86e14114f14ac9bfd9ba198fdfce

SHA256
a56135007f4dadf6606bc237cb75ff5ff77326ba093dff30d6881ce9a04a114c

SHA512
0a5223e8cecce77613b1c02535c79b3795e5ad89fc0a934e9795e488712e02b527413109ad1f94bbd4eb35dd07b86dd6e9f4b57d4d7c8a0a57ec3f7f76c7890a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
b7d6e5a8674a6c0cc2553da418a9e1ac

SHA1
2c47fc905b754e08ec991e67e95a6bf668ba7e36

SHA256
664ba837780978ce4c661d0442356bfe575fa613240aa12fa35b1619c35bf3bf

SHA512
4d672f90e915d66b5b5d33a6fd69927c996c69d5ef79cc7d7f68bd09a4ff579ae726a193a3e1c2fb8e5d695cc5504c2227a526cd2fd9e2d308d6a47e0f975c05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
630916f1ae937489816618987467ee4e

SHA1
435d63b79216e7cddcc02a0058c23a7e12561bbd

SHA256
5cf5bc9c2f0ee6e828d77e73e4539b0041a70ab97f1d5b553151d27cff5cf197

SHA512
b066e6e106d3520edccc18be6d2e247b159e6d0f7b278c9b23479f1f65c5723b282c1b5f11be84199ed727271ac122a4ee8769bffac78a64d646bae3efc7d382

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
9097357c1ff969fcd0886c70b634feef

SHA1
37c15191d1a68a05d0d4bd706ede74e470cf3721

SHA256
b46ae80c429f1123024ec1caa3b220cf5a67e7b07152a332447b737d4f8eeb7b

SHA512
30a590fd26bb501f8238ee1b60bc9074bc28e9ac856d35f6773c23e8472e34b85b474ccf1efb5fc15c80d2c6d8c614efb2f5da4dd271bcb6b11b74d54c50a0c5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads