Analysis
- max time kernel: 146s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-03-2024 21:02
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
- Sample: https://u.to/AMaFIA
- Resource: win10v2004-20240226-en

General
- Target: https://u.to/AMaFIA
Malware Config
Signatures
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description | ioc | process):
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes (pid | process):
- 1360 | msedge.exe (2 entries)
- 2328 | msedge.exe (2 entries)
- 3844 | identity_helper.exe (2 entries)
- 4720 | msedge.exe (4 entries)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
Processes (pid | process):
- 2328 | msedge.exe (7 entries)
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description | pid | process):
- Token: SeManageVolumePrivilege | 792 | svchost.exe
-
Suspicious use of FindShellTrayWindow (25 IoCs)
Processes (pid | process):
- 2328 | msedge.exe (25 entries)
-
Suspicious use of SendNotifyMessage (24 IoCs)
Processes (pid | process):
- 2328 | msedge.exe (24 entries)
-
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description | pid | process | target process); 64 entries in total, all from PID 2328 msedge.exe, each target repeated several times in the order below:
- PID 2328 wrote to memory of 3040 | 2328 | msedge.exe | msedge.exe
- PID 2328 wrote to memory of 2028 | 2328 | msedge.exe | msedge.exe
- PID 2328 wrote to memory of 1360 | 2328 | msedge.exe | msedge.exe
- PID 2328 wrote to memory of 3836 | 2328 | msedge.exe | msedge.exe
Processes (process tree; children are indented under their parent)
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://u.to/AMaFIA
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa3f2146f8,0x7ffa3f214708,0x7ffa3f214718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,8010788176140306833,4406152392797272295,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,8010788176140306833,4406152392797272295,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,8010788176140306833,4406152392797272295,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8010788176140306833,4406152392797272295,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8010788176140306833,4406152392797272295,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8010788176140306833,4406152392797272295,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8010788176140306833,4406152392797272295,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8010788176140306833,4406152392797272295,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,8010788176140306833,4406152392797272295,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,8010788176140306833,4406152392797272295,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8010788176140306833,4406152392797272295,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8010788176140306833,4406152392797272295,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,8010788176140306833,4406152392797272295,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3184 /prefetch:2
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 7c6136bc98a5aedca2ea3004e9fbe67d
  SHA1: 74318d997f4c9c351eef86d040bc9b085ce1ad4f
  SHA256: 50c3bd40caf7e9a82496a710f58804aa3536b44d57e2ee5e2af028cbebc6c2f2
  SHA512: 2d2fb839321c56e4cb80562e9a1daa4baf48924d635729dc5504a26462796919906f0097dd1fc7fd053394c0eea13c25219dec54ffe6e9abb6e8cb9afa66bada
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 5c6aef82e50d05ffc0cf52a6c6d69c91
  SHA1: c203efe5b45b0630fee7bd364fe7d63b769e2351
  SHA256: d9068cf3d04d62a9fb1cdd4c3cf7c263920159171d1b84cb49eff7cf4ed5bc32
  SHA512: 77ad48936e8c3ee107a121e0b2d1216723407f76872e85c36413237ca1c47b8c40038b8a6349b072bbcc6a29e27ddda77cf686fa97569f4d86531e6b2ac485ed
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 456B
  MD5: fe6c9f3237dd3414065e57bd3d6bac3f
  SHA1: 80e32df3d7bb20e87c8a24bdf55dfcbcadde03b2
  SHA256: 6afe4ed0e1b9396d6d5257f0b3cb1f389821f47c648d786b1e626651846e73f1
  SHA512: ef4103e3b46967895f1932c20185f61b8ac1a4e0be7e9ddea85645375f44d152a31f5c86aa31b8bee4e2d8aab8cad7f67f0bd886257e5d12c0f01283f489847e
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 111B
  MD5: 285252a2f6327d41eab203dc2f402c67
  SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 1KB
  MD5: 09dec2ec294e4d82cbbd7fe6d683b26c
  SHA1: b0bddfe7abb0b6fdd6f550dd17768900863886ec
  SHA256: 5d6b8e8e0342d3657a623c92c36997c56be720169cd02c19823dd97032923e7f
  SHA512: 6847af90b27d03cfb31358c27d37f58d141d4e26e6713136e10cf4b1ea82d4ad34fc104464bb676ac772133f1a3328fc3d4a4041b1015119f8930e3b12783ee3
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 2cac8f8ef3a5f446298d05481c4e1306
  SHA1: 3d6b3463862a771f7fd71b213918c40bc5cc5ca1
  SHA256: 13b019bcf3b42dcd64f3080ded1019479ea55021f0ac75df2eb186efc029102f
  SHA512: a1e017ed62adc5f9889be90c4e67a3aeb0dfa8cf7fef1a01fcfac7d942a3816dc3f04a467d4cba9e271e8b21a3650a3ab5899172dddeeb2a9feb879715926e88
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 07498be87229b5eceee0ae924677d05d
  SHA1: d3dbc7cf49c317afd065b6cb2d90171954434156
  SHA256: fff7ca29376adb5c32dc5189d29cc45132f1b6c6744de284fba56f809d119a9c
  SHA512: caff00796b7dd378a40106864b9c9b5240a5349712dddfd590d831113b80359d6e48f2060d68698fa57a730c8379ac7fc7d6f2f28fadb1631d2f7fe412ceef58
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: bc36f01c64170dcb2ca6d721ae54eb66
  SHA1: 66dba34a0010500268c6a9235d422d6bdc376582
  SHA256: b937838143d45c01e9a9e4b20a3aca0952ebcf2e874cbf766cf716317afed36d
  SHA512: 37ddc8418eb37603c790e44b54658a7f3024ed966b33d3f3b6a937234e2de204c471cc90d3877ff70a566f9444ae85145cebf0c1641cda99e22af8254670a0ec
- memory/792-189-0x000002266C6B0000-0x000002266C6C0000-memory.dmp
  Filesize: 64KB
- memory/792-205-0x000002266C7B0000-0x000002266C7C0000-memory.dmp
  Filesize: 64KB
- memory/792-221-0x0000022674B20000-0x0000022674B21000-memory.dmp
  Filesize: 4KB
- memory/792-223-0x0000022674B50000-0x0000022674B51000-memory.dmp
  Filesize: 4KB
- memory/792-224-0x0000022674B50000-0x0000022674B51000-memory.dmp
  Filesize: 4KB
- memory/792-225-0x0000022674C60000-0x0000022674C61000-memory.dmp
  Filesize: 4KB