hxxps://steamcommunivy[.]com/gjft/738135

Resubmissions

27-03-2024 14:52

240327-r8pw3ahf8v 10

27-03-2024 14:50

240327-r7v2paed86 10

Analysis

max time kernel
145s
max time network
145s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
27-03-2024 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://steamcommunivy.com/gjft/738135

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
5028	msedge.exe
5028	msedge.exe
2976	msedge.exe
2976	msedge.exe
684	msedge.exe
684	msedge.exe
2252	identity_helper.exe
2252	identity_helper.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

2976 msedge.exe
2976 msedge.exe
2976 msedge.exe
2976 msedge.exe
2976 msedge.exe
2976 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2976 wrote to memory of 5104	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 5104	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 648	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 5028	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 5028	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 3388	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 3388	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 3388	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 3388	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 3388	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 3388	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 3388	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 3388	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 3388	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 3388	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 3388	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 3388	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 3388	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 3388	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 3388	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 3388	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 3388	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 3388	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 3388	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 3388	2976	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunivy.com/gjft/738135
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff0e7f3cb8,0x7fff0e7f3cc8,0x7fff0e7f3cd8
2⤵
PID:5104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,1646957100883017467,15279574595414420715,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1956 /prefetch:2
2⤵
PID:648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,1646957100883017467,15279574595414420715,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,1646957100883017467,15279574595414420715,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
2⤵
PID:3388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1646957100883017467,15279574595414420715,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
2⤵
PID:2392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1646957100883017467,15279574595414420715,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
2⤵
PID:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1944,1646957100883017467,15279574595414420715,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:684

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,1646957100883017467,15279574595414420715,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1646957100883017467,15279574595414420715,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
2⤵
PID:2336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1646957100883017467,15279574595414420715,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
2⤵
PID:244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1646957100883017467,15279574595414420715,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
2⤵
PID:464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1646957100883017467,15279574595414420715,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
2⤵
PID:1564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,1646957100883017467,15279574595414420715,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5268 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4048

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:992

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d459a8c16562fb3f4b1d7cadaca620aa

SHA1
7810bf83e8c362e0c69298e8c16964ed48a90d3a

SHA256
fa31bc49a2f9af06d325871104e36dd69bfe3847cd521059b62461a92912331a

SHA512
35cb00c21908e1332c3439af1ec9867c81befcc4792248ee392080b455b1f5ce2b0c0c2415e344d91537469b5eb72f330b79feb7e8a86eeb6cf41ec5be5dfd2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
656bb397c72d15efa159441f116440a6

SHA1
5b57747d6fdd99160af6d3e580114dbbd351921f

SHA256
770ed0fcd22783f60407cdc55b5998b08e37b3e06efb3d1168ffed8768751fab

SHA512
5923db1d102f99d0b29d60916b183b92e6be12cc55733998d3da36d796d6158c76e385cef320ec0e9afa242a42bfb596f7233b60b548f719f7d41cb8f404e73c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
456B

MD5
6fa65d581e2425b4ea206006b4c1875d

SHA1
2eb7b33e655fd07226d6216c0b955ca017495e7a

SHA256
30a200b50c503e76cdae966c7d72476edca3653b69629799a2aed9a59a9ce393

SHA512
6537c46f49f3579505dc3c539274dbfaddb4a3411be8f2d49fd12dec97f4e0b77eeea7f0c7463af17b5bb63cca8bde1c690d4856f3d9972cf9baade7c6f3db9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
787B

MD5
e919cd1a8e07880d7840ec27aa5b98a1

SHA1
8a9a0d38a1d99eaabf737e47d74f5a844c36ab0a

SHA256
c543fe642340626db7f3840c8b71dd5b9be50b845dfa71b8c3a4702b8f600be1

SHA512
e04271087871ecc8d2cf753ef0bb38efd5fe414960ea11a6ecc5547d94adcd92e0f0bf013c7d2f64a623b4037b6a096eca8a3b9bfea3ebb11e5fbe945b1d211f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
b61362e436646796504de3337e3daedc

SHA1
8d6f9f5ae615a01b12783a398cbbdb15e3ff311a

SHA256
eae67a727626f99954098eddeedf672d3487e9d320d595b0f811fcd37e843fca

SHA512
6f2964814a1ccd87384f565dc46432f0a43a01eda53a0c925f8ceedc12c353cbc4a8a8706a6713ab2701245e79e93fcd17621ce753d5a803096547441bb22414

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
bcbf660951f2eaf4c34510a0d7b902ae

SHA1
b4379d020a068ed8af52e05b34f50736f85b57a8

SHA256
244b3e52e08482269607e26b7ab744a9bae703989e5b512011ef2065841a5a15

SHA512
55953ad7c1949872094f1d7e0f024520cccb49e852bd3b5311c6dfb10421b31cdeca73dec7965075c43bf831a849f288b8f95de118a6a0f0ca8c370f35737a43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
43e3d8c29fcb5abfc3d1a566fbc5af09

SHA1
377f3753996fc7bfc73a08bc435370efcfff267b

SHA256
edf4ba83cce310f2887ad93bfd6f186cb2122c249cc23f56c8eed26fe8dc3d0d

SHA512
9f5b8769e26c4f8ab76bcc9af3ef51f3486cc7011ad10b0fb4e480552d22b327c5391ba03cfb103b1159fef53e2a5d8bc76333caa14ddc24a4c2bf98b7a6e340

Download Submit
\??\pipe\LOCAL\crashpad_2976_HUJSGHEGDZHODGUE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit