Analysis
max time kernel: 148s
max time network: 152s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 02/04/2024, 01:01
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://pub-20a8d8deebe04a65985e3e02d12b6a53.r2.dev/secure-portal.html
Resource: win11-20240221-en
General
Target: https://pub-20a8d8deebe04a65985e3e02d12b6a53.r2.dev/secure-portal.html
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
description        ioc                                                                   Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid   Process
396   msedge.exe
396   msedge.exe
72    msedge.exe
72    msedge.exe
4248  identity_helper.exe
4248  identity_helper.exe
2988  msedge.exe
2988  msedge.exe
4712  msedge.exe
4712  msedge.exe
4712  msedge.exe
4712  msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
pid   Process
72    msedge.exe
72    msedge.exe
72    msedge.exe
72    msedge.exe
72    msedge.exe
72    msedge.exe
Suspicious use of FindShellTrayWindow (25 IoCs)
pid   Process
72    msedge.exe
72    msedge.exe
72    msedge.exe
72    msedge.exe
72    msedge.exe
72    msedge.exe
72    msedge.exe
72    msedge.exe
72    msedge.exe
72    msedge.exe
72    msedge.exe
72    msedge.exe
72    msedge.exe
72    msedge.exe
72    msedge.exe
72    msedge.exe
72    msedge.exe
72    msedge.exe
72    msedge.exe
72    msedge.exe
72    msedge.exe
72    msedge.exe
72    msedge.exe
72    msedge.exe
72    msedge.exe
Suspicious use of SendNotifyMessage (12 IoCs)
pid   Process
72    msedge.exe
72    msedge.exe
72    msedge.exe
72    msedge.exe
72    msedge.exe
72    msedge.exe
72    msedge.exe
72    msedge.exe
72    msedge.exe
72    msedge.exe
72    msedge.exe
72    msedge.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description                     pid  Process     procid_target
PID 72 wrote to memory of 3536  72   msedge.exe  78
PID 72 wrote to memory of 3536  72   msedge.exe  78
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 5008  72   msedge.exe  79
PID 72 wrote to memory of 396   72   msedge.exe  80
PID 72 wrote to memory of 396   72   msedge.exe  80
PID 72 wrote to memory of 4544  72   msedge.exe  81
PID 72 wrote to memory of 4544  72   msedge.exe  81
PID 72 wrote to memory of 4544  72   msedge.exe  81
PID 72 wrote to memory of 4544  72   msedge.exe  81
PID 72 wrote to memory of 4544  72   msedge.exe  81
PID 72 wrote to memory of 4544  72   msedge.exe  81
PID 72 wrote to memory of 4544  72   msedge.exe  81
PID 72 wrote to memory of 4544  72   msedge.exe  81
PID 72 wrote to memory of 4544  72   msedge.exe  81
PID 72 wrote to memory of 4544  72   msedge.exe  81
PID 72 wrote to memory of 4544  72   msedge.exe  81
PID 72 wrote to memory of 4544  72   msedge.exe  81
PID 72 wrote to memory of 4544  72   msedge.exe  81
PID 72 wrote to memory of 4544  72   msedge.exe  81
PID 72 wrote to memory of 4544  72   msedge.exe  81
PID 72 wrote to memory of 4544  72   msedge.exe  81
PID 72 wrote to memory of 4544  72   msedge.exe  81
PID 72 wrote to memory of 4544  72   msedge.exe  81
PID 72 wrote to memory of 4544  72   msedge.exe  81
PID 72 wrote to memory of 4544  72   msedge.exe  81
PID 72 wrote to memory of 4544  72   msedge.exe  81
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 72)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pub-20a8d8deebe04a65985e3e02d12b6a53.r2.dev/secure-portal.html
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3536)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaf0513cb8,0x7ffaf0513cc8,0x7ffaf0513cd8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5008)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,7379434758766110264,3152634637313373935,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1876 /prefetch:2
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 396)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1852,7379434758766110264,3152634637313373935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4544)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1852,7379434758766110264,3152634637313373935,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4348)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,7379434758766110264,3152634637313373935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2536)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,7379434758766110264,3152634637313373935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe  (PID 4248)
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1852,7379434758766110264,3152634637313373935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3884)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,7379434758766110264,3152634637313373935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3668)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,7379434758766110264,3152634637313373935,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4904)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,7379434758766110264,3152634637313373935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5092)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,7379434758766110264,3152634637313373935,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2988)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1852,7379434758766110264,3152634637313373935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4712)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,7379434758766110264,3152634637313373935,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4692 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
C:\Windows\System32\CompPkgSrv.exe  (PID 3992)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe  (PID 2236)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
- Filesize: 152B
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index (Filesize: 168B)
- Filesize: 820B
- Filesize: 5KB
- Filesize: 6KB
- Filesize: 16B
- Filesize: 11KB