Analysis

max time kernel: 149s
max time network: 155s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 02/04/2024, 01:05
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://pub-7f308c9ae5b5492298cd1fac16258be6.r2.dev/webalizer.html
Resource: win11-20240221-en
General

Target: https://pub-7f308c9ae5b5492298cd1fac16258be6.r2.dev/webalizer.html
Malware Config
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)

Suspicious behavior: EnumeratesProcesses (8 IoCs)
- PID 3932 msedge.exe
- PID 3932 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1816 msedge.exe
- PID 1816 msedge.exe
- PID 4352 identity_helper.exe
- PID 4352 identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe

Suspicious use of FindShellTrayWindow (26 IoCs)
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe

Suspicious use of SendNotifyMessage (12 IoCs)
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe
- PID 1364 msedge.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Each entry: description (pid, Process, procid_target)
- PID 1364 wrote to memory of 1632 (1364, msedge.exe, 80)
- PID 1364 wrote to memory of 1632 (1364, msedge.exe, 80)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 2568 (1364, msedge.exe, 81)
- PID 1364 wrote to memory of 3932 (1364, msedge.exe, 82)
- PID 1364 wrote to memory of 3932 (1364, msedge.exe, 82)
- PID 1364 wrote to memory of 4540 (1364, msedge.exe, 83)
- PID 1364 wrote to memory of 4540 (1364, msedge.exe, 83)
- PID 1364 wrote to memory of 4540 (1364, msedge.exe, 83)
- PID 1364 wrote to memory of 4540 (1364, msedge.exe, 83)
- PID 1364 wrote to memory of 4540 (1364, msedge.exe, 83)
- PID 1364 wrote to memory of 4540 (1364, msedge.exe, 83)
- PID 1364 wrote to memory of 4540 (1364, msedge.exe, 83)
- PID 1364 wrote to memory of 4540 (1364, msedge.exe, 83)
- PID 1364 wrote to memory of 4540 (1364, msedge.exe, 83)
- PID 1364 wrote to memory of 4540 (1364, msedge.exe, 83)
- PID 1364 wrote to memory of 4540 (1364, msedge.exe, 83)
- PID 1364 wrote to memory of 4540 (1364, msedge.exe, 83)
- PID 1364 wrote to memory of 4540 (1364, msedge.exe, 83)
- PID 1364 wrote to memory of 4540 (1364, msedge.exe, 83)
- PID 1364 wrote to memory of 4540 (1364, msedge.exe, 83)
- PID 1364 wrote to memory of 4540 (1364, msedge.exe, 83)
- PID 1364 wrote to memory of 4540 (1364, msedge.exe, 83)
- PID 1364 wrote to memory of 4540 (1364, msedge.exe, 83)
- PID 1364 wrote to memory of 4540 (1364, msedge.exe, 83)
- PID 1364 wrote to memory of 4540 (1364, msedge.exe, 83)
Processes

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1364)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pub-7f308c9ae5b5492298cd1fac16258be6.r2.dev/webalizer.html
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1632)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffec21f3cb8,0x7ffec21f3cc8,0x7ffec21f3cd8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2568)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,4047751974828573816,9650951918316596136,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3932)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,4047751974828573816,9650951918316596136,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4540)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,4047751974828573816,9650951918316596136,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2528 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5068)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,4047751974828573816,9650951918316596136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2620)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,4047751974828573816,9650951918316596136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1340)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,4047751974828573816,9650951918316596136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3812)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,4047751974828573816,9650951918316596136,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1816)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1936,4047751974828573816,9650951918316596136,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4744 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2980)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,4047751974828573816,9650951918316596136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4240)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,4047751974828573816,9650951918316596136,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe (PID 4352)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,4047751974828573816,9650951918316596136,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5704 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3228)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,4047751974828573816,9650951918316596136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4592)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,4047751974828573816,9650951918316596136,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
- C:\Windows\System32\CompPkgSrv.exe (PID 4740)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 3448)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads