Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    05/04/2024, 19:38

General

  • Target

    http://https;//fbi.bet/
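The target above is not a well-formed URL: an `https://` (with the colon apparently typed as a semicolon) has been pasted behind an `http://` prefix. To a standards-based parser the authority is therefore `https;` and `//fbi.bet/` is the path, so the host an analyst would put on a blocklist, or re-submit for analysis, is not the host the parser reports. The helper below is an added example, not code from the sandbox or its vendor: it shows what Python's `urllib.parse` sees and recovers the URL the submitter most likely meant. The recovery rule (an authority that is a bare scheme name such as `https;` or `https:` followed by a path beginning with `//`) is an assumption of this example; nothing on this page says which host the sandbox ultimately reached.

```python
"""Triage helper for a mangled sandbox target (added example, not sandbox code).

The target on this page is literally ``http://https;//fbi.bet/``. To a
standards-based parser the authority is ``https;`` and ``//fbi.bet/`` is the
path, so the host a blocklist or a re-run should use (fbi.bet) is not the host
the parser reports. ``recover_intended_url`` undoes the paste-behind-a-prefix
mistake; its rule (authority that is a bare scheme such as ``https;`` or
``https:`` followed by a path starting with ``//``) is an assumption of this
example, not something the report states.
"""
import re
from typing import Dict, Optional
from urllib.parse import urlsplit

# Authority that is really a scheme name with a stray ':' or ';' behind it.
_SCHEME_AS_HOST = re.compile(r"^(https?)[:;]?$", re.IGNORECASE)


def split_target(url: str) -> Dict[str, Optional[str]]:
    """Components as urllib.parse actually sees them (no repair applied)."""
    parts = urlsplit(url)
    return {"scheme": parts.scheme, "host": parts.hostname, "path": parts.path}


def recover_intended_url(url: str) -> Optional[str]:
    """Return the URL hidden behind a duplicated scheme prefix, else None.

    ``http://https;//fbi.bet/`` -> ``https://fbi.bet/``. The inner scheme is
    taken from the bogus authority; query and fragment are preserved.
    """
    parts = urlsplit(url)
    m = _SCHEME_AS_HOST.match(parts.netloc)
    if not m or not parts.path.startswith("//"):
        return None
    fixed = f"{m.group(1).lower()}://{parts.path[2:]}"
    if parts.query:
        fixed += f"?{parts.query}"
    if parts.fragment:
        fixed += f"#{parts.fragment}"
    return fixed


def blocklist_host(url: str) -> Optional[str]:
    """Host to act on: from the repaired URL if a repair applied, else as given."""
    return urlsplit(recover_intended_url(url) or url).hostname


if __name__ == "__main__":
    target = "http://https;//fbi.bet/"    # the target exactly as submitted on this page
    print(split_target(target))           # host is 'https;', path is '//fbi.bet/'
    print(recover_intended_url(target))   # https://fbi.bet/
    print(blocklist_host(target))         # fbi.bet
```

Run it before trusting any domain-level IoC from this report: if a submission is mangled this way, the sandbox may never have resolved the intended host, and a second run against the repaired URL is cheaper than a false blocklist entry.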

Score
10/10

Malware Config

Signatures

  • Detected phishing page
  • Looks up external IP address via web service (2 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Suspicious behavior: EnumeratesProcesses (12 IoCs)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (25 IoCs)
  • Suspicious use of SendNotifyMessage (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://https;//fbi.bet/
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3448
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffac73c3cb8,0x7ffac73c3cc8,0x7ffac73c3cd8
      2⤵
      PID:3436
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,7581547474338973580,14097244073450926736,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
      2⤵
      PID:4348
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,7581547474338973580,14097244073450926736,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4352
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,7581547474338973580,14097244073450926736,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
      2⤵
      PID:4176
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7581547474338973580,14097244073450926736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
      2⤵
      PID:3676
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7581547474338973580,14097244073450926736,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
      2⤵
      PID:4556
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7581547474338973580,14097244073450926736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1
      2⤵
      PID:3300
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7581547474338973580,14097244073450926736,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4492 /prefetch:1
      2⤵
      PID:2168
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,7581547474338973580,14097244073450926736,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4040 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1208
    • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,7581547474338973580,14097244073450926736,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3332 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1860
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7581547474338973580,14097244073450926736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:1
      2⤵
      PID:1848
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7581547474338973580,14097244073450926736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
      2⤵
      PID:2380
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1908,7581547474338973580,14097244073450926736,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5016 /prefetch:8
      2⤵
      PID:4680
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7581547474338973580,14097244073450926736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1
      2⤵
      PID:72
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7581547474338973580,14097244073450926736,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
      2⤵
      PID:576
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7581547474338973580,14097244073450926736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
      2⤵
      PID:3640
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7581547474338973580,14097244073450926736,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
      2⤵
      PID:1324
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,7581547474338973580,14097244073450926736,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5404 /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1976
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2284
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2340
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x00000000000004F0 0x00000000000004E4
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2584
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
    1⤵
    PID:3480
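The tree above is read by its depth markers (`1⤵`, `2⤵`), not by its indentation, which drifts during extraction: every `2⤵` entry is a child of the first msedge.exe (PID 3448), while the two CompPkgSrv.exe instances, AUDIODG.EXE and the NPSMSvc svchost.exe are `1⤵`, i.e. top-level processes that are not descendants of the browser. The parser below is an added example, not code from the sandbox or its vendor. It rebuilds parent/child links from the report's own markers, lists which processes carry a given signature, and picks out children launched with an explicitly disabled sandbox (`--service-sandbox-type=none`, `--disable-gpu-sandbox`). The sample input is a constructed excerpt of this page with long flag lists shortened. Caveat for triage: those sandbox switches are how this Edge 90 build launches its network, UtilWin, identity-helper and fallback GPU processes; they are chosen by the browser, never by the visited page, and on their own are not evidence of compromise.

```python
"""Rebuild the process tree of a tria.ge-style report (added example, not sandbox code).

Each process is a bullet with the image path, then the command line, a depth
marker (``1⤵`` = top level, ``2⤵`` = child of the nearest preceding ``1⤵``
process), zero or more signature bullets, and ``PID:n``. Nesting comes from the
depth markers, not from indentation.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt of this report; long flag lists are shortened.
SAMPLE = r"""
• C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://https;//fbi.bet/
  1⤵
  • Enumerates system info in registry
  • Suspicious use of WriteProcessMemory
  PID:3448
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --service-sandbox-type=none --mojo-platform-channel-handle=2036 /prefetch:3
    2⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:4352
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --mojo-platform-channel-handle=5404 /prefetch:2
    2⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1976
• C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x00000000000004F0 0x00000000000004E4
  1⤵
  • Suspicious use of AdjustPrivilegeToken
  PID:2584
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
  1⤵
  PID:3480
"""

_PROC = re.compile(r"^• ([A-Za-z]:\\.+)$")   # bullet whose text is a Windows path
_DEPTH = re.compile(r"^(\d+)⤵$")
_PID = re.compile(r"^PID:(\d+)$")

# Chromium switches that start a child without a sandbox. Normal for this Edge
# build's helper processes and chosen by the browser, not by the visited page.
SANDBOX_OFF = ("--service-sandbox-type=none", "--disable-gpu-sandbox", "--no-sandbox")


@dataclass
class Proc:
    path: str
    cmdline: str = ""
    depth: int = 0
    pid: int = 0
    signatures: List[str] = field(default_factory=list)
    parent: Optional["Proc"] = field(default=None, repr=False, compare=False)


def parse_tree(text: str) -> List[Proc]:
    """Parse report text into Proc records in document order, parents linked."""
    procs: List[Proc] = []
    latest_at_depth: Dict[int, Proc] = {}   # depth -> most recent process at that depth
    cur: Optional[Proc] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := _PROC.match(line)):
            cur = Proc(path=m.group(1))
            procs.append(cur)
        elif cur is None:
            continue                          # text before the first process bullet
        elif (m := _DEPTH.match(line)):
            cur.depth = int(m.group(1))
            cur.parent = latest_at_depth.get(cur.depth - 1)
            latest_at_depth[cur.depth] = cur
            for d in [d for d in latest_at_depth if d > cur.depth]:
                del latest_at_depth[d]        # deeper entries belong to a finished subtree
        elif (m := _PID.match(line)):
            cur.pid = int(m.group(1))
        elif line.startswith("• "):
            cur.signatures.append(line[2:])   # signature bullet, not a path
        elif not cur.cmdline:
            cur.cmdline = line                # first plain line after the path is the command line
    return procs


def roots(procs: List[Proc]) -> List[Proc]:
    return [p for p in procs if p.parent is None]


def children_of(procs: List[Proc], pid: int) -> List[Proc]:
    return [p for p in procs if p.parent is not None and p.parent.pid == pid]


def unsandboxed(procs: List[Proc]) -> List[int]:
    return [p.pid for p in procs if any(sw in p.cmdline for sw in SANDBOX_OFF)]


def with_signature(procs: List[Proc], name: str) -> List[int]:
    return [p.pid for p in procs if name in p.signatures]


if __name__ == "__main__":
    tree = parse_tree(SAMPLE)
    for p in tree:
        image = p.path.rsplit("\\", 1)[-1]
        parent = p.parent.pid if p.parent else "-"
        print(f"{'  ' * (p.depth - 1)}{p.pid:<5} {image:<14} parent={parent}")
    print("unsandboxed children:", unsandboxed(tree))
    print("AdjustPrivilegeToken:", with_signature(tree, "Suspicious use of AdjustPrivilegeToken"))
```

Point the parser at the full Processes section of a report to get the same roots/children split the sandbox UI shows; the value on a page like this one is seeing at a glance that the only process with AdjustPrivilegeToken (AUDIODG.EXE) is a root, not something the browser spawned.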

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: d4604cbec2768d84c36d8ab35dfed413
    SHA1: a5b3db6d2a1fa5a8de9999966172239a9b1340c2
    SHA256: 4ea5e5f1ba02111bc2bc9320ae9a1ca7294d6b3afedc128717b4c6c9df70bde2
    SHA512: c8004e23dc8a51948a2a582a8ce6ebe1d2546e4c1c60e40c6583f5de1e29c0df20650d5cb36e5d2db3fa6b29b958acc3afd307c66f48c168e68cbb6bcfc52855

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 577e1c0c1d7ab0053d280fcc67377478
    SHA1: 60032085bb950466bba9185ba965e228ec8915e5
    SHA256: 1d2022a0870c1a97ae10e8df444b8ba182536ed838a749ad1e972c0ded85e158
    SHA512: 39d3fd2d96aee014068f3fda389a40e3173c6ce5b200724c433c48ddffe864edfc6207bb0612b8a811ce41746b7771b81bce1b9cb71a28f07a251a607ce51ef5

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
    Filesize: 1024KB
    MD5: 214b2fa780663e5b1778c56a8c0c63fd
    SHA1: 2a82b012c67b9f595eb9d236514bdc5fd69f99e1
    SHA256: 916ba93a76b04c7ba7dd845ba5df93b495016834581ea315af3b99207251cf47
    SHA512: 6d1b74be3c6db291094fd464f4a6e9495e5d88eae0ab98cd94c27c2d201cc002c5dbac312157693ffb97504b14b1137f6faece68e5bce762a215d58466555ec7

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index
    Filesize: 168B
    MD5: 0532e26d3f55da7c9394df5f284dbc0c
    SHA1: 6bd6c30e3893e3ca05d5011edcc4f943785231a6
    SHA256: 5c4a84db8ed0b05b5927f9f8b981afdbb6bb275e22088aa84888eac8f253707a
    SHA512: df0ec4c9cb4327a915e9e95ca255aa8eb683553e8e49ef014af091f661ec7f7f78b5aace03916b3db136ba74c9062826470a3cf62f373bf02cec733414dd3cf1

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize: 467B
    MD5: e2595ecfcd3989b1b758ffc69129b7a0
    SHA1: ad0be3535b21d3a89e399a3e818153248ecbd2cd
    SHA256: cd11be11cb84bf9706a08292e2f9e51218992fcb9d9096926347266378a87be3
    SHA512: 484271d63bda72a261ffd97e86a139a5db43c7bd071d520a359c76bd1e1d5a8950520eee6ade491c16e269d2520d5c3d51cebba9f2614b8ba9b027adc5634c22

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: 2f89e7f3ccdc22628a8415d0c223ee04
    SHA1: 4d5dc593fdcaa8935b15cfcf8f78a91c94400320
    SHA256: 5a30b97314d2867be75c0e568d663314aea4b3a89ef8d1a815c651a8e73e3ec8
    SHA512: f2f79610d33052d3be9a18ee078dd5b0debf3368b3acbc469ea35d3bec1bef13c745ae60259d6a9befaf562cb8d01b825bad9eb7a367250d4dcfed70707bf358

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: 185228b0c709f08833ccc916001f7eac
    SHA1: 52ea63449bc989e8cb07e0b561293b150fb881fd
    SHA256: a67f05a332b938bf8e580150ab4fc1448841e67383f1712f51a33d6dce71dc92
    SHA512: 382969b3f8553f9a344fa71af4a39711463b6bb0ea3bfff4b7e22ff1088a301796fe94879d5cb62149bb8700b58f6a75f099d5310187bb08fc762010eb53bb4e

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: c7a895bbbb8c0f2c77f035130c1e0a84
    SHA1: 796150843bb9bb516ebdec3f2a1d936e89ddcc48
    SHA256: 9023cc6e50ede124d6e7b6fcfe673684a98ce48a9b44f3179b8a1a396dd12819
    SHA512: 1115d369c28a4eab401af9a282f815941b9ef99d5057da8c5f9abfe30f29269224bd3966a6f056eb4a7d45de2856608545898dc76b8baaa1716d6b8ba902d50c

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: f942f42080e3a25bf0611310941d4669
    SHA1: 100c56cc3863fb416c480dc4a499c980c4857c39
    SHA256: 455df48aae7a94e9dcd747c065261856a089dc404199d517902069ac02b12dfe
    SHA512: d8bfc0029241f0d430fe86967226a852c5aa124e8e698bacfe40499d98ce79b56473a35a5f70cf6ba5ebd6e3215a1bc9f3b1c43b8311166df022370f2466d66f

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 6752a1d65b201c13b62ea44016eb221f
    SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
    SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
    SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 11KB
    MD5: fd1c925b8880f434e40b161158cadcc8
    SHA1: c606d9a29d6c6396c1fcb3e5541441fb08702342
    SHA256: 25912b6ef96de33dae095d473a55f90bd40d05cbbb47bed6da1f6f3f95a8e52e
    SHA512: d4eeb942c81be9bc4ca9b5715fbb5e1c133f1f5aae53e87d2f73dcc66bd1cfaa0a7c0add1ad5c1bee7a091b6a2665b54a84bb001ee0a05d050ef31770c487af5