hxxps://moonreborn[.]com/attachments/steal_31[.]03[.]24_v2[.]20[.]zip

Resubmissions

06/04/2024, 10:50

240406-mxnseahb85 1

06/04/2024, 10:50

240406-mxff2age8z 1

Analysis

max time kernel
1681s
max time network
1693s
platform
windows11-21h2_x64
resource
win11-20240319-en
resource tags

arch:x64arch:x86image:win11-20240319-enlocale:en-usos:windows11-21h2-x64system
submitted
06/04/2024, 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://moonreborn.com/attachments/steal_31.03.24_v2.20.zip

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\steal_31.03.24_v2.20.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2120	msedge.exe
2120	msedge.exe
1052	msedge.exe
1052	msedge.exe
3232	identity_helper.exe
3232	identity_helper.exe
4304	msedge.exe
4304	msedge.exe
2672	msedge.exe
2672	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 1420	1052	msedge.exe	82
PID 1052 wrote to memory of 1420	1052	msedge.exe	82
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 1728	1052	msedge.exe	83
PID 1052 wrote to memory of 2120	1052	msedge.exe	84
PID 1052 wrote to memory of 2120	1052	msedge.exe	84
PID 1052 wrote to memory of 1272	1052	msedge.exe	85
PID 1052 wrote to memory of 1272	1052	msedge.exe	85
PID 1052 wrote to memory of 1272	1052	msedge.exe	85
PID 1052 wrote to memory of 1272	1052	msedge.exe	85
PID 1052 wrote to memory of 1272	1052	msedge.exe	85
PID 1052 wrote to memory of 1272	1052	msedge.exe	85
PID 1052 wrote to memory of 1272	1052	msedge.exe	85
PID 1052 wrote to memory of 1272	1052	msedge.exe	85
PID 1052 wrote to memory of 1272	1052	msedge.exe	85
PID 1052 wrote to memory of 1272	1052	msedge.exe	85
PID 1052 wrote to memory of 1272	1052	msedge.exe	85
PID 1052 wrote to memory of 1272	1052	msedge.exe	85
PID 1052 wrote to memory of 1272	1052	msedge.exe	85
PID 1052 wrote to memory of 1272	1052	msedge.exe	85
PID 1052 wrote to memory of 1272	1052	msedge.exe	85
PID 1052 wrote to memory of 1272	1052	msedge.exe	85
PID 1052 wrote to memory of 1272	1052	msedge.exe	85
PID 1052 wrote to memory of 1272	1052	msedge.exe	85
PID 1052 wrote to memory of 1272	1052	msedge.exe	85
PID 1052 wrote to memory of 1272	1052	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://moonreborn.com/attachments/steal_31.03.24_v2.20.zip
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffce5c43cb8,0x7ffce5c43cc8,0x7ffce5c43cd8
  2⤵
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1768,9552819454187545524,12049295114392134902,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:1728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1768,9552819454187545524,12049295114392134902,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1768,9552819454187545524,12049295114392134902,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
  2⤵
  PID:1272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1768,9552819454187545524,12049295114392134902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1768,9552819454187545524,12049295114392134902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1768,9552819454187545524,12049295114392134902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1768,9552819454187545524,12049295114392134902,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
  2⤵
  PID:5664
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1768,9552819454187545524,12049295114392134902,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1768,9552819454187545524,12049295114392134902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:1
  2⤵
  PID:3380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1768,9552819454187545524,12049295114392134902,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1768,9552819454187545524,12049295114392134902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:5460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1768,9552819454187545524,12049295114392134902,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4684 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1768,9552819454187545524,12049295114392134902,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1768,9552819454187545524,12049295114392134902,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4500 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4113e45804b7888f88ae2a78482d0951

SHA1
4c59bba45c65ba65aa920cbd4eb0d7ccf517a220

SHA256
174195025b51f69ece21274cd7a97fff9f3d9a4bf57185ff3b1297bf2da6d1db

SHA512
16355c4c575a162396cf2ca377f586b3659a70e8c1708cad66b74bb3ef66cbf9ed33d9376730325d95420e5f4f558b2bdb6b5b7595b8b822eb6d2449a83c3f95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e521eb4a4c2bbe4898150cf066ee0cb0

SHA1
c2b311b8b78c677b55a356b8274197fdcbae8ab5

SHA256
1f947cf3be3f525e3039b9c363bb7d7bc0dd2b70da434149e0f0cbbc5d13dbe3

SHA512
59e1b52a41dad2e7f36e0343e330b00bc33a7ba88f616928fd2b6cc526cac6effed76b006cb8a23ff45e85be27647114c7a8376ef3ba53d38ccb9ed4de9a5ea8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
182B

MD5
34d3c7eedd812bf91f64a28979e1c909

SHA1
6d917f399407b95c15e13f9c85814f53fa31a9b2

SHA256
0941722a22e2bc40bcd75f012df08cbac1ed9c94d5414a1a9d5a49f7ab9766a6

SHA512
1413723251a1bdbbd57cc6a3dcfb14c160a3d76033be8041f0f0ad06f8bfd1b7a1b3c1132e01d75d47b9f1840fa4d23aa460a1bf886de452ffd8234a8e80e02d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c011c1e7bcd3b2de52d279e874ad3934

SHA1
b93204ca7939d103bc24100b5da30452a2736be3

SHA256
e19c4c3e30abf871c47cd7e2681165718c560ad36eefdad2c51c521c19d838f8

SHA512
f7e6c0355586a8b8a3d288afbc84f502f53cd78ffc73e16dbe30b5f903123f5612b3a6cf7f0380ac1e279ff16046ad9084d884d46f2df1feffdfad469d46dcb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
358746895585262efe3dce4f69eb9a36

SHA1
66c9b5901cf784d61a8049c1a878c5d35362fef9

SHA256
57f59a6d1d79d24b92c62f992de455a1682fb4c5f370a47d4572af7a862bf195

SHA512
18643c39aa0685166584c1563205612c2d0e93889b31bd7a94661769a90c225bff012b2159d31029102e36718bd8f80af718436be5fd7c12db36238700413683

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f76cecbdb3182f0acc76f096193b3b1a

SHA1
dcc6b3523d479d951d685f63300d8d01f6a6c96d

SHA256
55cdd864c422c4bc9e762cabcf1265789a626c6acceff32ddc3853a0a72a1d37

SHA512
bcb52ff39189549cd6c8217988307ef31991894d88b9fd73d6e3fb3e3324e86e348cf17a37a6ad18c10d3fca031992e9df5e47b0a1cfd1b09ce445ed4183faf7

Download Submit
C:\Users\Admin\Downloads\steal_31.03.24_v2.20.zip

Filesize
7.2MB

MD5
7ab279d65fc88039691b88f55418c01e

SHA1
832945bca7b88ed4c71fdb41aaad4d3964a4d8ec

SHA256
d12c8945721b71c972cb2f6180b768180a80419f113ab3f92fdfa640ba6d626d

SHA512
3af409ed630dd2d625a8b15c8afb72bc610a94590dc7bd57fd059ab555504faf8eb441b5d452eb7ceb73b3db72ca17ea8986c3ec9f75deafb409636b32bb70d0

Download Submit
C:\Users\Admin\Downloads\steal_31.03.24_v2.20.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit