Analysis

max time kernel: 45s
max time network: 48s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-04-2024 14:03

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://qptr.ru/EDcn
Resource: win10v2004-20231215-en

General

Target: https://qptr.ru/EDcn
Malware Config
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (process, description, ioc):
  msedge.exe  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  msedge.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  msedge.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes (pid, process):
  3272  msedge.exe (2 entries)
  3604  msedge.exe (2 entries)
  3136  identity_helper.exe (2 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
Processes (pid, process):
  3604  msedge.exe (7 identical entries)

Suspicious use of FindShellTrayWindow (25 IoCs)
Processes (pid, process):
  3604  msedge.exe (25 identical entries)

Suspicious use of SendNotifyMessage (24 IoCs)
Processes (pid, process):
  3604  msedge.exe (24 identical entries)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description, pid, process, target process):
  PID 3604 msedge.exe wrote to memory of 2980 msedge.exe (repeated)
  PID 3604 msedge.exe wrote to memory of 3844 msedge.exe (repeated)
  PID 3604 msedge.exe wrote to memory of 3272 msedge.exe (repeated)
  PID 3604 msedge.exe wrote to memory of 1204 msedge.exe (repeated)
  (64 entries in total, all with msedge.exe PID 3604 as the writing process)
Processes

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://qptr.ru/EDcn
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffc7bd46f8,0x7fffc7bd4708,0x7fffc7bd4718

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,12354789678577967028,13726880961348735784,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,12354789678577967028,13726880961348735784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,12354789678577967028,13726880961348735784,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,12354789678577967028,13726880961348735784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,12354789678577967028,13726880961348735784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,12354789678577967028,13726880961348735784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,12354789678577967028,13726880961348735784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8

  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,12354789678577967028,13726880961348735784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,12354789678577967028,13726880961348735784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,12354789678577967028,13726880961348735784,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,12354789678577967028,13726880961348735784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,12354789678577967028,13726880961348735784,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1

- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding

- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index (384B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index (456B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State (111B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (5KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (5KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (5KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences (24KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT (16B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (10KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (10KB)
- \??\pipe\LOCAL\crashpad_3604_OBFDAEROCTYRECOY