hxxp://wearevaporatewhip[.]com

Analysis

max time kernel
145s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16/04/2024, 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://wearevaporatewhip.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2912	msedge.exe
2912	msedge.exe
804	msedge.exe
804	msedge.exe
4732	identity_helper.exe
4732	identity_helper.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 804 wrote to memory of 2840	804	msedge.exe	87
PID 804 wrote to memory of 2840	804	msedge.exe	87
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2040	804	msedge.exe	88
PID 804 wrote to memory of 2912	804	msedge.exe	89
PID 804 wrote to memory of 2912	804	msedge.exe	89
PID 804 wrote to memory of 4056	804	msedge.exe	90
PID 804 wrote to memory of 4056	804	msedge.exe	90
PID 804 wrote to memory of 4056	804	msedge.exe	90
PID 804 wrote to memory of 4056	804	msedge.exe	90
PID 804 wrote to memory of 4056	804	msedge.exe	90
PID 804 wrote to memory of 4056	804	msedge.exe	90
PID 804 wrote to memory of 4056	804	msedge.exe	90
PID 804 wrote to memory of 4056	804	msedge.exe	90
PID 804 wrote to memory of 4056	804	msedge.exe	90
PID 804 wrote to memory of 4056	804	msedge.exe	90
PID 804 wrote to memory of 4056	804	msedge.exe	90
PID 804 wrote to memory of 4056	804	msedge.exe	90
PID 804 wrote to memory of 4056	804	msedge.exe	90
PID 804 wrote to memory of 4056	804	msedge.exe	90
PID 804 wrote to memory of 4056	804	msedge.exe	90
PID 804 wrote to memory of 4056	804	msedge.exe	90
PID 804 wrote to memory of 4056	804	msedge.exe	90
PID 804 wrote to memory of 4056	804	msedge.exe	90
PID 804 wrote to memory of 4056	804	msedge.exe	90
PID 804 wrote to memory of 4056	804	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://wearevaporatewhip.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa92ff46f8,0x7ffa92ff4708,0x7ffa92ff4718
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,10614941941446170062,11806426790091470360,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,10614941941446170062,11806426790091470360,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,10614941941446170062,11806426790091470360,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10614941941446170062,11806426790091470360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2812 /prefetch:1
  2⤵
  PID:448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10614941941446170062,11806426790091470360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10614941941446170062,11806426790091470360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,10614941941446170062,11806426790091470360,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,10614941941446170062,11806426790091470360,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10614941941446170062,11806426790091470360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10614941941446170062,11806426790091470360,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:1564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10614941941446170062,11806426790091470360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
  2⤵
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10614941941446170062,11806426790091470360,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,10614941941446170062,11806426790091470360,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4856 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2628

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e36b219dcae7d32ec82cec3245512f80

SHA1
6b2bd46e4f6628d66f7ec4b5c399b8c9115a9466

SHA256
16bc6f47bbfbd4e54c3163dafe784486b72d0b78e6ea3593122edb338448a27b

SHA512
fc539c461d87141a180cf71bb6a636c75517e5e7226e76b71fd64e834dcacc88fcaaa92a9a00999bc0afc4fb93b7304b068000f14653c05ff03dd7baef3f225c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
559ff144c30d6a7102ec298fb7c261c4

SHA1
badecb08f9a6c849ce5b30c348156b45ac9120b9

SHA256
5444032cb994b90287c0262f2fba16f38e339073fd89aa3ab2592dfebc3e6f10

SHA512
3a45661fc29e312aa643a12447bffdab83128fe5124077a870090081af6aaa4cf0bd021889ab1df5cd40f44adb055b1394b31313515c2929f714824c89fd0f04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
336B

MD5
e61c65168e5fbe51bcc66f5bb749365e

SHA1
9cac0cb073eef69c3ca13f783de1cf9dfd42044d

SHA256
d544ab9a73773779f44ea37e0b309e852ed3481c416b404fb98eaca1254426ec

SHA512
460f9d7d6d7ea1facffb0371be08c267ff9941fa9460d5f3449b79ae6444278be73e5691c7787956f4d8f1f9e91a74029138c7922260db468cda3dabd3d348f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
650d8a2f1301f47fed8c1ce71b0a8198

SHA1
06b3429b117a537a6f694f34b93cab36daaf231c

SHA256
e35144e3088701bf4737c3df10148d600b43dc2ae3b88b6778eebc379f8b19f8

SHA512
eb56b2650b5117a1bc3a4e1ec0212a00d087c5ba5802a630c1d475687e5d187d1a81acd29883ce4d834e72a85aba7a2eb80f45eab0f054e7645567def3619ebb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a913fddc-95da-43d3-a4c8-01b796d04ffd.tmp

Filesize
6KB

MD5
6479adc429680d3497652afe36f8d9ed

SHA1
3acb5d4017235439079dfa9e741aa241649e9f8d

SHA256
257d9c8213e17fdd2b17e66908614d27c273d545d475ed82937481ecae8603f0

SHA512
d73f4f3a22968a78e041f68e828de5632b70f611c45c948dcc05f18e76aa118927c4f85b805bcb38d49c3fa9fa793cab91b537908953017f13165311592cab3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ca1a3a24-798e-41b2-b90b-345683d1cbd8.tmp

Filesize
6KB

MD5
866ff1f51dd2b19b07bf493e48d9cfa8

SHA1
a2e826b842c39f6fc3718284e626028a818317a9

SHA256
4de3718bfdd5aab3bb8b48458510b36c46727809f462b371b3811906948c654e

SHA512
8457f1194fd84e0b75f52c7842a85c1e7efb955bf9d236062443d6b1d3038b8d84df421656e6799dfcdf8002c68d9ea7ede5a9d8440cf8939a454532a64ff6ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f9a68454-37f5-41c7-bd30-ea55819eb49e.tmp

Filesize
1KB

MD5
fabf4b7e0eb78d77bb9b719fbc005062

SHA1
3f582290cfc4aa48ed04e6140e4855f6e63ff7bf

SHA256
30b0385799dccede06bc77ed94e74004c3d021fb462b5259f384938e8348a524

SHA512
9dcd8737111d5d6ebc8e2c6ef0a261b5b0a02a1024d283fd7768dc658ad61d32fb2140e7a4617432c1a02bdf600ed6621414a09c1c75a8a326bb872cee9def58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
047ed7600ea6357c600a36463cab4e0b

SHA1
44ff987eedeb2df1ece649ae5e3fd219699469d8

SHA256
ce10e9427bd99992d2300adbc215f19bc84a4baaebb20e50ace8892256e04013

SHA512
224a94dae9147a346fe7f857c7f6a101cd840e1dee24bb5788b610f79eb742df766166f9ddba215f43ecf9a7aae4edd1aaaf1dba8472968b703d5d5fb53297e8

Download Submit