hxxp://mygovau-inboxview[.]sbs

Analysis

max time kernel
147s
max time network
158s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
17/04/2024, 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://mygovau-inboxview.sbs

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2092	msedge.exe
2092	msedge.exe
1208	msedge.exe
1208	msedge.exe
2872	identity_helper.exe
2872	identity_helper.exe
3416	msedge.exe
3416	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 3352	1208	msedge.exe	80
PID 1208 wrote to memory of 3352	1208	msedge.exe	80
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 4832	1208	msedge.exe	81
PID 1208 wrote to memory of 2092	1208	msedge.exe	82
PID 1208 wrote to memory of 2092	1208	msedge.exe	82
PID 1208 wrote to memory of 4052	1208	msedge.exe	83
PID 1208 wrote to memory of 4052	1208	msedge.exe	83
PID 1208 wrote to memory of 4052	1208	msedge.exe	83
PID 1208 wrote to memory of 4052	1208	msedge.exe	83
PID 1208 wrote to memory of 4052	1208	msedge.exe	83
PID 1208 wrote to memory of 4052	1208	msedge.exe	83
PID 1208 wrote to memory of 4052	1208	msedge.exe	83
PID 1208 wrote to memory of 4052	1208	msedge.exe	83
PID 1208 wrote to memory of 4052	1208	msedge.exe	83
PID 1208 wrote to memory of 4052	1208	msedge.exe	83
PID 1208 wrote to memory of 4052	1208	msedge.exe	83
PID 1208 wrote to memory of 4052	1208	msedge.exe	83
PID 1208 wrote to memory of 4052	1208	msedge.exe	83
PID 1208 wrote to memory of 4052	1208	msedge.exe	83
PID 1208 wrote to memory of 4052	1208	msedge.exe	83
PID 1208 wrote to memory of 4052	1208	msedge.exe	83
PID 1208 wrote to memory of 4052	1208	msedge.exe	83
PID 1208 wrote to memory of 4052	1208	msedge.exe	83
PID 1208 wrote to memory of 4052	1208	msedge.exe	83
PID 1208 wrote to memory of 4052	1208	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://mygovau-inboxview.sbs
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe47c43cb8,0x7ffe47c43cc8,0x7ffe47c43cd8
  2⤵
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,13589599315247845410,16657658491683309466,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1668 /prefetch:2
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,13589599315247845410,16657658491683309466,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,13589599315247845410,16657658491683309466,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,13589599315247845410,16657658491683309466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,13589599315247845410,16657658491683309466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,13589599315247845410,16657658491683309466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,13589599315247845410,16657658491683309466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,13589599315247845410,16657658491683309466,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  PID:4176
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,13589599315247845410,16657658491683309466,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,13589599315247845410,16657658491683309466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4484 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,13589599315247845410,16657658491683309466,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,13589599315247845410,16657658491683309466,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,13589599315247845410,16657658491683309466,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4900 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3980

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7554e30cbebbfe1aba35488a485a9166

SHA1
1312cb8e5027ef37ca2e3e9a8689e3bc23f44f80

SHA256
0180b897f28fb36a3f005962f6e83fc855fe91a65dfd291124d4d8f8badd1d6f

SHA512
350bde3084974b5b17c7b5b05dd1365687cec55ef21e73f1c12754a93a6a4addaee4dd93ab849a2374325c1a60c73eac9ab5adb90d72c03195f5946a03a47540

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b7fc16380cbf29a5dec23030995e553e

SHA1
62e7fe0fcf81ab250469ee6c5a89393856dcc3c1

SHA256
6f7e137ea862e054ace2561adfc7c65312b0fbe5b13f51dcec8a303049403b9a

SHA512
f18c70f701d070846bf1e7ad995fb5a959144122ce1fa9f1719952309c6195f39b3c699cf9d59e3c26f7b41a3b697f275bb89c03ac325beacc5fce60a4b45ac4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
d64be8a1821e3f3270d14ffd413a0bf7

SHA1
a5316e11327d6a5368a7d5edf9a8e2891254ab74

SHA256
27d3ec854c0142d7a68fabeebbf8d9a490847d50f9cb4ca692b3804cf02b46c5

SHA512
740fb79f45a5fac6f104656fb8d33eab970158bf35701f27947c5f376cc66e406cd172d41c48fce646dfab55ff026bc6ab228b6be6a16b08824eab8d538083c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
478B

MD5
d45086f6bd5ffff7d00f14124a0ee6ea

SHA1
322c9bfabc27680a22ecc651b3878cda2aeede0d

SHA256
027cdc0ce0d5f0bb525e31a61e293bb2d49eb39db0824bafa59003bc48a8ebb9

SHA512
e97f6372d6eff03a93791c7de1249dd95e3e497cef176c87b5823b8a3f56cf3ebc9e097b13121a12f2ef2045e066b8278e594b351bd45540a1bbeff578dafe58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b1543b96f69710bf4a91012d3dd060d9

SHA1
4d44ea1ea9d2588228ca5ffd0449e55265316743

SHA256
e7ff0969fa2ccadc43e0662b856aef8f61a8e3cb0db5f458d862fa4d30ea69b9

SHA512
fc393e45aa005c8dfbbf17d2fda352a3f90385d3c18d9abd02c50715f4303e81388bfc6e2918b8aea0663162293042c508df56d96f3eeffa4ae265d2edb14324

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d232de8a969ad51c18e30d6b3f3685ab

SHA1
e05d3782d3f61cacc8181e331a1d7d50f6b243f4

SHA256
0e3fd120118ac85077701e740b470eede3fac0161f64c08a8139168c137a8dc9

SHA512
b70ca078b8d0a84651b86da47df345cf4325a6c545ba6422d8998abe5f611214d1c740f6a691db34639e1c8eb67322d47e859a4605c002df8318fa2dea34e6b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0e202187425c50c569954d96615708ea

SHA1
3ab4858008324253bbc8927484b458f07c32636b

SHA256
a1a96ab429b65838733dc96c800da37e3de965382ea7a7070354a8309fe1d46c

SHA512
2d93ea3846929566eff034701afffa92aef19db1136034561e5762c33c96c6f2b70cda24a6a2544e66bef510c34382a22b052b7b0407e16efd2fa0212624820f

Download Submit