hxxp://c[.]awdelectricallimited[.]uk/C-2b-7hn-36vym-h9t-hf3be-76abd1boa

Analysis

max time kernel
145s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://c.awdelectricallimited.uk/C-2b-7hn-36vym-h9t-hf3be-76abd1boa

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4396	msedge.exe
4396	msedge.exe
4920	msedge.exe
4920	msedge.exe
4508	identity_helper.exe
4508	identity_helper.exe
6108	msedge.exe
6108	msedge.exe
6108	msedge.exe
6108	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 1964	4920	msedge.exe	87
PID 4920 wrote to memory of 1964	4920	msedge.exe	87
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4940	4920	msedge.exe	88
PID 4920 wrote to memory of 4396	4920	msedge.exe	89
PID 4920 wrote to memory of 4396	4920	msedge.exe	89
PID 4920 wrote to memory of 2912	4920	msedge.exe	90
PID 4920 wrote to memory of 2912	4920	msedge.exe	90
PID 4920 wrote to memory of 2912	4920	msedge.exe	90
PID 4920 wrote to memory of 2912	4920	msedge.exe	90
PID 4920 wrote to memory of 2912	4920	msedge.exe	90
PID 4920 wrote to memory of 2912	4920	msedge.exe	90
PID 4920 wrote to memory of 2912	4920	msedge.exe	90
PID 4920 wrote to memory of 2912	4920	msedge.exe	90
PID 4920 wrote to memory of 2912	4920	msedge.exe	90
PID 4920 wrote to memory of 2912	4920	msedge.exe	90
PID 4920 wrote to memory of 2912	4920	msedge.exe	90
PID 4920 wrote to memory of 2912	4920	msedge.exe	90
PID 4920 wrote to memory of 2912	4920	msedge.exe	90
PID 4920 wrote to memory of 2912	4920	msedge.exe	90
PID 4920 wrote to memory of 2912	4920	msedge.exe	90
PID 4920 wrote to memory of 2912	4920	msedge.exe	90
PID 4920 wrote to memory of 2912	4920	msedge.exe	90
PID 4920 wrote to memory of 2912	4920	msedge.exe	90
PID 4920 wrote to memory of 2912	4920	msedge.exe	90
PID 4920 wrote to memory of 2912	4920	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://c.awdelectricallimited.uk/C-2b-7hn-36vym-h9t-hf3be-76abd1boa
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9ae6946f8,0x7ff9ae694708,0x7ff9ae694718
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,17925708253830686704,10755611022169761915,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,17925708253830686704,10755611022169761915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,17925708253830686704,10755611022169761915,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17925708253830686704,10755611022169761915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17925708253830686704,10755611022169761915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17925708253830686704,10755611022169761915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17925708253830686704,10755611022169761915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,17925708253830686704,10755611022169761915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,17925708253830686704,10755611022169761915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17925708253830686704,10755611022169761915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17925708253830686704,10755611022169761915,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17925708253830686704,10755611022169761915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17925708253830686704,10755611022169761915,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  2⤵
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,17925708253830686704,10755611022169761915,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4868 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4960

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cff358b013d6f9f633bc1587f6f54ffa

SHA1
6cb7852e096be24695ff1bc213abde42d35bb376

SHA256
39205cdf989e3a86822b3f473c5fc223d7290b98c2a3fb7f75e366fc8e3ecbe9

SHA512
8831c223a1f0cf5f71fa851cdd82f4a9f03e5f267513e05b936756c116997f749ffa563623b4724de921d049de34a8f277cc539f58997cda4d178ea205be2259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc629a750e345390344524fe0ea7dcd7

SHA1
5f9f00a358caaef0321707c4f6f38d52bd7e0399

SHA256
38b634f3fedcf2a9dc3280aa76bd1ea93e192200b8a48904664fac5c9944636a

SHA512
2a941fe90b748d0326e011258fa9b494dc2f47ac047767455ed16a41d523f04370f818316503a5bad0ff5c5699e92a0aaf3952748b09287c5328354bfa6cc902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
198KB

MD5
319e0c36436ee0bf24476acbcc83565c

SHA1
fb2658d5791fe5b37424119557ab8cee30acdc54

SHA256
f6562ea52e056b979d6f52932ae57b7afb04486b10b0ebde22c5b51f502c69d1

SHA512
ad902b9a010cf99bdedba405cad0387890a9ff90a9c91f6a3220cdceec1b08ecb97a326aef01b28d8d0aacb5f2a16f02f673e196bdb69fc68b3f636139059902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
ce50ce9446ced8ae30b8c9d070572342

SHA1
254a80b268518d755d0330b08f0fe6b7660155dd

SHA256
fe8dc8afe5ba1094a9f2ce5f0f228d9f18fdceb433edc85c1b97cc9b78d83b3f

SHA512
2176dba200a2f34ccff7ce00a8a671825e6d6b32130b7b87eae3776a11e43ff748b0f6ea30da93df45997ff97d48de851c6ee31adf24aec4753b6029ec598a95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
815B

MD5
8eb92ac41ad30ad6055f22382bc273ed

SHA1
85057c738f093f472086a3c4b7b612321515b47e

SHA256
d1f249df592c850a4b4653c151cef9b6c2274c15c7c043ab04b3858987916f33

SHA512
c6dbd2b5c40a3bf51b3a7928c0dbfa366ed8d28cac471788b9d874710d1507b12b5910eb96281c01f07d1ea1f4d7164a6026853674a0e975f6f97701fe7a9385

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
02968971e074118dae8439f3b253fb9f

SHA1
5219427c805c48d5cf5ec560b8502ba0720f647d

SHA256
1d23fb49f94830c72cef5f2f73be557be4b886a3e433f9470bb8f1e8782ad849

SHA512
c8e098c17d0565f808e4f09a3860308b79fad9d654c62b73097b5c4bf30cb802b0be7f11c6a8f6b383cc772be865832b179cd40ac25c624430956604a8571780

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4923c106cc8f2cc479b2c04064b0f33d

SHA1
010b5e19aca69dead0bd2aff1904babe6be3c6c7

SHA256
051b23d79f56175d1864cdc4a788e5423e06afd43cc2e68a2eccc67c7b8df33d

SHA512
10cf9f953dcb6f5596bb09cbb6318e51eeddca9f66dac6ac7c91df9654aba49f6cb725fcc48297ed6066498a35046d30a97c3e5d1057ecd8da3b04ae277bf6f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
06da06bda6ffc58e52faa0dedb6db24c

SHA1
9c776ebd15fd1b64f71bfe123a7c6a95deb9e5d6

SHA256
808dae1ea8bc6734fc4239a7aa25c4591cea3af7cec97f50866a913e363ac783

SHA512
127a42dd465dc3d6f5180825d9183ced4ee8b4979a79ce909c9422ad0f17652b76fc67f86b7acc05cb9d740807342d86051ca1727440ece095d3eadc76de98db

Download Submit