hxxp://185[.]155[.]184[.]57

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://185.155.184.57

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1944	msedge.exe
1944	msedge.exe
5104	msedge.exe
5104	msedge.exe
4456	identity_helper.exe
4456	identity_helper.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 2788	5104	msedge.exe	83
PID 5104 wrote to memory of 2788	5104	msedge.exe	83
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1572	5104	msedge.exe	84
PID 5104 wrote to memory of 1944	5104	msedge.exe	85
PID 5104 wrote to memory of 1944	5104	msedge.exe	85
PID 5104 wrote to memory of 3136	5104	msedge.exe	86
PID 5104 wrote to memory of 3136	5104	msedge.exe	86
PID 5104 wrote to memory of 3136	5104	msedge.exe	86
PID 5104 wrote to memory of 3136	5104	msedge.exe	86
PID 5104 wrote to memory of 3136	5104	msedge.exe	86
PID 5104 wrote to memory of 3136	5104	msedge.exe	86
PID 5104 wrote to memory of 3136	5104	msedge.exe	86
PID 5104 wrote to memory of 3136	5104	msedge.exe	86
PID 5104 wrote to memory of 3136	5104	msedge.exe	86
PID 5104 wrote to memory of 3136	5104	msedge.exe	86
PID 5104 wrote to memory of 3136	5104	msedge.exe	86
PID 5104 wrote to memory of 3136	5104	msedge.exe	86
PID 5104 wrote to memory of 3136	5104	msedge.exe	86
PID 5104 wrote to memory of 3136	5104	msedge.exe	86
PID 5104 wrote to memory of 3136	5104	msedge.exe	86
PID 5104 wrote to memory of 3136	5104	msedge.exe	86
PID 5104 wrote to memory of 3136	5104	msedge.exe	86
PID 5104 wrote to memory of 3136	5104	msedge.exe	86
PID 5104 wrote to memory of 3136	5104	msedge.exe	86
PID 5104 wrote to memory of 3136	5104	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://185.155.184.57
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe8bf646f8,0x7ffe8bf64708,0x7ffe8bf64718
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,10228399579056126636,3033819765510616630,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,10228399579056126636,3033819765510616630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,10228399579056126636,3033819765510616630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10228399579056126636,3033819765510616630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10228399579056126636,3033819765510616630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:3424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10228399579056126636,3033819765510616630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
  2⤵
  PID:320
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,10228399579056126636,3033819765510616630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,10228399579056126636,3033819765510616630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10228399579056126636,3033819765510616630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10228399579056126636,3033819765510616630,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10228399579056126636,3033819765510616630,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,10228399579056126636,3033819765510616630,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4452 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4860

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8c91c8582b0c918416d14bd7eedd686e

SHA1
b2ff8149bc21144fdcec64111afda492965c6621

SHA256
1e839706b748c04adf8efa2790564ca1efd707fdf6451e71af6862e07123717e

SHA512
a93be868d9f08097bff39069378a0bfa0f5c78e74e9e8df820be9b0426cbfe84e03e9638b329b6142279ed140a120c4c4c21857f410fc4789a370445c3919dcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2579d07b98bbefadc929d80fb3dbd32a

SHA1
1ceb57c4b81f0f23500e118a4b9a225116a467de

SHA256
b8443c289ad36568a2bf794ac9ec1f259a9dd930c36680dafc8d0cb4de81feb6

SHA512
53522ad5e8e2a272d5b1bff9b9226b7d976d47413891c60d7efebd4365baff12b6891e3f79b20e14892ec7c654ad2d437941014290c428c6b1bd78a7b3e557de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
00a455d9d155394bfb4b52258c97c5e5

SHA1
2761d0c955353e1982a588a3df78f2744cfaa9df

SHA256
45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed

SHA512
9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ea2b4285350e5ae8a831b0ab11c7d47b

SHA1
7a6554d92da62dba5d8e607b572ac9b1449682d9

SHA256
0d50567e2d39eb57f7b5b1e08cec512ef489ccd3301d4cd30da4c3edb984a580

SHA512
b52db01f2af9bacc037b4892da34d0d6a61d704bcb80a41fa189f7bd5b49fb4a6fe6dcacf72f49bfa83ad4e628f46ad8374ae464eda6b209bcff4da98351ffdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0e1acc18bd550e6bc8e508a91c4501c5

SHA1
aa0e81cd9b7e8347405d8c3bd7cac3e78eda2a78

SHA256
782327a196b4cc0b45f78b93e243f116caeee2e59355e70051234f88e57f7d27

SHA512
e4a55d526ff7911a1fa8929a8d7cf3b6e1bff77b63300f98b5e671e616172740144b27670a398c4ed5487698637be07b68f8672c441dc79d9ac5ee18fe7d2ced

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6eb73d11a82678316797b6b44dd25eff

SHA1
9cff2ad3ec685d6c894fc606517f23b72701e6a2

SHA256
3b2e6508b89e0802dd8364f7370d8bea45024104ae9ed161df5d4aa9d010c1cf

SHA512
a48f855d69ac9f87630ff754dd24d91c34ffb73e50404d04ac9909a148002e1c1b9f5ff01f9722515a93a70b1c353e5b9fe8a10f727df9aa85f6f4b116f15410

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d603865bfdd427932a491dc654321c6f

SHA1
8133e4ee07dc92c2ee0a17aa784a4ae91aa59f1c

SHA256
6c9580259c6d55ea1a93e3b4328a8c8a65a6878583ca98d2e0ed8ec60e7e9403

SHA512
d016e958a2e96eee3721a85b7fda8ac87eace0bd506df28095035f848ca05ea8e00a7fb605a4d73751ac7ca2088c216a7b230d2dbed204764313400bcdaee130

Download Submit