Analysis
- max time kernel: 150s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-04-2024 13:02
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1 (sample: https://grupoaedo.com; resource: win10v2004-20240412-en)
- Behavioral task: behavioral2 (sample: https://grupoaedo.com; resource: android-x86-arm-20240221-en)
- Behavioral task: behavioral3 (sample: https://grupoaedo.com; resource: android-x64-20240221-en)
General
- Target: https://grupoaedo.com
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
- msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes: msedge.exe, identity_helper.exe
- PID 4880 msedge.exe (2 entries)
- PID 3892 msedge.exe (2 entries)
- PID 2796 identity_helper.exe (2 entries)
- PID 1108 msedge.exe (4 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
Processes: msedge.exe
- PID 4880 msedge.exe (6 entries)
Suspicious use of FindShellTrayWindow (25 IoCs)
Processes: msedge.exe
- PID 4880 msedge.exe (25 entries)
Suspicious use of SendNotifyMessage (24 IoCs)
Processes: msedge.exe
- PID 4880 msedge.exe (24 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: msedge.exe
- PID 4880 msedge.exe wrote to memory of PID 3872 msedge.exe (2 entries)
- PID 4880 msedge.exe wrote to memory of PID 2592 msedge.exe
- PID 4880 msedge.exe wrote to memory of PID 3892 msedge.exe (2 entries)
- PID 4880 msedge.exe wrote to memory of PID 1220 msedge.exe
The writes to PIDs 2592 and 1220 account for the remaining 60 entries; every source and target process is msedge.exe, with PID 4880 as the parent browser process.
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://grupoaedo.com
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff86ac446f8,0x7ff86ac44708,0x7ff86ac44718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,6862462015544515942,15236064770628291661,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,6862462015544515942,15236064770628291661,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,6862462015544515942,15236064770628291661,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,6862462015544515942,15236064770628291661,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,6862462015544515942,15236064770628291661,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,6862462015544515942,15236064770628291661,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,6862462015544515942,15236064770628291661,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,6862462015544515942,15236064770628291661,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,6862462015544515942,15236064770628291661,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,6862462015544515942,15236064770628291661,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,6862462015544515942,15236064770628291661,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,6862462015544515942,15236064770628291661,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5256 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index (72B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State (181B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (6KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (6KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT (16B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT (16B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (11KB)
- \??\pipe\LOCAL\crashpad_4880_RXLRECEDWSBZBDBQ