hxxps://cloudflare-ipfs[.]com/ipfs/bafybeigtwr3ontibnus3p5zn3echnujiu6x2mkmlck2z254a26h6ye7s3i/myscr673319[.]html

Analysis

max time kernel
50s
max time network
50s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 00:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cloudflare-ipfs.com/ipfs/bafybeigtwr3ontibnus3p5zn3echnujiu6x2mkmlck2z254a26h6ye7s3i/myscr673319.html

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	cloudflare-ipfs.com
12	cloudflare-ipfs.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3204	msedge.exe
3204	msedge.exe
4508	msedge.exe
4508	msedge.exe
2592	identity_helper.exe
2592	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 772	4508	msedge.exe	89
PID 4508 wrote to memory of 772	4508	msedge.exe	89
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3736	4508	msedge.exe	90
PID 4508 wrote to memory of 3204	4508	msedge.exe	91
PID 4508 wrote to memory of 3204	4508	msedge.exe	91
PID 4508 wrote to memory of 3976	4508	msedge.exe	92
PID 4508 wrote to memory of 3976	4508	msedge.exe	92
PID 4508 wrote to memory of 3976	4508	msedge.exe	92
PID 4508 wrote to memory of 3976	4508	msedge.exe	92
PID 4508 wrote to memory of 3976	4508	msedge.exe	92
PID 4508 wrote to memory of 3976	4508	msedge.exe	92
PID 4508 wrote to memory of 3976	4508	msedge.exe	92
PID 4508 wrote to memory of 3976	4508	msedge.exe	92
PID 4508 wrote to memory of 3976	4508	msedge.exe	92
PID 4508 wrote to memory of 3976	4508	msedge.exe	92
PID 4508 wrote to memory of 3976	4508	msedge.exe	92
PID 4508 wrote to memory of 3976	4508	msedge.exe	92
PID 4508 wrote to memory of 3976	4508	msedge.exe	92
PID 4508 wrote to memory of 3976	4508	msedge.exe	92
PID 4508 wrote to memory of 3976	4508	msedge.exe	92
PID 4508 wrote to memory of 3976	4508	msedge.exe	92
PID 4508 wrote to memory of 3976	4508	msedge.exe	92
PID 4508 wrote to memory of 3976	4508	msedge.exe	92
PID 4508 wrote to memory of 3976	4508	msedge.exe	92
PID 4508 wrote to memory of 3976	4508	msedge.exe	92

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cloudflare-ipfs.com/ipfs/bafybeigtwr3ontibnus3p5zn3echnujiu6x2mkmlck2z254a26h6ye7s3i/myscr673319.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9c86a46f8,0x7ff9c86a4708,0x7ff9c86a4718
  2⤵
  PID:772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,9821755829920017276,13106814380385583217,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
  2⤵
  PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,9821755829920017276,13106814380385583217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,9821755829920017276,13106814380385583217,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
  2⤵
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,9821755829920017276,13106814380385583217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,9821755829920017276,13106814380385583217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,9821755829920017276,13106814380385583217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  PID:668
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,9821755829920017276,13106814380385583217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,9821755829920017276,13106814380385583217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,9821755829920017276,13106814380385583217,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,9821755829920017276,13106814380385583217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2092 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,9821755829920017276,13106814380385583217,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:3464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3784

C:\Windows\system32\charmap.exe
"C:\Windows\system32\charmap.exe"
1⤵
PID:5320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a9519bc058003dbea34765176083739e

SHA1
ef49b8790219eaddbdacb7fc97d3d05433b8575c

SHA256
e034683bc434a09f5d0293cb786e6a3943b902614f9211d42bed47759164d38b

SHA512
a1b67ccf313173c560ead25671c64de65e3e2599251926e33ce8399fde682fce5cb20f36ee330fcd8bb8f7a9c00ef432da56c9b02dfd7d3f02865f390c342b53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb138796dbfb37877fcae3430bb1e2a7

SHA1
82bb82178c07530e42eca6caf3178d66527558bc

SHA256
50c55ba7baeebe1fa4573118edbca59010d659ea42761148618fb3af8a1c9bdd

SHA512
287471cccbe33e08015d6fc35e0bcdca0ec79bebc3a58f6a340b7747b5b2257b33651574bc83ed529aef2ba94be6e68968e59d2a8ef5f733dce9df6404ad7cc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
01200b0803cc5582fc19cb8d30949ec2

SHA1
d02c82ddeab4e0d8b87a1f372828b63a6179287b

SHA256
fb6eefe5ed386ddb7efafa96c2b0aa7600731ead2b9d02d81a3948221d56c223

SHA512
9ae57fdb7ea2e87ebaf8b67dbf9f93706767c1c75039809ebeca7e4136133ab5f727f2f21785a40edf91fd62d2abc6f201130a78393089fc84565cc82873d879

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1901c1dcefec0a3a4659687dfd8d52a6

SHA1
b5e7e49e9978f6f798645b09418cc9fa4fcf5a37

SHA256
ae0ea2570705bf1671cc4ff17a68c2166aedbded491575aea2e752aebf3c63fd

SHA512
2f0c542a0d69382860b0e010ec0e37b6f0c40140e30fdb91dbd6981f84dbd6c3ded9befdf71d0b10b158e14994a2d398e0385f063923a4962d6d20f2b87d3e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
88b2a508bda66cae7ce985505cd71c1b

SHA1
c80c09f4565ec5e31decd1bd39edf4f1ad46de93

SHA256
16deacf73035ed84165e37c3d52fc62b7e45c26247dea001f7e89f02cef86bec

SHA512
7b9e0f9f3036f91f3f0148b0b99b4a2d212d165468e98416a71a50621c97cc3d68810c7cf141f0fd9a0910f0bf6fc5667c0df25926861d4b1d0d360f801a80e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
87d6ef9dcec9ff8f8e439e53078dbe67

SHA1
39a1f34dad68a2ee42c891991cb3dad1cbb5f700

SHA256
60e42bace05c0bfd0d5ee13748aa4c212574623f538f1b8282950c14626a8ec8

SHA512
70c4801ceea6476cc8f5d0c789bb0fd2102bd20a56a8c5cc00eecb768e2171a7af79acf31a3ee86b1345de78f630d05e99d5d699385b00557abca3f2a912bd4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit