hxxps://service-customer-n[.]nl/mygov

Analysis

max time kernel
176s
max time network
184s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
19/04/2024, 01:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://service-customer-n.nl/mygov

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4956	msedge.exe
4956	msedge.exe
4236	msedge.exe
4236	msedge.exe
4200	msedge.exe
4200	msedge.exe
1604	identity_helper.exe
1604	identity_helper.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4236 wrote to memory of 4588	4236	msedge.exe	79
PID 4236 wrote to memory of 4588	4236	msedge.exe	79
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4616	4236	msedge.exe	80
PID 4236 wrote to memory of 4956	4236	msedge.exe	81
PID 4236 wrote to memory of 4956	4236	msedge.exe	81
PID 4236 wrote to memory of 4664	4236	msedge.exe	83
PID 4236 wrote to memory of 4664	4236	msedge.exe	83
PID 4236 wrote to memory of 4664	4236	msedge.exe	83
PID 4236 wrote to memory of 4664	4236	msedge.exe	83
PID 4236 wrote to memory of 4664	4236	msedge.exe	83
PID 4236 wrote to memory of 4664	4236	msedge.exe	83
PID 4236 wrote to memory of 4664	4236	msedge.exe	83
PID 4236 wrote to memory of 4664	4236	msedge.exe	83
PID 4236 wrote to memory of 4664	4236	msedge.exe	83
PID 4236 wrote to memory of 4664	4236	msedge.exe	83
PID 4236 wrote to memory of 4664	4236	msedge.exe	83
PID 4236 wrote to memory of 4664	4236	msedge.exe	83
PID 4236 wrote to memory of 4664	4236	msedge.exe	83
PID 4236 wrote to memory of 4664	4236	msedge.exe	83
PID 4236 wrote to memory of 4664	4236	msedge.exe	83
PID 4236 wrote to memory of 4664	4236	msedge.exe	83
PID 4236 wrote to memory of 4664	4236	msedge.exe	83
PID 4236 wrote to memory of 4664	4236	msedge.exe	83
PID 4236 wrote to memory of 4664	4236	msedge.exe	83
PID 4236 wrote to memory of 4664	4236	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://service-customer-n.nl/mygov
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc30cc3cb8,0x7ffc30cc3cc8,0x7ffc30cc3cd8
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,13519825122369695102,13227893534576980620,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,13519825122369695102,13227893534576980620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,13519825122369695102,13227893534576980620,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13519825122369695102,13227893534576980620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13519825122369695102,13227893534576980620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,13519825122369695102,13227893534576980620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4200
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,13519825122369695102,13227893534576980620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13519825122369695102,13227893534576980620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13519825122369695102,13227893534576980620,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
  2⤵
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13519825122369695102,13227893534576980620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13519825122369695102,13227893534576980620,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,13519825122369695102,13227893534576980620,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5200 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1952

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7554e30cbebbfe1aba35488a485a9166

SHA1
1312cb8e5027ef37ca2e3e9a8689e3bc23f44f80

SHA256
0180b897f28fb36a3f005962f6e83fc855fe91a65dfd291124d4d8f8badd1d6f

SHA512
350bde3084974b5b17c7b5b05dd1365687cec55ef21e73f1c12754a93a6a4addaee4dd93ab849a2374325c1a60c73eac9ab5adb90d72c03195f5946a03a47540

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b7fc16380cbf29a5dec23030995e553e

SHA1
62e7fe0fcf81ab250469ee6c5a89393856dcc3c1

SHA256
6f7e137ea862e054ace2561adfc7c65312b0fbe5b13f51dcec8a303049403b9a

SHA512
f18c70f701d070846bf1e7ad995fb5a959144122ce1fa9f1719952309c6195f39b3c699cf9d59e3c26f7b41a3b697f275bb89c03ac325beacc5fce60a4b45ac4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
f1c1ab0fa74d57371c2cee2dd2568c06

SHA1
0f98704d8a8315e6ce96e6af82563374241f1f1d

SHA256
cac0f748fb9129d26cfcad2710775661df3c083d29842f6a91a551f492b1889a

SHA512
6a3e7295d5084521cfdb67884e2a3083a5a5e808990821972aab61177b4fb4325e06cfa9d48b47b72d05b5c7335cfa473c299a8e3e727d65b4b588aa2a0f54f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
478B

MD5
54ef673ac1f7b418b9895e3e2c244c9e

SHA1
ba5a165395779460c65140e7b162b1bb553fdd3b

SHA256
9945d9099e4e36e821f5cca8db08a4949c474ee1d78ab10d7d48f87daea020be

SHA512
5216c73a4d6001c013c7b57d77486c09498d8835af5572f1961f50f701c2b87ce90d997152733ab16e8ffe9fe446d0918e0631481a3397582f3adb4af351af82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2957de4d91803819d70e1a2fad2a89e3

SHA1
d199905dd5a5d952e6627a26df4a92ecb193d209

SHA256
f0f72c66b42e6e127036bff151606f5db90260853abf14e96bf44b56cffb259b

SHA512
78042005d4f1c81df42e6bc1026d50b1279d4cb849a9b764ff13630e8ac45cd484fcbb6a45e6fff3f2cc14e8a88fbf52322a2cbeff7c76e46abf720f06e26d21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
286220585994b79753b8f8492f275949

SHA1
7060759d232ade5ceb46b39d6e26fbef63d03ec3

SHA256
8290650e71e261fd77751cdd61f09408bd984bf5521ffefd6c322a3cb671f59d

SHA512
5209ae6e95ba79325ee62f42327125339a5640f7b6e939a4670fbe8782ad9e3bf3005889c7bce9fce70dfa0612393ab4106908086127989fe503be1f658c9deb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
647512930b1752569c31f2a52fd41897

SHA1
e5e09ce9fa5bb68a38f0fdf93ca11d59c3f6d332

SHA256
167cf31d2e7e79cd1295192c7f91e37b684543046616065c7d7b5bad3745cd08

SHA512
3d43c549db640c4516f75c397673050be8868329033dc87aaea9a1a4627453d833e3c1afb42c8a8f569b948fb90edb45e77a33d970a639049ff3b7ed599a44e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3010dec16eaedc74ed324a3c5dc40fc5

SHA1
779ea341cd338b7baf7eb5826a3410f16654bac6

SHA256
e3c27da125b4245cedbc2b99b261fb1b591da5d3dd730bbbd07ac46f21a20da6

SHA512
5dc035c58d572d55dcad3c4ecfb43039c7de344e89eebd3b94a44cb83453a44634e701d02dfb60db3469e6a4c4294369c8d1e80ab32e4cb74057b27352b8f2fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e5e89ee7e253c039f15369bf712dc687

SHA1
05b54b607684d6701055156695f8d54b151cf683

SHA256
a4d6a2351736111f76d877530c516e48708c8835d2a6f9473396776d7655aee9

SHA512
1677bcd166e591bbc8496b8bd44ab8b534c5f5f9d7eea34e2aadb6ade5cfc334ae6951c3a9cac366abbe10c10cf1fcbb9b026c3b5cffd58873f1a7eaa5c40d93

Download Submit