hxxps://steamcommumnuty[.]com/gift/activation/feor37569hFvr1a

Analysis

max time kernel
44s
max time network
48s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
19-04-2024 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://steamcommumnuty.com/gift/activation/feor37569hFvr1a

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid process

4960 msedge.exe
4960 msedge.exe
4632 msedge.exe
4632 msedge.exe
4384 identity_helper.exe
4384 identity_helper.exe
4660 msedge.exe
4660 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

4632 msedge.exe
4632 msedge.exe
4632 msedge.exe
4632 msedge.exe
4632 msedge.exe
4632 msedge.exe

pid	process
4960	msedge.exe
4960	msedge.exe
4632	msedge.exe
4632	msedge.exe
4384	identity_helper.exe
4384	identity_helper.exe
4660	msedge.exe
4660	msedge.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

msedge.exe

pid	process
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe

Suspicious use of SendNotifyMessage 14 IoCs

Processes:

msedge.exe

pid	process
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4632 wrote to memory of 4608	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 4608	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1864	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 4960	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 4960	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1592	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1592	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1592	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1592	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1592	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1592	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1592	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1592	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1592	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1592	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1592	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1592	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1592	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1592	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1592	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1592	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1592	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1592	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1592	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 1592	4632	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommumnuty.com/gift/activation/feor37569hFvr1a
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff7e243cb8,0x7fff7e243cc8,0x7fff7e243cd8
2⤵
PID:4608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,3721232088742558654,15366679403730046612,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
2⤵
PID:1864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,3721232088742558654,15366679403730046612,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,3721232088742558654,15366679403730046612,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
2⤵
PID:1592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3721232088742558654,15366679403730046612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
2⤵
PID:1620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3721232088742558654,15366679403730046612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
2⤵
PID:1496

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,3721232088742558654,15366679403730046612,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3721232088742558654,15366679403730046612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
2⤵
PID:4800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3721232088742558654,15366679403730046612,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
2⤵
PID:572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3721232088742558654,15366679403730046612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
2⤵
PID:1832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3721232088742558654,15366679403730046612,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
2⤵
PID:3256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,3721232088742558654,15366679403730046612,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5820 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1908,3721232088742558654,15366679403730046612,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2496 /prefetch:8
2⤵
PID:3984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1860

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1376

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0fcda4fac8ec713700f95299a89bc126

SHA1
576a818957f882dc0b892a29da15c4bb71b93455

SHA256
f7a257742d3a6e6edd16ac8c4c4696d4bdf653041868329461444a0973e71430

SHA512
ab350ca508c412ff860f82d25ac7492afb3baf4a2827249ebc7ec9632ee444f8f0716389f0623afc0756f395cf00d7a90a0f89b360acdf72b1befe34eecb5986

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
21986fa2280bae3957498a58adf62fc2

SHA1
d01ad69975b7dc46eba6806783450f987fa2b48d

SHA256
c91d76b0f27ccea28c4f5f872dee6a98f2d37424ef0b5f188af8c6757090cbb5

SHA512
ae9ba1abe7def7f6924d486a58427f04a02af7dd82aa3a36c1ed527a23ec7897f00b0e30f22529e9599ae2db88e8abc7ba8013b426885aa3c961ee74678455f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
480B

MD5
0877e62f5aa46706479005e9661321f9

SHA1
a85e3d73b78c61446b6b7e75c2bc9d2c8225b7cf

SHA256
b90d30d59cfceff23669cfb98fe8323c36ac033e9308f5e50d3724cf02201dfd

SHA512
0f523acde968f2b6a4784bd5b6302214c824ded77496c6d0b99f395a59c73cbf66a44cb52e23e51363daaf0b8c452394ca8d8a05487d94f001705016832f8ba4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
5d94a8b8360bb3eb25ba2a7efd893988

SHA1
432a6532a57446b789efe87240ce30e46e7992d8

SHA256
13eb5acb9d14c460ab327108af398c57955a72ce0f4776b371b96607d2de8edc

SHA512
78a25140cbba2e978f0eee076bc0c4fac1fed1082aea2c11e6ce18c9d3a5cd17543f0fb9ec7b1273e24a0fe317c9530fe25cac04d0200675a9f2c2919258a4ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
5d804fd92c1238cdc754ba7afdc9b282

SHA1
13f879145ae3daead962423b421e6c939ef3c70d

SHA256
edd6da3924f206e20a4d24f2e77bb662d384059351524b6c09007807aefebb98

SHA512
0e2bc0002614da6b7c600590fa63b3e42e999d4463dc90d6a29575e6fc871ff718c7ca93d004dbe6a7ed710ef524e140225da756d61ad9800e0e7c0e8e951466

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
b555d9ccb46d9e297720b0111147e85b

SHA1
6c342e3e97acfc716f5ae08b517d981bdc53e846

SHA256
a28aad3213b83e5ddf1da9af324348f078fb0037ece741a9ae78fef838131f36

SHA512
a2b8f0dddb875cf1c6e51f8c1795cf8899f032f0a294871623a51b24be5a9ffdebb12bcea9e5dc0dc2d5f89b9a97844e63f5162a61d72ef04b68590a5f5085eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
cde96a56c3360d73dc3e7bdffdb46ecb

SHA1
d93eafbfee79ead3b11eb7115e79e554e54b50ad

SHA256
881c9810cc3f16f746884f4f345f80ba3cd4cce82a6eac967f00ddc7931033d4

SHA512
994b32d9470f7a90edcb6c3711b15bb170b6fbd51f3503a2bdc959801a1ad30a7f78d2340fec607a6b07da9fff24313436b15b1b2fcc306b86455998bc038b3a

Download Submit
\??\pipe\LOCAL\crashpad_4632_FNPMDBLZJWESADQP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit