hxxps://io50s[.]com/ew

Analysis

max time kernel
21s
max time network
23s
platform
windows10-2004_x64
resource
win10v2004-20240412-de
resource tags

arch:x64arch:x86image:win10v2004-20240412-delocale:de-deos:windows10-2004-x64systemwindows
submitted
21-04-2024 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://io50s.com/ew

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exe

pid process

4136 msedge.exe
4136 msedge.exe
376 msedge.exe
376 msedge.exe
3020 identity_helper.exe
3020 identity_helper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

376 msedge.exe
376 msedge.exe

pid	process
4136	msedge.exe
4136	msedge.exe
376	msedge.exe
376	msedge.exe
3020	identity_helper.exe
3020	identity_helper.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

msedge.exe

pid	process
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 376 wrote to memory of 3564	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 3564	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 1852	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 4136	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 4136	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 2572	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 2572	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 2572	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 2572	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 2572	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 2572	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 2572	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 2572	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 2572	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 2572	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 2572	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 2572	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 2572	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 2572	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 2572	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 2572	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 2572	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 2572	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 2572	376	msedge.exe	msedge.exe
PID 376 wrote to memory of 2572	376	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://io50s.com/ew
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff909ff46f8,0x7ff909ff4708,0x7ff909ff4718
2⤵
PID:3564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,4172670150811299356,5507214626194201261,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1452 /prefetch:2
2⤵
PID:1852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1840,4172670150811299356,5507214626194201261,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=2480 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1840,4172670150811299356,5507214626194201261,131072 --lang=de --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
2⤵
PID:2572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,4172670150811299356,5507214626194201261,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
2⤵
PID:4064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,4172670150811299356,5507214626194201261,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
2⤵
PID:5076

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1840,4172670150811299356,5507214626194201261,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
2⤵
PID:3260

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1840,4172670150811299356,5507214626194201261,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1844

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
cff358b013d6f9f633bc1587f6f54ffa

SHA1
6cb7852e096be24695ff1bc213abde42d35bb376

SHA256
39205cdf989e3a86822b3f473c5fc223d7290b98c2a3fb7f75e366fc8e3ecbe9

SHA512
8831c223a1f0cf5f71fa851cdd82f4a9f03e5f267513e05b936756c116997f749ffa563623b4724de921d049de34a8f277cc539f58997cda4d178ea205be2259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
dc629a750e345390344524fe0ea7dcd7

SHA1
5f9f00a358caaef0321707c4f6f38d52bd7e0399

SHA256
38b634f3fedcf2a9dc3280aa76bd1ea93e192200b8a48904664fac5c9944636a

SHA512
2a941fe90b748d0326e011258fa9b494dc2f47ac047767455ed16a41d523f04370f818316503a5bad0ff5c5699e92a0aaf3952748b09287c5328354bfa6cc902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
144B

MD5
53607b747f169332e9625a109d553509

SHA1
24f53d4872c3db45191b66dca9a53dd32bac4d47

SHA256
a3f414ce5b6d74e34550e59744d10eabf6741dc1207203464efe3dbddc572faf

SHA512
f1609c9aff37bd8a0797ca27926466894fca1de67800877f823af73c9753f1e1d74ef48bc82511df9ca4fe752fdd724edac92175a95904093bd264fc1f5dda05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
711B

MD5
104ed7283673544b853dfb0d65de10c4

SHA1
460e3d21e285b1e3bcc18e189220324baa9cb3dd

SHA256
da5fb7e9e55f05b71115dc5b3ff267bc134081d63a7f832230ef3e59be393fea

SHA512
4a25a372c59f2aa48c3da8b65e21c5c56bbe67084652b07490338efa9aa1e60bba8a7e4521c456cde0a9487e2558b31741c04ae3d85960ab945b259f8f0a9e40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
c944f6ec7f9425a4e7d01c77ec5fd5af

SHA1
832ef75c28f5910288a47f3db79456cba3d9534a

SHA256
0e7b4d8d385c57e3ce6178f3bb7ac27d706e0b97df099e76b50d001d6c0eebe7

SHA512
54e3c030e6d11d51ddd7ba09781beb8685a39091c1fe557e4693b7d7d4f6a9ee1c4a909ca661e3bc84123ec4db338827aea3cba7106ce36ed49c300c67358096

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
5e2ed4c70910bc68afbc4b7c3a6b25ea

SHA1
f756d3f4a5a3eca8b80b06366e963b484c046778

SHA256
d96d39152122f315e94a07e9a06eb6516b03e71cc76e64ec36eb41e506e851f3

SHA512
6330ed38a0957727a29900361ebda703fb156e2da2145b9c0d333a1d1cfd8897560483c722af6003c768931359042f7a9f1669aa444850aee0213e17a8a7f08f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
88708fe0dc551673e20dab0b06f45749

SHA1
63847b59c587ff9ccc0293ecfc07fd3e9186da05

SHA256
fbc31ad50c2925f1369a719bd240d86620c1121189dca1888faf006161c1a6de

SHA512
b7a9044fa54550d1face0fbd38f24abf43b01628211e5abe9509d741d78b30752e6511dac9ddcbfb6529cf34591d7a8311b189b28780cb1d0972e033a5b9aceb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
017ac3f1555b85c228f264be888ab9b3

SHA1
08af079a898ea3a8d09e9b011bb10bd5a2ae1a6a

SHA256
a9973cf4fce37d376262d8f0519811795c579f0d4ca409da5096df0cc307261e

SHA512
8ade472941244de577491fe77af444c99399d951bfb9181dbd6d33305334ea85935d8920952f4b266c280516a178b6372f5614c9f1af87f2547f63a034945cc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
c6ab70775222f86908ca096da9ed840b

SHA1
c81ae08513953555a2a5ca9b81d3d94771c1dc68

SHA256
f887f2a1ae9f4742df28cdd8b61d180d6abfa856880741f6685b772036e8fd65

SHA512
5812694c53d8f546f71c42a22e4e965b1c5827054d440006a6babc12e807a855b766afe0597f126227d50a04e1d54342deff2809dc47ab1e6952b9a3dc300e0a

Download Submit
\??\pipe\LOCAL\crashpad_376_OBGQNWGBKNLZUBKH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit