hxxps://public-wgnc4-eu[.]wargaming[.]net/tracking/click?h=~F-CEr0cEYwG9iGsBBmfykcuIMmRApQgP4_NGNddVmBybPicV7JwIU93KtimBBB4aasuPMR__HP58yqCRhUmeRk2yvGGakIXTW2wMcJ1NDcMp%7CMTI5NjMwNzcy%7CbnFlMm1jSmhwTw==%7Cv

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 11:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://public-wgnc4-eu.wargaming.net/tracking/click?h=~F-CEr0cEYwG9iGsBBmfykcuIMmRApQgP4_NGNddVmBybPicV7JwIU93KtimBBB4aasuPMR__HP58yqCRhUmeRk2yvGGakIXTW2wMcJ1NDcMp%7CMTI5NjMwNzcy%7CbnFlMm1jSmhwTw==%7Cv

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2216	msedge.exe
2216	msedge.exe
4808	msedge.exe
4808	msedge.exe
4536	identity_helper.exe
4536	identity_helper.exe
5980	msedge.exe
5980	msedge.exe
5980	msedge.exe
5980	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 4784	4808	msedge.exe	87
PID 4808 wrote to memory of 4784	4808	msedge.exe	87
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 3696	4808	msedge.exe	88
PID 4808 wrote to memory of 2216	4808	msedge.exe	89
PID 4808 wrote to memory of 2216	4808	msedge.exe	89
PID 4808 wrote to memory of 852	4808	msedge.exe	90
PID 4808 wrote to memory of 852	4808	msedge.exe	90
PID 4808 wrote to memory of 852	4808	msedge.exe	90
PID 4808 wrote to memory of 852	4808	msedge.exe	90
PID 4808 wrote to memory of 852	4808	msedge.exe	90
PID 4808 wrote to memory of 852	4808	msedge.exe	90
PID 4808 wrote to memory of 852	4808	msedge.exe	90
PID 4808 wrote to memory of 852	4808	msedge.exe	90
PID 4808 wrote to memory of 852	4808	msedge.exe	90
PID 4808 wrote to memory of 852	4808	msedge.exe	90
PID 4808 wrote to memory of 852	4808	msedge.exe	90
PID 4808 wrote to memory of 852	4808	msedge.exe	90
PID 4808 wrote to memory of 852	4808	msedge.exe	90
PID 4808 wrote to memory of 852	4808	msedge.exe	90
PID 4808 wrote to memory of 852	4808	msedge.exe	90
PID 4808 wrote to memory of 852	4808	msedge.exe	90
PID 4808 wrote to memory of 852	4808	msedge.exe	90
PID 4808 wrote to memory of 852	4808	msedge.exe	90
PID 4808 wrote to memory of 852	4808	msedge.exe	90
PID 4808 wrote to memory of 852	4808	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://public-wgnc4-eu.wargaming.net/tracking/click?h=~F-CEr0cEYwG9iGsBBmfykcuIMmRApQgP4_NGNddVmBybPicV7JwIU93KtimBBB4aasuPMR__HP58yqCRhUmeRk2yvGGakIXTW2wMcJ1NDcMp%7CMTI5NjMwNzcy%7CbnFlMm1jSmhwTw==%7Cv
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd0fff46f8,0x7ffd0fff4708,0x7ffd0fff4718
  2⤵
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,17067226376847270777,16363186325147397253,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2
  2⤵
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,17067226376847270777,16363186325147397253,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,17067226376847270777,16363186325147397253,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
  2⤵
  PID:852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,17067226376847270777,16363186325147397253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,17067226376847270777,16363186325147397253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,17067226376847270777,16363186325147397253,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,17067226376847270777,16363186325147397253,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,17067226376847270777,16363186325147397253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,17067226376847270777,16363186325147397253,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,17067226376847270777,16363186325147397253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,17067226376847270777,16363186325147397253,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,17067226376847270777,16363186325147397253,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1304 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5980

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
64836d9ed0fa36504e81806dfddba79d

SHA1
ce09ebf37aebaf90664fcf7f20d9361c7473a372

SHA256
ca4ff89e62d8fa19b959aee20a3eb90a032317329e392dc4e455dc7720651cb3

SHA512
99debdc52571e358b1da6c4086d085f818d5a27b8cddecf68aeff0aa4600d9952277d4578c5d411d4cc4024c54704f5f4583d2b8d2146aef00c031b1ebad412e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f89eacc173016441580a1298f148d46e

SHA1
7e27c79728f54be41984235f7bfdd8a0bdcd3a54

SHA256
68bc2993e25bb9f44bdd514acb1ad122806ffba33f21730a201ccc347f496625

SHA512
8c966c08f3decb560b58816dcc8115f927eb58b96e3acfc2b7cc512654479fda45a3de77f9d4639713c8bbce65f202696613bdc66bb33444e9b5451f6cd7481b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
362c2719d764610c014bb44d82159fab

SHA1
78dafbd205a73471d69f7f3ed0ba1fcb11b622b6

SHA256
9619866761d50782a4549409c78dbbe515611c41cc958b966ba5a26c0388f282

SHA512
360859b915666bd695f39c7c553b4a2d7d16a39ec26e808e36402aa73eefa3bb5df6238e2327cc3fe470988c395d0b208864ac4bbdff21c10ccd35f0dd681ad9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f673eff4102292bfbd0527260c993a82

SHA1
b32ccbdb3510f904b26467ae8a11e50d4c523c07

SHA256
f9af7e0e903e9962f88463960c915e9d8a35f54835d147e94e7b7a766ad1acac

SHA512
ec5b11d10ce8a371224fb92b4a6ebcc290a845b592e4feb4a22bb34783e772dbb48eb90da9fa0398bd9e637c00602d0565eb0457858708a3075c07a6a2534826

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5e5f9bd32aae6854212a031b6e300523

SHA1
cc8669258e1434751286afd57da411a05c9998db

SHA256
25750dcc8a27581ee9b900318146ab470cc1b7c57fb483eba9133cf44de6414d

SHA512
c32061bf863417242b480540c28fcda97cca5cc0d16d72d2d1523a35a087a7479d74ef9f871ae0e328c378af07e58eb1a6d17aa3cd1c41d426a61bb6a02b27a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d37cc676191649af10bb3d21ebf5a566

SHA1
1e96355801a4ec4a5485e2f9f8ef8f3c76d4fe85

SHA256
ea5688c8ab3d4850a6325076ed3faea2359319c1ce0e626c1970299a016c43e0

SHA512
2d2bf94de6fc17d2a50f7ac3e6a2d0bbae04a4be72365d0cbaceafa9e3294246cdeba67810ab46dc3cf7542cf44e88fd15d67edf5eba2d32c9538b2f5a2c4bd8

Download Submit