Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-04-2024 18:15
Static task: static1
URLScan task: urlscan1
Signatures
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
Mark of the Web detected: this indicates that the page was originally saved or cloned. (1 IoC)
Processes:
  flow  ioc
  16    https://case.stretto.com/voyager/file-a-claim
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description        ioc                                                                    process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs; identical rows collapsed, hits = number of identical records)
Processes:
  pid   process              hits
  4236  msedge.exe           2
  4716  msedge.exe           2
  1372  identity_helper.exe  2
  4328  msedge.exe           4
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs; identical rows collapsed)
Processes:
  pid   process     hits
  4716  msedge.exe  9
Suspicious use of FindShellTrayWindow (25 IoCs; identical rows collapsed)
Processes:
  pid   process     hits
  4716  msedge.exe  25
Suspicious use of SendNotifyMessage (24 IoCs; identical rows collapsed)
Processes:
  pid   process     hits
  4716  msedge.exe  24
Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, hits = number of identical records)
Processes:
  description                        pid   process     target pid  target process  hits
  PID 4716 wrote to memory of 2660   4716  msedge.exe  2660        msedge.exe      2
  PID 4716 wrote to memory of 4940   4716  msedge.exe  4940        msedge.exe      40
  PID 4716 wrote to memory of 4236   4716  msedge.exe  4236        msedge.exe      2
  PID 4716 wrote to memory of 4092   4716  msedge.exe  4092        msedge.exe      20
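The Mark of the Web IoC above records the origin the page was saved from (case.stretto.com), while the browser in this run was launched with a URL on celsiusnetwork.government-stretto.com. A check an analyst would run on such a pair, added here as an example and not part of the report or the sandbox's own tooling: derive the registrable domain (eTLD+1) of each host and flag a candidate whose registrable domain differs from the reference's but still embeds the reference brand, either inside the registrable domain itself or in a subdomain. `MULTI_LABEL_SUFFIXES` is a tiny stand-in for the Public Suffix List and the function names are chosen for this example.

```python
from urllib.parse import urlsplit

# The two hosts on this page: the Mark-of-the-Web origin and the URL handed
# to msedge.exe. Constructed input for this example.
MOTW_ORIGIN = "https://case.stretto.com/voyager/file-a-claim"
SUBMITTED_URL = "http://celsiusnetwork.government-stretto.com/claims/Voyager_files/"

# Assumption: a minimal stand-in for the Public Suffix List, enough for the
# hosts above. Load the real list in production code.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "gov.uk"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of a host, e.g. 'government-stretto.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_label(host: str) -> str:
    """The label a reader perceives as the brand: eTLD+1 minus its suffix."""
    return registrable_domain(host).split(".")[0]


def lookalike_verdict(reference_url: str, candidate_url: str) -> dict:
    """Compare a trusted reference URL with a candidate URL.

    Flags the candidate when its registrable domain differs from the
    reference's but embeds the reference brand. This is a triage heuristic
    for an analyst, not proof of phishing on its own.
    """
    ref, cand = urlsplit(reference_url), urlsplit(candidate_url)
    ref_host, cand_host = ref.hostname or "", cand.hostname or ""
    ref_reg, cand_reg = registrable_domain(ref_host), registrable_domain(cand_host)
    brand = brand_label(ref_host)
    same_owner = ref_reg == cand_reg

    # Brand hidden inside the candidate's own registrable domain
    # ("government-stretto.com") ...
    brand_in_registrable = (not same_owner) and brand in cand_reg
    # ... or pushed into a subdomain the candidate owner controls
    # ("stretto.example.com").
    subdomain = cand_host[: -len(cand_reg)].rstrip(".") if cand_host.endswith(cand_reg) else ""
    brand_in_subdomain = (not same_owner) and brand in subdomain

    return {
        "reference_registrable_domain": ref_reg,
        "candidate_registrable_domain": cand_reg,
        "same_registrable_domain": same_owner,
        "brand_in_registrable_domain": brand_in_registrable,
        "brand_in_subdomain": brand_in_subdomain,
        # The reference is served over https; a plain-http candidate is one more
        # thing to note when the page is a cloned claim form.
        "scheme_downgrade": ref.scheme == "https" and cand.scheme == "http",
        "suspicious": brand_in_registrable or brand_in_subdomain,
    }


if __name__ == "__main__":
    for key, value in lookalike_verdict(MOTW_ORIGIN, SUBMITTED_URL).items():
        print(f"{key}: {value}")
```

Short brand labels (two or three letters) will match inside unrelated domains, so in practice the substring test should be gated on brand length or replaced with an edit-distance comparison against a curated brand list.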
Processes
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://celsiusnetwork.government-stretto.com/claims/Voyager_files/
  PID: 4716
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes of PID 4716:
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff80d6b46f8,0x7ff80d6b4708,0x7ff80d6b4718
    PID: 2660
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,14966076273913666523,17191478464280687179,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2036 /prefetch:2
    PID: 4940
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,14966076273913666523,17191478464280687179,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
    PID: 4236
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,14966076273913666523,17191478464280687179,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
    PID: 4092
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,14966076273913666523,17191478464280687179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
    PID: 816
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,14966076273913666523,17191478464280687179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
    PID: 2796
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,14966076273913666523,17191478464280687179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
    PID: 4280
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,14966076273913666523,17191478464280687179,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 /prefetch:8
    PID: 3936
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,14966076273913666523,17191478464280687179,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 /prefetch:8
    PID: 1372
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,14966076273913666523,17191478464280687179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
    PID: 1692
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,14966076273913666523,17191478464280687179,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2288 /prefetch:1
    PID: 3120
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,14966076273913666523,17191478464280687179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
    PID: 5188
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,14966076273913666523,17191478464280687179,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
    PID: 5196
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,14966076273913666523,17191478464280687179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
    PID: 6124
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,14966076273913666523,17191478464280687179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
    PID: 2104
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,14966076273913666523,17191478464280687179,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3132 /prefetch:2
    PID: 4328
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3624
- C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3560
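Read together, the WriteProcessMemory signature and the process list show where the 64 memory writes go: all of them originate in the browser process (PID 4716) and land in processes it launched itself, each of which carries a Chromium `--type` switch. The parser below is an added example, not part of the report or of the sandbox's tooling. It takes a constructed subset of the report's records in the same flattened form the report prints, maps each PID to its Chromium role from the command line, and decides whether the writes fit the broker-to-child pattern a Chromium browser produces when it launches its sandboxed children. `chromium_role`, `summarize_writes` and `is_browser_self_write` are names chosen here.

```python
import re
from collections import Counter

# Constructed subset of the report's "Suspicious use of WriteProcessMemory"
# records, copied in the report's own flattened form.
WRITE_RECORDS = """
PID 4716 wrote to memory of 2660 4716 msedge.exe msedge.exe
PID 4716 wrote to memory of 2660 4716 msedge.exe msedge.exe
PID 4716 wrote to memory of 4940 4716 msedge.exe msedge.exe
PID 4716 wrote to memory of 4940 4716 msedge.exe msedge.exe
PID 4716 wrote to memory of 4236 4716 msedge.exe msedge.exe
PID 4716 wrote to memory of 4092 4716 msedge.exe msedge.exe
PID 4716 wrote to memory of 4092 4716 msedge.exe msedge.exe
"""

# Command lines of those PIDs, trimmed to the switches that identify a
# Chromium child. Taken from the process list above.
PROCESSES = {
    4716: r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://celsiusnetwork.government-stretto.com/claims/Voyager_files/',
    2660: r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data"',
    4940: r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --mojo-platform-channel-handle=2036',
    4236: r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --service-sandbox-type=none',
    4092: r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --service-sandbox-type=utility',
}

RECORD_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)")
# Lookbehind keeps "--utility-sub-type=" from being mistaken for "--type=".
TYPE_RE = re.compile(r"(?<!\S)--type=(\S+)")
SUBTYPE_RE = re.compile(r"(?<!\S)--utility-sub-type=(\S+)")


def parse_write_records(text):
    """Yield (writer_pid, target_pid, writer_image, target_image) per record."""
    for m in RECORD_RE.finditer(text):
        writer, target, _writer_again, writer_img, target_img = m.groups()
        yield int(writer), int(target), writer_img, target_img


def image_name(cmdline):
    """Executable name from a Windows command line, quoted or bare."""
    path = cmdline.split('"')[1] if cmdline.startswith('"') else cmdline.split()[0]
    return path.rsplit("\\", 1)[-1].lower()


def chromium_role(cmdline):
    """Classify a Chromium/Edge command line by its --type switch.

    No --type means the broker ("browser") process, the one that carries the
    URL. Utility processes are qualified with their sub-type.
    """
    type_m = TYPE_RE.search(cmdline)
    if not type_m:
        return "browser"
    sub_m = SUBTYPE_RE.search(cmdline)
    return f"{type_m.group(1)}/{sub_m.group(1)}" if sub_m else type_m.group(1)


def summarize_writes(text, processes):
    """Collapse identical records and annotate each (writer, target) pair."""
    per_pair = Counter((w, t) for w, t, _, _ in parse_write_records(text))
    return {
        (writer, target): {
            "count": n,
            "writer_role": chromium_role(processes[writer]),
            "target_role": chromium_role(processes[target]),
            "same_image": image_name(processes[writer]) == image_name(processes[target]),
        }
        for (writer, target), n in per_pair.items()
    }


def is_browser_self_write(summary):
    """True when every write is the Chromium broker writing into a child of its
    own image that has a known --type. That is what launching sandboxed
    children looks like, so this signature alone is not evidence of injection;
    a write into a different image, or from a non-broker process, is."""
    return bool(summary) and all(
        s["writer_role"] == "browser" and s["same_image"] and s["target_role"] != "browser"
        for s in summary.values()
    )


if __name__ == "__main__":
    report = summarize_writes(WRITE_RECORDS, PROCESSES)
    for (writer, target), s in report.items():
        print(f"{writer} -> {target}: {s['count']}x {s['target_role']}")
    print("browser launching its own children:", is_browser_self_write(report))
```

The check is deliberately strict: a single record whose target image differs from the writer's, such as msedge.exe writing into explorer.exe, flips the verdict, which is the case worth escalating.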
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: e36b219dcae7d32ec82cec3245512f80
  SHA1: 6b2bd46e4f6628d66f7ec4b5c399b8c9115a9466
  SHA256: 16bc6f47bbfbd4e54c3163dafe784486b72d0b78e6ea3593122edb338448a27b
  SHA512: fc539c461d87141a180cf71bb6a636c75517e5e7226e76b71fd64e834dcacc88fcaaa92a9a00999bc0afc4fb93b7304b068000f14653c05ff03dd7baef3f225c
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 559ff144c30d6a7102ec298fb7c261c4
  SHA1: badecb08f9a6c849ce5b30c348156b45ac9120b9
  SHA256: 5444032cb994b90287c0262f2fba16f38e339073fd89aa3ab2592dfebc3e6f10
  SHA512: 3a45661fc29e312aa643a12447bffdab83128fe5124077a870090081af6aaa4cf0bd021889ab1df5cd40f44adb055b1394b31313515c2929f714824c89fd0f04
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 408B
  MD5: 1859d8899c4c1d234d55c0859ce78ca0
  SHA1: 14910eca160791e6dae548da2a6e787fe5ac448c
  SHA256: 838a4c78655cd011a80d5849cf9d7ed10173c93fa8d1e797ba08f8409ba882b1
  SHA512: 334f248819511e9af43e6bafa89313505fc681430f6fffaebdac191177458a3dd1f8914ec4147b68e387330855a3d173fa4deb65a8a8e0fc9485124a1b19f9ed
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 1KB
  MD5: 3dc7f0583e7cd669808601d5b608c9e3
  SHA1: 1c4323d00263a19a47b8eb79ecf988284eafd5bd
  SHA256: 1fe275e64f4378cbf24fb63e86e7aa23a40f61b81cb0b24f5a02aadfa08dc9d4
  SHA512: 980c106c6e7facf81962519b0832263ac214962e98f362f6b06d845c3545db284573b8bc519f971a32327427302839fd7fdf5dd4dcfe70da30640f2c732b3294
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 0761f474d8369114b3acafe27514ac29
  SHA1: 38b0f99a20963f4b1c443e3537ed8a829e065351
  SHA256: 312fb47eb4621b291c0543c9f0760526f0f15f9d837309c0de36e8ae0776a3f3
  SHA512: 5fed6d4f62bdf31d5aa5a33acd7ec67e2ca36297e43c25d7a2e271eacbe1acf85442ff5e78d01e6a66bd1a8d50b748953a8e7661f4448c3b1bbadbe290857501
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 02ee8c7a310ef3e6b715e0044952d2c5
  SHA1: 8c403950453fc03629bae41def511d61da0cc7a8
  SHA256: a1b049c8b725757c66910b487694dcb4b61190d7ddd8d964b1d2142bb2e2b396
  SHA512: 730cede65169bf734c7046e0bb5532829928e8d04343e1729cd3ad1c14e01d78c85a148098550ef1778d79d4a19045a4a850b9649305aa812a8d12041b1c4e7a
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 489d401b98f63134a3634f9908ee1bbc
  SHA1: 9ccde7b514075a3569d2eb5b478a183239efcddc
  SHA256: 910251ee87e45718e3164c6e6af05ca01d32e2ac184ca23d2de57eac30312566
  SHA512: 417cd140a817aa82a6ccc7fdb17f36da5e6df525cf0289b8e024e816887cc2e73b070e6ed9f62e6df5afbf185102a7973a0f2571e6bfd85afa7ea59d0c830956
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 76bbb11f86b653083344efa91b7958fa
  SHA1: 95fcb7dbe859cea8a7ca9099f770d5a4c1daac59
  SHA256: b333276ef7baae7c495bcd0f03cceb184aeed32936c248a1c86c7840454281ed
  SHA512: ffe22be033971f2483fb2f5dcba30b46b13453671b94e66c06e412907c74e6cd7b082a519d45a31744c40a2b57d0b4b9ebfa384e28ebe3f78ae9ca4550e1000b