Analysis
max time kernel: 145s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-04-2024 09:08
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://38.242.195.135
Resource: win10v2004-20240412-en

General
Target: http://38.242.195.135
Malware Config

Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description, ioc, process):
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)

Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes (pid, process):
- 4604 msedge.exe (2 IoCs)
- 3840 msedge.exe (2 IoCs)
- 4124 identity_helper.exe (2 IoCs)
- 5692 msedge.exe (4 IoCs)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
Processes (pid, process):
- 3840 msedge.exe (all 10 IoCs)

Suspicious use of FindShellTrayWindow (25 IoCs)
Processes (pid, process):
- 3840 msedge.exe (all 25 IoCs)

Suspicious use of SendNotifyMessage (24 IoCs)
Processes (pid, process):
- 3840 msedge.exe (all 24 IoCs)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description; pid, process; target process), identical repeated rows collapsed:
- PID 3840 wrote to memory of 2468; 3840 msedge.exe; msedge.exe
- PID 3840 wrote to memory of 2528; 3840 msedge.exe; msedge.exe
- PID 3840 wrote to memory of 4604; 3840 msedge.exe; msedge.exe
- PID 3840 wrote to memory of 4664; 3840 msedge.exe; msedge.exe
Processes (process tree; child processes are indented under their parent)

- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://38.242.195.135
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef73e46f8,0x7ffef73e4708,0x7ffef73e4718
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,18274962139625026229,6962072800289825013,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1968 /prefetch:2
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,18274962139625026229,6962072800289825013,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2792 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2008,18274962139625026229,6962072800289825013,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,18274962139625026229,6962072800289825013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,18274962139625026229,6962072800289825013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,18274962139625026229,6962072800289825013,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,18274962139625026229,6962072800289825013,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,18274962139625026229,6962072800289825013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,18274962139625026229,6962072800289825013,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,18274962139625026229,6962072800289825013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,18274962139625026229,6962072800289825013,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,18274962139625026229,6962072800289825013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,18274962139625026229,6962072800289825013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,18274962139625026229,6962072800289825013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,18274962139625026229,6962072800289825013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,18274962139625026229,6962072800289825013,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6048 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152 B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152 B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (5 KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (5 KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences (24 KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT (16 B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (10 KB)
- \??\pipe\LOCAL\crashpad_3840_HNTSMACKAHMLKLQF