hxxp://www[.]mtconline[.]tw/mtconline/course-NewsChinese[.]php

Analysis

max time kernel
328s
max time network
330s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2024, 08:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.mtconline.tw/mtconline/course-NewsChinese.php

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4192	msedge.exe
4192	msedge.exe
3544	msedge.exe
3544	msedge.exe
1048	identity_helper.exe
1048	identity_helper.exe
5864	msedge.exe
5864	msedge.exe
5864	msedge.exe
5864	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 1376	3544	msedge.exe	85
PID 3544 wrote to memory of 1376	3544	msedge.exe	85
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4196	3544	msedge.exe	86
PID 3544 wrote to memory of 4192	3544	msedge.exe	87
PID 3544 wrote to memory of 4192	3544	msedge.exe	87
PID 3544 wrote to memory of 3044	3544	msedge.exe	88
PID 3544 wrote to memory of 3044	3544	msedge.exe	88
PID 3544 wrote to memory of 3044	3544	msedge.exe	88
PID 3544 wrote to memory of 3044	3544	msedge.exe	88
PID 3544 wrote to memory of 3044	3544	msedge.exe	88
PID 3544 wrote to memory of 3044	3544	msedge.exe	88
PID 3544 wrote to memory of 3044	3544	msedge.exe	88
PID 3544 wrote to memory of 3044	3544	msedge.exe	88
PID 3544 wrote to memory of 3044	3544	msedge.exe	88
PID 3544 wrote to memory of 3044	3544	msedge.exe	88
PID 3544 wrote to memory of 3044	3544	msedge.exe	88
PID 3544 wrote to memory of 3044	3544	msedge.exe	88
PID 3544 wrote to memory of 3044	3544	msedge.exe	88
PID 3544 wrote to memory of 3044	3544	msedge.exe	88
PID 3544 wrote to memory of 3044	3544	msedge.exe	88
PID 3544 wrote to memory of 3044	3544	msedge.exe	88
PID 3544 wrote to memory of 3044	3544	msedge.exe	88
PID 3544 wrote to memory of 3044	3544	msedge.exe	88
PID 3544 wrote to memory of 3044	3544	msedge.exe	88
PID 3544 wrote to memory of 3044	3544	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.mtconline.tw/mtconline/course-NewsChinese.php
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb226846f8,0x7ffb22684708,0x7ffb22684718
  2⤵
  PID:1376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,3446162460439011111,7679096641688139836,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,3446162460439011111,7679096641688139836,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,3446162460439011111,7679096641688139836,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3446162460439011111,7679096641688139836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3446162460439011111,7679096641688139836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2280 /prefetch:1
  2⤵
  PID:2564
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,3446162460439011111,7679096641688139836,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,3446162460439011111,7679096641688139836,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3446162460439011111,7679096641688139836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3446162460439011111,7679096641688139836,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3446162460439011111,7679096641688139836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3446162460439011111,7679096641688139836,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,3446162460439011111,7679096641688139836,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1292 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a9519bc058003dbea34765176083739e

SHA1
ef49b8790219eaddbdacb7fc97d3d05433b8575c

SHA256
e034683bc434a09f5d0293cb786e6a3943b902614f9211d42bed47759164d38b

SHA512
a1b67ccf313173c560ead25671c64de65e3e2599251926e33ce8399fde682fce5cb20f36ee330fcd8bb8f7a9c00ef432da56c9b02dfd7d3f02865f390c342b53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb138796dbfb37877fcae3430bb1e2a7

SHA1
82bb82178c07530e42eca6caf3178d66527558bc

SHA256
50c55ba7baeebe1fa4573118edbca59010d659ea42761148618fb3af8a1c9bdd

SHA512
287471cccbe33e08015d6fc35e0bcdca0ec79bebc3a58f6a340b7747b5b2257b33651574bc83ed529aef2ba94be6e68968e59d2a8ef5f733dce9df6404ad7cc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
10d8fc075e9db685c5f71146c0037e31

SHA1
c9bd737c80750d55cd412f57e8cf00b4c4298abe

SHA256
e71f0beb07f43edec833eb5797d557d78ca18ad44afaa00a6e4b2c2973dd4722

SHA512
c1f7b852ed889002245df0ca508969ab812af3122041da387365cdaba187cf78d7cfad661105ddfa518cc71fa5c2bf9707036671c402d1e9aa04412b890d315a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
505B

MD5
96a57e74469fe389ca3ae7f7b1c0df7c

SHA1
2a8e08fd1e5d026efc1b88c3cf716eb078db5927

SHA256
c7bf5fb9a5dd987ea79b2a77d7e6461271c638237f2f5b52a554fa2ca57396d8

SHA512
9fc21b911c3d104e2a31f5631b6720e8118ea836dbaee969801555076bad31cc1e8d2620fcb0948f215278476cccf783731fd5f5b092fc9d948d9cedce0f91e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0f5af5b47b0412fdc548e1adcb4544c7

SHA1
189c6e292b0b7f9523c9e5935a8961b55a5ae891

SHA256
d9d34c7f85696f1f761eadab3dfe85c89a4fe967abce206633a0357ef17c73d4

SHA512
3a3515c1f6d26d140b85c1f3d99fbedabac8dcc37d15dc9c00d58990c6b8201df804229988d8f69a4fc5d4319af86866713714b172b949bc6220786d4b24abb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fe1171fabff373205408ebf5bb9a2feb

SHA1
4fa5912cacefbe8083d0bc953c8486446ce7385a

SHA256
ae62a825ee276e630eefc53fb7ca554bad05a713aab4de67f7cbde7da8e7be9d

SHA512
4cf310658bc4174eacbab448be19d4edc1ba22911169d70909f0ece76755b5dd2455f04db645a1724da2b1e16adf8dbcf70c41ea70b53f4029c49e18ab61d258

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a2b15e654cf256bf71eda48dae2d8bd4

SHA1
2699edeb287896ee97638d8e51a1d974cc02ab74

SHA256
42950908f7b2179e1a1e2d357dc2665bae227daa6eada25914a40a5f152cd76b

SHA512
a9356c50019c91dbff45df6480b3d661b442c25d134aeccbe5402fef555ba83fe8ef4781a36903526d247fd3a26e88cf39b548b99d7b1fea74f9aab72bf4173f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f1c9539bbf0fab64c26f47c9815a7b21

SHA1
a47ed76e37b92970c60d7bcc42a3153f5eb9e4a2

SHA256
20c5f319d62c09317f9297d1add1609db408c0bdc15928c893a35e4074f08d1e

SHA512
8aa2cc1b800a56216ea79030913cc8c14cac6306edb587255c6af53374352aef4303f1b1e38a15dc73ff05de020c6e2bdf5dedbaa64fbb44872af1850e4c7a5b

Download Submit