hxxps://gofund[.]me/96d18d78

Analysis

max time kernel
112s
max time network
111s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
26/04/2024, 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofund.me/96d18d78

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3692	msedge.exe
3692	msedge.exe
3296	msedge.exe
3296	msedge.exe
4656	identity_helper.exe
4656	identity_helper.exe
1988	msedge.exe
1988	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3296 wrote to memory of 3108	3296	msedge.exe	79
PID 3296 wrote to memory of 3108	3296	msedge.exe	79
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 4000	3296	msedge.exe	80
PID 3296 wrote to memory of 3692	3296	msedge.exe	81
PID 3296 wrote to memory of 3692	3296	msedge.exe	81
PID 3296 wrote to memory of 4584	3296	msedge.exe	82
PID 3296 wrote to memory of 4584	3296	msedge.exe	82
PID 3296 wrote to memory of 4584	3296	msedge.exe	82
PID 3296 wrote to memory of 4584	3296	msedge.exe	82
PID 3296 wrote to memory of 4584	3296	msedge.exe	82
PID 3296 wrote to memory of 4584	3296	msedge.exe	82
PID 3296 wrote to memory of 4584	3296	msedge.exe	82
PID 3296 wrote to memory of 4584	3296	msedge.exe	82
PID 3296 wrote to memory of 4584	3296	msedge.exe	82
PID 3296 wrote to memory of 4584	3296	msedge.exe	82
PID 3296 wrote to memory of 4584	3296	msedge.exe	82
PID 3296 wrote to memory of 4584	3296	msedge.exe	82
PID 3296 wrote to memory of 4584	3296	msedge.exe	82
PID 3296 wrote to memory of 4584	3296	msedge.exe	82
PID 3296 wrote to memory of 4584	3296	msedge.exe	82
PID 3296 wrote to memory of 4584	3296	msedge.exe	82
PID 3296 wrote to memory of 4584	3296	msedge.exe	82
PID 3296 wrote to memory of 4584	3296	msedge.exe	82
PID 3296 wrote to memory of 4584	3296	msedge.exe	82
PID 3296 wrote to memory of 4584	3296	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofund.me/96d18d78
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa58563cb8,0x7ffa58563cc8,0x7ffa58563cd8
  2⤵
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,4395006804941191091,3553100945511315438,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,4395006804941191091,3553100945511315438,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,4395006804941191091,3553100945511315438,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2612 /prefetch:8
  2⤵
  PID:4584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,4395006804941191091,3553100945511315438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,4395006804941191091,3553100945511315438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,4395006804941191091,3553100945511315438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:408
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,4395006804941191091,3553100945511315438,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,4395006804941191091,3553100945511315438,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,4395006804941191091,3553100945511315438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,4395006804941191091,3553100945511315438,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,4395006804941191091,3553100945511315438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,4395006804941191091,3553100945511315438,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
  2⤵
  PID:4872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0c5042350ee7871ccbfdc856bde96f3f

SHA1
90222f176bc96ec17d1bdad2d31bc994c000900c

SHA256
b8b1cb139d4d19a85adce0152fa3c4f6adfb73a322d7253820e848c6f82afc1b

SHA512
2efdb535fa6a06c4f9702b2129f2dd07c330e37fd10b492f2236007c660c1707773c22005d1e1fa580dbf633dc1a700ada3b7b611ef9accd9555a17a244f61ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
50f47fb34b14d199fd6ad5251d058f84

SHA1
71803ac1f44ff0b282c51d85bac576e72586619a

SHA256
72f88b19c8109f5a2f83c94e15f1eb7e7025a68b5cd2c03b27b2807b86925b4d

SHA512
a65baf40668a1662b215a283893c30fc392abcc328321e574fe8539c8d69d47ed96583c3425a589bcf741b01e168be9df43769db8e634cdef0088ec7f305d3cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
f7637502a02b82ca6e1e6ee711d974f5

SHA1
96f0297370f9fa9c7a55b3331dc0031639b62c13

SHA256
e8405fe97508582445cfb471d54b91135e5f1f7cf08210c705dcd337cf4a3730

SHA512
f8ae9928282c949f49fb8b66508434236b0e59a0e5b27cf61ee02857be9aec4bbd9696e7ebccd369fd018051f7c17e5ce329d62a6cf560fe9ed8a397e7eaa658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6e20478b06b79b08aa6930dcc7f5358d

SHA1
f08130f828fe97cd28644e704107655fe0d2b3b2

SHA256
51d1176ad9a9283030685faabe2677199467d951ff0d9eca5bc460e65aa96d31

SHA512
1aa71b8fdbb555f82d1a79acded749ce768572a1a2356ce49bc0226f2c6514f31421635b516c787010dd9c69e7e96e468e4db8e31ce11ebf6b7d118be51f93a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ed6d961a700d5180e887a853739b4391

SHA1
ba69a5cc6caa838fbf5f856e9436d6cbb583ad18

SHA256
0b29bbee4b44b4b7dc6e8de036c9010faeb712865fa135b59ca5faf96db317e9

SHA512
b7b7d39bddb74968872554b55a8f9bc8109ac444542cea84acade761b66c79022803c9cbd606910a2825f627e33fe1a8e6cb9585f1dabcec9d78131e65e13d1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
045d6c4d06faca5b0886014b8c182063

SHA1
6e8327f1716c3a630eb62a76742686ad97d166de

SHA256
679178e28e93ab9a10f3de854e36aee025982b1fc7c168a998f8da71189aa635

SHA512
491d055afd37c2f113825d7ed060bfec0ff8bf0ab249d9ee62b87226e1ad9362c5456c5ac3a73f1746586de8b4df92f8d396cd551699a3c0f8964c53399d7fe7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58a870.TMP

Filesize
1KB

MD5
358b10f017d855c9506a862fd9c97bd8

SHA1
5d6a80d14b34d7eeeda01535c331d202d989e80f

SHA256
e87f3b4133489dcaa8e5e6b54d3fd8bc6dbfe965980a5929cbb2125dc4b43d98

SHA512
4ad0215ce00ae2e122a9db0ec228f53687b4a6fd8bdbe128f1b18c7b51339cfa870c81862a0552de0ecdc647d5655368b3b70bc4d7a3449c963f215b1430241b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e35d3bab0b615bddcc85ba90b60c00ea

SHA1
d5785d1e41939b5545c58d66d62932ce23892a6d

SHA256
435dc751e3af4dbd0e10394e74a1e57d7668d11404a7ecff68e500fbd623bd51

SHA512
55899b91c3373607aa11de243580dab6116d1640389de07c12e151aae8cbd53b19135607465993e0928cd3950fc39dec9c81eb2138b07cbe9ac08ac3e7fb7b6e

Download Submit