Analysis

max time kernel: 145s
max time network: 143s
platform: windows11-21h2_x64
resource: win11-20240419-en
resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 02-05-2024 23:51

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://uspdexpress.com/domain.html
Resource: win11-20240419-en

General

Target: https://uspdexpress.com/domain.html
Malware Config
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                    Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid   Process
  4156  msedge.exe (2 entries)
  900   msedge.exe (2 entries)
  2276  identity_helper.exe (2 entries)
  1856  msedge.exe (2 entries)
  3272  msedge.exe (4 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  pid  Process
  900  msedge.exe (6 entries)

Suspicious use of FindShellTrayWindow (25 IoCs)
  pid  Process
  900  msedge.exe (25 entries)

Suspicious use of SendNotifyMessage (12 IoCs)
  pid  Process
  900  msedge.exe (12 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
  description                      pid  Process     procid_target
  PID 900 wrote to memory of 1644  900  msedge.exe  79
  PID 900 wrote to memory of 2792  900  msedge.exe  80
  PID 900 wrote to memory of 4156  900  msedge.exe  81
  PID 900 wrote to memory of 2044  900  msedge.exe  82
  The 64 entries repeat these four rows: 1644 and 4156 appear twice each, and the remaining 60 entries are writes to 2792 and 2044.
Processes

Process tree (children are indented under their parent):

PID 900  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://uspdexpress.com/domain.html
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  PID 1644  msedge.exe (crashpad-handler)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbb7f13cb8,0x7ffbb7f13cc8,0x7ffbb7f13cd8

  PID 2792  msedge.exe (gpu-process)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,744399764900010090,1167980052233147198,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2

  PID 4156  msedge.exe (utility: network.mojom.NetworkService)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,744399764900010090,1167980052233147198,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  PID 2044  msedge.exe (utility: storage.mojom.StorageService)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,744399764900010090,1167980052233147198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2596 /prefetch:8

  PID 3904  msedge.exe (renderer)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,744399764900010090,1167980052233147198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1

  PID 1800  msedge.exe (renderer)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,744399764900010090,1167980052233147198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1

  PID 2276  identity_helper.exe (utility: winrt_app_id.mojom.WinrtAppIdService)
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,744399764900010090,1167980052233147198,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  PID 3096  msedge.exe (renderer)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,744399764900010090,1167980052233147198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:1

  PID 2376  msedge.exe (renderer, instant process)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,744399764900010090,1167980052233147198,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1

  PID 1856  msedge.exe (utility: chrome.mojom.UtilWin)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1936,744399764900010090,1167980052233147198,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3284 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  PID 2800  msedge.exe (renderer)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,744399764900010090,1167980052233147198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1

  PID 3100  msedge.exe (renderer, instant process)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,744399764900010090,1167980052233147198,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1

  PID 3272  msedge.exe (gpu-process, GPU sandbox disabled)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,744399764900010090,1167980052233147198,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1680 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses

PID 5060  C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 5008  C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads