hxxp://pivothealth[.]io

Analysis

max time kernel
1043s
max time network
1044s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
02/05/2024, 09:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://pivothealth.io

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4444	msedge.exe
4444	msedge.exe
3112	msedge.exe
3112	msedge.exe
4008	msedge.exe
4008	msedge.exe
1084	identity_helper.exe
1084	identity_helper.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3112 wrote to memory of 3156	3112	msedge.exe	80
PID 3112 wrote to memory of 3156	3112	msedge.exe	80
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 3300	3112	msedge.exe	81
PID 3112 wrote to memory of 4444	3112	msedge.exe	82
PID 3112 wrote to memory of 4444	3112	msedge.exe	82
PID 3112 wrote to memory of 2304	3112	msedge.exe	83
PID 3112 wrote to memory of 2304	3112	msedge.exe	83
PID 3112 wrote to memory of 2304	3112	msedge.exe	83
PID 3112 wrote to memory of 2304	3112	msedge.exe	83
PID 3112 wrote to memory of 2304	3112	msedge.exe	83
PID 3112 wrote to memory of 2304	3112	msedge.exe	83
PID 3112 wrote to memory of 2304	3112	msedge.exe	83
PID 3112 wrote to memory of 2304	3112	msedge.exe	83
PID 3112 wrote to memory of 2304	3112	msedge.exe	83
PID 3112 wrote to memory of 2304	3112	msedge.exe	83
PID 3112 wrote to memory of 2304	3112	msedge.exe	83
PID 3112 wrote to memory of 2304	3112	msedge.exe	83
PID 3112 wrote to memory of 2304	3112	msedge.exe	83
PID 3112 wrote to memory of 2304	3112	msedge.exe	83
PID 3112 wrote to memory of 2304	3112	msedge.exe	83
PID 3112 wrote to memory of 2304	3112	msedge.exe	83
PID 3112 wrote to memory of 2304	3112	msedge.exe	83
PID 3112 wrote to memory of 2304	3112	msedge.exe	83
PID 3112 wrote to memory of 2304	3112	msedge.exe	83
PID 3112 wrote to memory of 2304	3112	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pivothealth.io
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe6e853cb8,0x7ffe6e853cc8,0x7ffe6e853cd8
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,16772388515328969868,18417957729744105733,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1752 /prefetch:2
  2⤵
  PID:3300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1848,16772388515328969868,18417957729744105733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2556 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1848,16772388515328969868,18417957729744105733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2592 /prefetch:8
  2⤵
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,16772388515328969868,18417957729744105733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,16772388515328969868,18417957729744105733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,16772388515328969868,18417957729744105733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4520 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,16772388515328969868,18417957729744105733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1848,16772388515328969868,18417957729744105733,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  PID:4200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1848,16772388515328969868,18417957729744105733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,16772388515328969868,18417957729744105733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,16772388515328969868,18417957729744105733,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1848,16772388515328969868,18417957729744105733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6324 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,16772388515328969868,18417957729744105733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6308 /prefetch:1
  2⤵
  PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,16772388515328969868,18417957729744105733,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,16772388515328969868,18417957729744105733,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5892 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1308

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004B8 0x00000000000004CC
1⤵
PID:4048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8d5e555f6429eb64461265a024abf016

SHA1
05a5dca6408d473d82fe45ebc8e4843653ad55af

SHA256
0344fd65882ba51695a10e1312e65f08d58afca83771c9d545e181829d6b5ed1

SHA512
be5edfdcda1ba0db9fbab48ee1b643f1b03821e24048892d18033094fec14171035179e987a08dd91a1c25d91d9256837a4105f6765afd225a868f3e95050b8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b5710c39b3d1cd6dd0e5d30fbe1146d6

SHA1
bf018f8a3e87605bfeca89d5a71776bfc8de0b47

SHA256
770d04df1484883a18accb258ecfa407d328c32c0ccbd8866c1203c5dfb4981f

SHA512
0f868e4ce284984662d8f0ff6e76f1a53e074a7223122a75efa7bb90d0204bc59bee4b36c215d219a03707c642e13f5efce0c3c57f46659a0cb1e7fd2f4d3cf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
768B

MD5
13c90159b38c31f9ab6fdd8ddef94c40

SHA1
44186da041bb4796e581a531427fcde229f662af

SHA256
1eea591ebdb177e14bd4a077dca5781c3887ae14d1c6a04d28a4f175f4d1eb82

SHA512
bf17cd7091de577e13f6526749ff6ac12a3314ae9d0dd2b306c26319d598fcf3788c5093549300c7a35c3877dbd52c89f6c2182460d83a29c2ec7f212ad30d36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
32f3c5a88488161aa07b9afa4eac969e

SHA1
0957175b62e1f240509eebb6e02063e8ec22cd69

SHA256
874c391f5d177fdd0231b0ed788b3ccdf0ce248a0b35f1a85340446086157bcb

SHA512
06ad04b9c4b0fd12f41e840bae0db33e1a0671c6b02659d87fa715309e0cb4b2c8312cccc6a01be627eead15cd8dcd74a82270b79106c44506be7112272eed1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3941786e9a8f7fdbc631fc994b256e8d

SHA1
eadaf0ec1767206311d84d6f55eceeac5caead6d

SHA256
27bc7c2673b2ca1b099f35e31c1e0faa6575459a93c4986170af8d39021d53f0

SHA512
ac32026952b0556931b102ba8698dcd5ac5040659e776ace4fc659d6f90f1014dee1f626fd42c474d90749ef215a396396b254a54d07bb4353f74c6bf28d58ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0d7591d844eab0db610e065d2d74f0bc

SHA1
4aa812e7797fd1a9b9118ba9a8b9d588398479a6

SHA256
f3a82cdfce12d0f18d72262b470c378009d09336afeb992e33f758ad982ca8d1

SHA512
b15b0d1d51c41e0953e5e51b2faaa7e2935a7ea27d0ec6000568d78983baeacf05481c8dfd46083f0e59ab026c11653588736cce9fe7d795ea84ea398bb8a741

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dc5006eecdbc589ecfdf563e1f5987ce

SHA1
9a512bb6be1c6da48176192426ca89ec7307bc99

SHA256
ed05b5a527adbfc95a76928f87787dfd69b25b60862b4698e04c9f7caca5b00a

SHA512
7371e14cad25b0f934a1aeada3d2e1e7cd28b85a2afda8aaef9e4f800568c5892893e0790344c589b415e66ae1386445424dce0986c2ce8d717c6519ad71e260

Download Submit