Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-05-2024 19:24
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://lovespotlight.life/?u=hv0ktec&o=lw2plm6
Resource: win10v2004-20240426-en
General
Target: https://lovespotlight.life/?u=hv0ktec&o=lw2plm6
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes: msedge.exe, identity_helper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
Processes: msedge.exe
Suspicious use of FindShellTrayWindow (25 IoCs)
Processes: msedge.exe
Suspicious use of SendNotifyMessage (24 IoCs)
Processes: msedge.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: msedge.exe
Processes
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://lovespotlight.life/?u=hv0ktec&o=lw2plm6
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8958546f8,0x7ff895854708,0x7ff895854718
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,17435332558967949761,14844156891875790998,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,17435332558967949761,14844156891875790998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,17435332558967949761,14844156891875790998,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,17435332558967949761,14844156891875790998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,17435332558967949761,14844156891875790998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,17435332558967949761,14844156891875790998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5080 /prefetch:8
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,17435332558967949761,14844156891875790998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5080 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,17435332558967949761,14844156891875790998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,17435332558967949761,14844156891875790998,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,17435332558967949761,14844156891875790998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,17435332558967949761,14844156891875790998,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,17435332558967949761,14844156891875790998,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B; a second version with different hashes)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index (192B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State (505B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (6KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (6KB; a second version with different hashes)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT (16B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (11KB)
- \??\pipe\LOCAL\crashpad_1008_OCRZLSGADULJBQGU (no size listed; its MD5 d41d8cd98f00b204e9800998ecf8427e is the hash of zero-length input, so no pipe content was captured)