hxxps://weave[.]su/

Analysis

max time kernel
145s
max time network
144s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
04-05-2024 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://weave.su/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1432	msedge.exe
1432	msedge.exe
3316	msedge.exe
3316	msedge.exe
4944	msedge.exe
4944	msedge.exe
1556	identity_helper.exe
1556	identity_helper.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3316 wrote to memory of 3948	3316	msedge.exe	80
PID 3316 wrote to memory of 3948	3316	msedge.exe	80
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 804	3316	msedge.exe	82
PID 3316 wrote to memory of 1432	3316	msedge.exe	83
PID 3316 wrote to memory of 1432	3316	msedge.exe	83
PID 3316 wrote to memory of 2056	3316	msedge.exe	84
PID 3316 wrote to memory of 2056	3316	msedge.exe	84
PID 3316 wrote to memory of 2056	3316	msedge.exe	84
PID 3316 wrote to memory of 2056	3316	msedge.exe	84
PID 3316 wrote to memory of 2056	3316	msedge.exe	84
PID 3316 wrote to memory of 2056	3316	msedge.exe	84
PID 3316 wrote to memory of 2056	3316	msedge.exe	84
PID 3316 wrote to memory of 2056	3316	msedge.exe	84
PID 3316 wrote to memory of 2056	3316	msedge.exe	84
PID 3316 wrote to memory of 2056	3316	msedge.exe	84
PID 3316 wrote to memory of 2056	3316	msedge.exe	84
PID 3316 wrote to memory of 2056	3316	msedge.exe	84
PID 3316 wrote to memory of 2056	3316	msedge.exe	84
PID 3316 wrote to memory of 2056	3316	msedge.exe	84
PID 3316 wrote to memory of 2056	3316	msedge.exe	84
PID 3316 wrote to memory of 2056	3316	msedge.exe	84
PID 3316 wrote to memory of 2056	3316	msedge.exe	84
PID 3316 wrote to memory of 2056	3316	msedge.exe	84
PID 3316 wrote to memory of 2056	3316	msedge.exe	84
PID 3316 wrote to memory of 2056	3316	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://weave.su/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb36ad3cb8,0x7ffb36ad3cc8,0x7ffb36ad3cd8
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,14965696776961155652,17490351462070099954,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,14965696776961155652,17490351462070099954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,14965696776961155652,17490351462070099954,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14965696776961155652,17490351462070099954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:2128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14965696776961155652,17490351462070099954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,14965696776961155652,17490351462070099954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14965696776961155652,17490351462070099954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14965696776961155652,17490351462070099954,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14965696776961155652,17490351462070099954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14965696776961155652,17490351462070099954,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:996
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,14965696776961155652,17490351462070099954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,14965696776961155652,17490351462070099954,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2516 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4552

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
046d49efac191159051a8b2dea884f79

SHA1
d0cf8dc3bc6a23bf2395940cefcaad1565234a3a

SHA256
00dfb1705076450a45319666801a3a7032fc672675343434cb3d68baccb8e1f7

SHA512
46961e0f0e4d7f82b4417e4aac4434e86f2130e92b492b53a194255bd3bba0855069524cd645f910754d4d2dbf3f1dc467bcc997f01dc6b1d8d6028e2d957236

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d22039bc7833a3a27231b8eb834f70

SHA1
79c4290a2894b0e973d3c4b297fad74ef45607bb

SHA256
402defe561006133623c2a4791b2baf90b92d5708151c2bcac6d02d2771cd3d6

SHA512
c69ee22d8c52a61e59969aa757d58ab4f32492854fc7116975efc7c6174f5d998cc236bbf15bce330d81e39a026b18e29683b6d69c93d21fea6d14e21460a0a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
36f50b344dd69d5bbe660f8a9916134e

SHA1
6c8c195dd0511ab936758542ced8400ac48b38b6

SHA256
b4f580a06370d35a0493e9562efe58f50e00ba4106f3864767138a96261485ba

SHA512
e5ff27f1f3d266e77a171293b3bc94324b1a989ed71a6ce2c26f6d280ca741c58b023f8d1f2a94af0cbf5b654c6e31dda2f41027b66543b5bc7c9aa45f629889

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
537B

MD5
970f772ca793bee75f5c45b342fe668b

SHA1
fe90150a968a752d7b33022aaa3f382e98c4dd23

SHA256
6fe2645043bccb7ef1b86804e76a8977927e5a83db4494a64303d0dd0afb955a

SHA512
c6e85dbf8ad2e04583e6e41080ee5fa0097cbe48756ed23702bf91574fe0d5762387231b00f1a294e8c7a0078f24fdfadf000fea19e9f4a1624e23f2c3f1b3cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
184e7fe24df1781cf83f3c80abdae0f9

SHA1
3763e55e2be1fdf5d45536bc59b9b0c40bce6be1

SHA256
4022b1d4c0873b1f5a48002d946793277b5e93d5fff9188afe4ad291d0fdfb2b

SHA512
3293862ab4689bfd063cfeb60007d8b9ecb346109296807f24594609206a4254529870bfd9e8e46981bbe86e803ba1b7d48dee607073093f8af7577518d38085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
13c4095a6bb1959c6ea39002e02f0cb2

SHA1
9563ef9ea6bab80c6fa62c66328f2d52c071bdee

SHA256
2ab5e79c766288d0d86e70c91b990577b2a72a61bb47ab5472a3e6c7640fbb80

SHA512
b5fdef95b9259fa0381063a0b985c41a0a16ca9944b6f4ac25acb01247945b0b7d0f95d294245274c809a8b36b19c649dd7f64703ac24f2ff70ee6d6a3343cd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7b8a5fafb3ab3c846a47f1b53a49bba8

SHA1
9e7751f20b8be8ff3bc6e1dae3984eae0c0567c9

SHA256
c3344996807526ef48c34b420d461902a3e3548e4555aa365944bd8e7156db16

SHA512
ee6b654e9b6db3f0861eff09af6e726b78115b75d84016691201b8e3b898b1ca047662958eeb484f24821e86a15bfd39720dfdf88e53da10b49ef37736c50543

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2eb2d1df8dead243c86eac5635abe34b

SHA1
1bc7f02f41fd38f62508cf9827f059d464d928bd

SHA256
6ef13508ca6b68544bcd59fc2921adcc07f9c2085488f1a7b2cfdf6ff7d0b9ef

SHA512
45b5dfcfdb2ccd0a780dce87d3559dfcc99d6a373dbce5d4f071d2936b724329d9f626fd3dacc97d6900a0e54ebf1e8102016cd615b8941885c2cee6122d8d51

Download Submit