Analysis

max time kernel: 28s
max time network: 23s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 07/05/2024, 12:27

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://scratch.mit.edu/projects/472598865
Resource: win11-20240426-en

General

Target: https://scratch.mit.edu/projects/472598865
Malware Config
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
description        | ioc                                                                    | Process
Key opened         | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     | msedge.exe
Key value queried  | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  | msedge.exe
Key value queried  | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   | msedge.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid  | Process
2480 | msedge.exe (2 entries)
4452 | msedge.exe (2 entries)
4336 | msedge.exe (2 entries)
4552 | identity_helper.exe (2 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
pid  | Process
4452 | msedge.exe (6 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                        | pid  | Process
Token: 33                          | 2364 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege  | 2364 | AUDIODG.EXE

Suspicious use of FindShellTrayWindow (26 IoCs)
pid  | Process
4452 | msedge.exe (26 entries)

Suspicious use of SendNotifyMessage (12 IoCs)
pid  | Process
4452 | msedge.exe (12 entries)

Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, each row is repeated in the original report)
description                       | pid  | Process     | procid_target
PID 4452 wrote to memory of 4156  | 4452 | msedge.exe  | 79
PID 4452 wrote to memory of 2864  | 4452 | msedge.exe  | 80
PID 4452 wrote to memory of 2480  | 4452 | msedge.exe  | 81
PID 4452 wrote to memory of 4900  | 4452 | msedge.exe  | 82
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://scratch.mit.edu/projects/472598865
  PID: 4452
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  Child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc75413cb8,0x7ffc75413cc8,0x7ffc75413cd8
    PID: 4156

  Child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,18333583914336561282,12274122742354252480,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
    PID: 2864

  Child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,18333583914336561282,12274122742354252480,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
    PID: 2480
    - Suspicious behavior: EnumeratesProcesses

  Child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1868,18333583914336561282,12274122742354252480,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
    PID: 4900

  Child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,18333583914336561282,12274122742354252480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
    PID: 2732

  Child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,18333583914336561282,12274122742354252480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
    PID: 2716

  Child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1868,18333583914336561282,12274122742354252480,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5164 /prefetch:8
    PID: 3256

  Child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1868,18333583914336561282,12274122742354252480,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
    PID: 4336
    - Suspicious behavior: EnumeratesProcesses

  Child: C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1868,18333583914336561282,12274122742354252480,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 /prefetch:8
    PID: 4552
    - Suspicious behavior: EnumeratesProcesses

  Child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,18333583914336561282,12274122742354252480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
    PID: 1532

  Child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,18333583914336561282,12274122742354252480,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
    PID: 1144

  Child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,18333583914336561282,12274122742354252480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
    PID: 2828

  Child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,18333583914336561282,12274122742354252480,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
    PID: 3632

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4444

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 568

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004C0
  PID: 2364
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
  PID: 2908
Network
MITRE ATT&CK Enterprise v15
Downloads