hxxps://siyenza[.]evlink4[.]net/public/contacts/unsubscribe/pVzdgm2sHf1MyMF7/avbjXbiSCHQxwNrm/9bc5b04a345e5b6d

Analysis

max time kernel
142s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://siyenza.evlink4.net/public/contacts/unsubscribe/pVzdgm2sHf1MyMF7/avbjXbiSCHQxwNrm/9bc5b04a345e5b6d

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1120	msedge.exe
1120	msedge.exe
1112	msedge.exe
1112	msedge.exe
2180	identity_helper.exe
2180	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 4920	1112	msedge.exe	82
PID 1112 wrote to memory of 4920	1112	msedge.exe	82
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 636	1112	msedge.exe	84
PID 1112 wrote to memory of 1120	1112	msedge.exe	85
PID 1112 wrote to memory of 1120	1112	msedge.exe	85
PID 1112 wrote to memory of 3928	1112	msedge.exe	86
PID 1112 wrote to memory of 3928	1112	msedge.exe	86
PID 1112 wrote to memory of 3928	1112	msedge.exe	86
PID 1112 wrote to memory of 3928	1112	msedge.exe	86
PID 1112 wrote to memory of 3928	1112	msedge.exe	86
PID 1112 wrote to memory of 3928	1112	msedge.exe	86
PID 1112 wrote to memory of 3928	1112	msedge.exe	86
PID 1112 wrote to memory of 3928	1112	msedge.exe	86
PID 1112 wrote to memory of 3928	1112	msedge.exe	86
PID 1112 wrote to memory of 3928	1112	msedge.exe	86
PID 1112 wrote to memory of 3928	1112	msedge.exe	86
PID 1112 wrote to memory of 3928	1112	msedge.exe	86
PID 1112 wrote to memory of 3928	1112	msedge.exe	86
PID 1112 wrote to memory of 3928	1112	msedge.exe	86
PID 1112 wrote to memory of 3928	1112	msedge.exe	86
PID 1112 wrote to memory of 3928	1112	msedge.exe	86
PID 1112 wrote to memory of 3928	1112	msedge.exe	86
PID 1112 wrote to memory of 3928	1112	msedge.exe	86
PID 1112 wrote to memory of 3928	1112	msedge.exe	86
PID 1112 wrote to memory of 3928	1112	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://siyenza.evlink4.net/public/contacts/unsubscribe/pVzdgm2sHf1MyMF7/avbjXbiSCHQxwNrm/9bc5b04a345e5b6d
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff80c8546f8,0x7ff80c854708,0x7ff80c854718
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,9590293588757680823,11913795612533572246,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
  2⤵
  PID:636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,9590293588757680823,11913795612533572246,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,9590293588757680823,11913795612533572246,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,9590293588757680823,11913795612533572246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,9590293588757680823,11913795612533572246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,9590293588757680823,11913795612533572246,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,9590293588757680823,11913795612533572246,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,9590293588757680823,11913795612533572246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:1260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,9590293588757680823,11913795612533572246,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,9590293588757680823,11913795612533572246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,9590293588757680823,11913795612533572246,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:1136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4548

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
605a1dbc60aab129b2caeaf941e37f0f

SHA1
714ae80dff779452e505c4c09c628853ebd17728

SHA256
2940dacc3f06ca775a2749d7d678259a9fda00f0836716773773f646a3b22fea

SHA512
cd19cafdfdea07d61fab03e7cbe1690e2bc3ebcd0be6bfaebea62bb77aaecd243aeffdc703acea175a0c164fbe68857922623117cdb7e24a242ce345633da897

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
541B

MD5
2c61a0b31c836f9c73c7c78cb8ca36dd

SHA1
5879a973483ba3bfe429202a065e84f18f2f30e9

SHA256
a20435258a488835faabc8261eddff4202c1dbcc2eb0a5201a2a2b36b18108e2

SHA512
230cfeff3f0ecbc176246540adc9fc107351e8cfad9c6aa5055fcac2f5d3d81d7114bc355d04297caacaf6ef137d734a1e50de59c4b467ef2e53423f2c985b67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4ec369dc318c9972afa3147f5e44447e

SHA1
cea4c1e49eaaca1d016b0ccac562a2e90ab908e5

SHA256
3f4beffb7e5db126ed82240bdddb55e9be351ff3c4f9a90dd316da517102ba84

SHA512
90a2e430153d4f0830721758d338b4d28d5640e5fb5d08d15136b84cd7c7b52d1ccfdc95b4de8486dd429df6af068aaf1efd925a33d55cd086f52dac66655097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
45fa62d9214a0d06bb755dd76c19e5f9

SHA1
c414f82da95204b065ce4ea90dcd39f63bee8968

SHA256
f946074e8cf6ceedae603e8eca5f3f1a017c80d9d629c099aa1bc6a1f8610adb

SHA512
874fb3fe46f04af47ac2e4af69ed953196ea72492c064b6c6557e469ec1cbe3827164e8234d1c71b0e9ca686473e1027ac500f37a6f6086d264929084ee10ddf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d674ded9d23d05d54cf0d6e5dc5e0964

SHA1
c4f07160c3391164101b81413fb95ef760db109b

SHA256
a2fcf568a4be2a03e14c1e4b63d9cfd1e82e695fc177a986be54edcc947acd24

SHA512
90c32c3b6524366e982c488ec2dfa289b53cc7e19df12ea8d35b17ba25075202efd15aa1b9738887895232dad33b437eb67c71d9468f4f26f7132433c543399b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0c9b3ba19a3a66120b7df67519844ed4

SHA1
fcd7ef07155cb9da3b8edfd476c58f0beae63d91

SHA256
c50e5480916df73d03d0c75b4a673c9251b7bf2f021334e58e72d728b6de4f0b

SHA512
ba12d44dd3f913138b7fbb665f44e97aad3d1ffffcb3dacccc5415f715ed47f23ecad13fe213184536eef482818284f2650b2511aeaf829f07ee9faae88cfb0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7304675ca0096354baf536a2a98da68e

SHA1
0db5082cb9cfe46ee5d009249cec5a8403fbe356

SHA256
e6769f7e4f26f996950ec5f5a2325f04795cb671db880b6b98b93be07cf8edf2

SHA512
968bf9d02b2d55973f45850b7a0f587797163b3fa09378b5668d25ffd9f8dce5569103318a65b35a92f8bb629c2b18049eb25397535ac14755138266e10cd4fc

Download Submit