hxxp://www[.]fundraising[.]pbs[.]mt

Resubmissions

14/05/2024, 16:58

240514-vg7jksfb2s 1

14/05/2024, 16:53

240514-vd5ktafd39 1

14/05/2024, 16:50

240514-vcf6tseg9v 1

Analysis

max time kernel
145s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 16:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://www.fundraising.pbs.mt

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1604	msedge.exe
1604	msedge.exe
3776	msedge.exe
3776	msedge.exe
3420	identity_helper.exe
3420	identity_helper.exe
808	msedge.exe
808	msedge.exe
808	msedge.exe
808	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3776 wrote to memory of 2028	3776	msedge.exe	82
PID 3776 wrote to memory of 2028	3776	msedge.exe	82
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 3580	3776	msedge.exe	83
PID 3776 wrote to memory of 1604	3776	msedge.exe	84
PID 3776 wrote to memory of 1604	3776	msedge.exe	84
PID 3776 wrote to memory of 3092	3776	msedge.exe	85
PID 3776 wrote to memory of 3092	3776	msedge.exe	85
PID 3776 wrote to memory of 3092	3776	msedge.exe	85
PID 3776 wrote to memory of 3092	3776	msedge.exe	85
PID 3776 wrote to memory of 3092	3776	msedge.exe	85
PID 3776 wrote to memory of 3092	3776	msedge.exe	85
PID 3776 wrote to memory of 3092	3776	msedge.exe	85
PID 3776 wrote to memory of 3092	3776	msedge.exe	85
PID 3776 wrote to memory of 3092	3776	msedge.exe	85
PID 3776 wrote to memory of 3092	3776	msedge.exe	85
PID 3776 wrote to memory of 3092	3776	msedge.exe	85
PID 3776 wrote to memory of 3092	3776	msedge.exe	85
PID 3776 wrote to memory of 3092	3776	msedge.exe	85
PID 3776 wrote to memory of 3092	3776	msedge.exe	85
PID 3776 wrote to memory of 3092	3776	msedge.exe	85
PID 3776 wrote to memory of 3092	3776	msedge.exe	85
PID 3776 wrote to memory of 3092	3776	msedge.exe	85
PID 3776 wrote to memory of 3092	3776	msedge.exe	85
PID 3776 wrote to memory of 3092	3776	msedge.exe	85
PID 3776 wrote to memory of 3092	3776	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.fundraising.pbs.mt
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed44d46f8,0x7ffed44d4708,0x7ffed44d4718
  2⤵
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,5157358364183406688,3640928418565677567,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,5157358364183406688,3640928418565677567,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,5157358364183406688,3640928418565677567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
  2⤵
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5157358364183406688,3640928418565677567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:1
  2⤵
  PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5157358364183406688,3640928418565677567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:1
  2⤵
  PID:420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5157358364183406688,3640928418565677567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,5157358364183406688,3640928418565677567,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:2580
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,5157358364183406688,3640928418565677567,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5157358364183406688,3640928418565677567,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2172,5157358364183406688,3640928418565677567,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=5404 /prefetch:6
  2⤵
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5157358364183406688,3640928418565677567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5157358364183406688,3640928418565677567,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
  2⤵
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5157358364183406688,3640928418565677567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
  2⤵
  PID:2116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5157358364183406688,3640928418565677567,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
  2⤵
  PID:1072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,5157358364183406688,3640928418565677567,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5084 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3128

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
e16b1211b9a20e6e5885ba739602f3b7

SHA1
97da0d20c376e8e85a0e88f404965facbe677307

SHA256
6cb57f3aff0df86fa219a60f83a6b793aa7e9f26bb47825db7018f394b4c68d8

SHA512
5e72816ffcaaf4a5263c0c6c7f5217cbb8e202d24c566edeac317ad3f136746eca8ae8bbb4556fc933062e7e605f4a307eb9226964f608201edb07618da74730

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
777B

MD5
61b4a9b4508bde451b1e6d3f2b64ce85

SHA1
4d7131e0f4ed6b263f7d86c7f9ab791bdb8ac0b2

SHA256
cf9ff4f79641deaa989db1dd3fe22de6ade7b6cb592fe9b1ca49277203289e9a

SHA512
013f16ef4dd0a6fdde86761abb8f53ade4a62e63d4c58a1c3e513cfbad00e26e45d7621cdc9dcc8d3e4100881186b179ad2a95a63d6c6141e81298ad1db15c02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d9f7367eebe2c0a7c2848d9d9b033aac

SHA1
18368b2d3ce0d27f1ae19a4f5758c359787d1d14

SHA256
e3811a14533a2d4183f3563d5fef11e5f91f471275c281398665c1b150296cce

SHA512
a09abb9fe4eddce0d79b0779f11443d52f2a95dbfad3a8e89c730f02c70c7ca6c00d1e401b2a34323b84672c9cf25e7f5bbfde67c0a06f7f8b29637e71200946

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5812acbc7aee074831a466d196f91009

SHA1
581bea18ac6d914a93697c4617a37b012cf83bf0

SHA256
c0ea03aa688bb80e39c51f30e8ee06f09774905c12757606f1bd7a45d89321bb

SHA512
2994451bfbdd8dcc19daf6653b361f6ed812deff533df05fe802a9181b8b45923df3cfa15be27b1492c269f81ef463bad623a10479064d7291bcbde6ca5d37b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e636e2953f8f3d214e9eb871f63ebb2e

SHA1
6258bffbe1093a48d2669ac85551dbccc4cf3128

SHA256
417759a245003e5d8793c0b3d243228abae252afc384367b56c72ce37b0418f3

SHA512
c415584b8803414e7162d744306df21963cba48c849d129f484c20f9f95be9a49559ae806a0460af0d7c673ab0096281719863817eba7bd21af50c451d58f2d9

Download Submit