hxxps://4207903[.]extforms[.]netsuite[.]com/app/site/hosting/scriptlet[.]nl?script=944&deploy=1&compid=4207903&h=64e2e1ddc67dfef4aec4

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 14:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://4207903.extforms.netsuite.com/app/site/hosting/scriptlet.nl?script=944&deploy=1&compid=4207903&h=64e2e1ddc67dfef4aec4

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3536	msedge.exe
3536	msedge.exe
4640	msedge.exe
4640	msedge.exe
4288	identity_helper.exe
4288	identity_helper.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 5064	4640	msedge.exe	84
PID 4640 wrote to memory of 5064	4640	msedge.exe	84
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 5084	4640	msedge.exe	85
PID 4640 wrote to memory of 3536	4640	msedge.exe	86
PID 4640 wrote to memory of 3536	4640	msedge.exe	86
PID 4640 wrote to memory of 1316	4640	msedge.exe	87
PID 4640 wrote to memory of 1316	4640	msedge.exe	87
PID 4640 wrote to memory of 1316	4640	msedge.exe	87
PID 4640 wrote to memory of 1316	4640	msedge.exe	87
PID 4640 wrote to memory of 1316	4640	msedge.exe	87
PID 4640 wrote to memory of 1316	4640	msedge.exe	87
PID 4640 wrote to memory of 1316	4640	msedge.exe	87
PID 4640 wrote to memory of 1316	4640	msedge.exe	87
PID 4640 wrote to memory of 1316	4640	msedge.exe	87
PID 4640 wrote to memory of 1316	4640	msedge.exe	87
PID 4640 wrote to memory of 1316	4640	msedge.exe	87
PID 4640 wrote to memory of 1316	4640	msedge.exe	87
PID 4640 wrote to memory of 1316	4640	msedge.exe	87
PID 4640 wrote to memory of 1316	4640	msedge.exe	87
PID 4640 wrote to memory of 1316	4640	msedge.exe	87
PID 4640 wrote to memory of 1316	4640	msedge.exe	87
PID 4640 wrote to memory of 1316	4640	msedge.exe	87
PID 4640 wrote to memory of 1316	4640	msedge.exe	87
PID 4640 wrote to memory of 1316	4640	msedge.exe	87
PID 4640 wrote to memory of 1316	4640	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://4207903.extforms.netsuite.com/app/site/hosting/scriptlet.nl?script=944&deploy=1&compid=4207903&h=64e2e1ddc67dfef4aec4
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba6a246f8,0x7ffba6a24708,0x7ffba6a24718
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,13711393627911059717,7567102399953758370,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,13711393627911059717,7567102399953758370,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,13711393627911059717,7567102399953758370,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  2⤵
  PID:1316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13711393627911059717,7567102399953758370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13711393627911059717,7567102399953758370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13711393627911059717,7567102399953758370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,13711393627911059717,7567102399953758370,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 /prefetch:8
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,13711393627911059717,7567102399953758370,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13711393627911059717,7567102399953758370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:4236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13711393627911059717,7567102399953758370,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13711393627911059717,7567102399953758370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13711393627911059717,7567102399953758370,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:1732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,13711393627911059717,7567102399953758370,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1052 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56641592f6e69f5f5fb06f2319384490

SHA1
6a86be42e2c6d26b7830ad9f4e2627995fd91069

SHA256
02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455

SHA512
c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
612a6c4247ef652299b376221c984213

SHA1
d306f3b16bde39708aa862aee372345feb559750

SHA256
9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a

SHA512
34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
199KB

MD5
585ac11a4e8628c13c32de68f89f98d6

SHA1
bcea01f9deb8d6711088cb5c344ebd57997839db

SHA256
d692f27c385520c3b4078c35d78cdf154c424d09421dece6de73708659c7e2a6

SHA512
76d2ed3f41df567fe4d04060d9871684244764fc59b81cd574a521bb013a6d61955a6aedf390a1701e3bfc24f82d92fd062ca9e461086f762a3087c142211c19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
862f0d195d40b7ce73b1cd6b1cb3b5d7

SHA1
8df6b85f54ee7b668195d614ad115674972e9641

SHA256
9d2c70a393af6981b69701e5012562ecfd5bfc966037763e4af12cda320141d1

SHA512
e55c3cd74402d5702a7cb579cb5f7f4c028356bf0a0b95f2e72d94c564da0b0f7d64ed1a9c721bb553542c06d8041580968722f00e2e850b2efd9354d25d800c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
902B

MD5
405b4fb75e05fc4ec79a2757de9c3d61

SHA1
5935fb3e4d802e81011da9d7602701c85704edf5

SHA256
bbe5752b5e66eb619e878be3e44d5cd99e7ac79a81ccfa844e1eaae85ce290c3

SHA512
fbf4c8609055e685783e7efc9d2d31a0814dcd831d6a626bf54124eca80cefc17f8cf485a04dcc7fe0c349d92f161a1acf7b1083fd6bb90239eef2eb7eb81bca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c11256f475949207a0d9b7edd1800e03

SHA1
f794551f12b0f342884a86d09677001307c3f4d0

SHA256
35525ccae69caa46521150a024b0a3565567f55b1f4549acfc6c74154575d59e

SHA512
29caaa665d8b1f4c8cf44662b17dd07ac4ba867c95e0c74e9c5a86ea2dfaae113710ff5d7bbc9a9f908863be2e87cdaa703e0ea1a93f91380810b42956d048d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b33203929b29918901ba40bbbe1c4445

SHA1
af314a44808e912d82ec3eec056e6eabbad9cbe1

SHA256
1fcc5896584bdd11e949e3dcd4f4642a469e1acfcd937635f65d1cb81459942f

SHA512
5f8089590feb26191887a4e3b5252cc1bb622975be4589674042244130985775019705a1ca654ea7a2abab7b42f3cb7c544dcdccefe6b5f5c203590cc521b086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ba82fc3d57b8982c842d5853edd73fc7

SHA1
9f8129f7836c5caf2f6638407469b62f97c9b454

SHA256
3d446317b56b0bd3a65595aaec64cf4a8d68005739e3665e8d089382de2feda6

SHA512
cf0844e0b00cd2762d7c4ae213a3a6f4c3de1613aff64fc2d3ac25a66ef1fdf67ffdc97391c5170f4dd554ff2a56f000b836178df30b4858558e6d04c6393b88

Download Submit