hxxp://servedbydoceree[.]doceree[.]com

Analysis

max time kernel
21s
max time network
29s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://servedbydoceree.doceree.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exe

pid process

2064 msedge.exe
2064 msedge.exe
208 msedge.exe
208 msedge.exe
2244 identity_helper.exe
2244 identity_helper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

208 msedge.exe
208 msedge.exe
208 msedge.exe
208 msedge.exe
208 msedge.exe
208 msedge.exe
208 msedge.exe
208 msedge.exe

pid	process
2064	msedge.exe
2064	msedge.exe
208	msedge.exe
208	msedge.exe
2244	identity_helper.exe
2244	identity_helper.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe
208	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 208 wrote to memory of 4076	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 4076	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1008	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 2064	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 2064	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1928	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1928	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1928	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1928	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1928	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1928	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1928	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1928	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1928	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1928	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1928	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1928	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1928	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1928	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1928	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1928	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1928	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1928	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1928	208	msedge.exe	msedge.exe
PID 208 wrote to memory of 1928	208	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://servedbydoceree.doceree.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba57446f8,0x7ffba5744708,0x7ffba5744718
  2⤵
  PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,2029113053582129432,7922076494673193649,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:1008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,2029113053582129432,7922076494673193649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,2029113053582129432,7922076494673193649,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2029113053582129432,7922076494673193649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2029113053582129432,7922076494673193649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2029113053582129432,7922076494673193649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,2029113053582129432,7922076494673193649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3736 /prefetch:8
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,2029113053582129432,7922076494673193649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3736 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2029113053582129432,7922076494673193649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2029113053582129432,7922076494673193649,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2029113053582129432,7922076494673193649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2029113053582129432,7922076494673193649,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:3236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2029113053582129432,7922076494673193649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2060,2029113053582129432,7922076494673193649,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5492 /prefetch:8
  2⤵
  PID:5040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2580

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4476

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3d8 0x3ac
1⤵
PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4b4f91fa1b362ba5341ecb2836438dea

SHA1
9561f5aabed742404d455da735259a2c6781fa07

SHA256
d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c

SHA512
fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eaa3db555ab5bc0cb364826204aad3f0

SHA1
a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca

SHA256
ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b

SHA512
e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
1024KB

MD5
20720755f67df3ec592e7391d9ed0ff6

SHA1
2a73483dffdd11b030f8083d94bf6b7b1268e2bd

SHA256
c522e77c3f2f623855e6918134b2b0332994bcb92a35d3e8bd0ad72539b93a6d

SHA512
ab48ad738ce4631f44013d1d965eb18a20402cba6c58d9899765bc532755ea205afceabe81d2620c0bf4ca8bbe9dfee179d744e02ce93f0edfb0f182421137a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
be3dd42cd6304db1184dc851d75b4515

SHA1
1b8305d12579c0c9cbfb317c6b26c38137d48073

SHA256
c7d15af744798016039963a0350d0097b27e998175107656c4e05c8ccba6d5cd

SHA512
003f1811497818715dc127a58ac61dd71c7684ef1ffe3d4a5a616911e1db38cdf8b93cfcb2a0c385d5d8cb663e7fc16f2cd0943c2bc42f0d62cd2f435929dca8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4d09879ef2289e33a250268eac6cf218

SHA1
e3210b72ab624378723a9f640823c55f021a9fee

SHA256
e5e917e4b31f0d039a0187e861d78aa00efa8930d4b8bf409d42ff3db13f741e

SHA512
dc98b1a68ccc8a9abec91c666f8aac29ba15ae33810612f807193df51dfef524e366651df6946d1a42ad0ec386b49c28c4dbcc70c1dd054651b09557c7503dc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ac6bb2340cd02dfa52d0f9870f357608

SHA1
005c518a526f321c39f947bdb16810ffcc5d1199

SHA256
b92cfa9c2b14e69d344840d723612c769550e5afb11020612aa6c0451c55567c

SHA512
be07391287ce59f48c89fae608cb02620e45c8156cea7aa926c9f6e6c06aaf3064c077cb7cd1878c8f987830bd809286ded0edeb07de22137c9084e4f9dd1027

Download Submit
\??\pipe\LOCAL\crashpad_208_ETEADQCSQHLTRPFK

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit