Analysis
- max time kernel: 148s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-05-2024 23:35
- URLScan task: urlscan1
- Behavioral task: behavioral1
- Sample: https://google.kz/amp/s/cloudflare-ipfs.com/ipfs/QmeFYfA5PZVFVGugSKX4BkUqsJsMxf6me51ZMVwz9d63jh/#[email protected]
- Resource: win10v2004-20240426-en
General
- Target: https://google.kz/amp/s/cloudflare-ipfs.com/ipfs/QmeFYfA5PZVFVGugSKX4BkUqsJsMxf6me51ZMVwz9d63jh/#[email protected]
Malware Config
Signatures
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  IoCs (flow, destination):
  - flow 59: ipinfo.io
  - flow 72: ipinfo.io
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  IoCs (process, description, key):
  - msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  - msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  - msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  IoCs (pid, process):
  - 2692 msedge.exe
  - 2692 msedge.exe
  - 212 msedge.exe
  - 212 msedge.exe
  - 2784 identity_helper.exe
  - 2784 identity_helper.exe
  - 5836 msedge.exe
  - 5836 msedge.exe
  - 5836 msedge.exe
  - 5836 msedge.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
  IoCs (pid, process):
  - 212 msedge.exe
  - 212 msedge.exe
  - 212 msedge.exe
  - 212 msedge.exe
  - 212 msedge.exe
  - 212 msedge.exe
  - 212 msedge.exe
  - 212 msedge.exe
- Suspicious use of FindShellTrayWindow (25 IoCs)
- Suspicious use of SendNotifyMessage (24 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Process tree (child processes are indented under their parent; signature hits are listed directly beneath the process that triggered them):
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://google.kz/amp/s/cloudflare-ipfs.com/ipfs/QmeFYfA5PZVFVGugSKX4BkUqsJsMxf6me51ZMVwz9d63jh/#[email protected]
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9fad346f8,0x7ff9fad34708,0x7ff9fad34718
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,15766355539864183507,11267672005412310202,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,15766355539864183507,11267672005412310202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,15766355539864183507,11267672005412310202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15766355539864183507,11267672005412310202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15766355539864183507,11267672005412310202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15766355539864183507,11267672005412310202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15766355539864183507,11267672005412310202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,15766355539864183507,11267672005412310202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,15766355539864183507,11267672005412310202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15766355539864183507,11267672005412310202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15766355539864183507,11267672005412310202,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15766355539864183507,11267672005412310202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15766355539864183507,11267672005412310202,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,15766355539864183507,11267672005412310202,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4980 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: c9c4c494f8fba32d95ba2125f00586a3
  SHA1: 8a600205528aef7953144f1cf6f7a5115e3611de
  SHA256: a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b
  SHA512: 9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 4dc6fc5e708279a3310fe55d9c44743d
  SHA1: a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2
  SHA256: a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8
  SHA512: 5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\234362e7-a398-492a-96e1-8e31c9fced5c.tmp
  Filesize: 5KB
  MD5: 659d5e1588494c5b798302fc55dabefc
  SHA1: fd33091374a1aa6e1903e3638c78b8cd49426962
  SHA256: e76f1061c1bd0be2ead9d7b9c9c096eacf2feb3a393f2ed1d8f4e7d0a8a3223e
  SHA512: 64bd66318473b79113ebae07614191fd26ea7c1ecdda67b7e48e9da513ba8318dbfe7ddfd9ecff1fefd22edaeb533e14a2230af0f33e277a3b0203376f5b0be6
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 288B
  MD5: 89fa2669e967ee72bdc371f477cd34be
  SHA1: 1b2dedf17a868f0c9c1bbdc155dfad0b032d56df
  SHA256: 4611ecd184ae9179566582f43e5d05fbc569c4f0e1e48b26d8d2008f6d6674fd
  SHA512: 11affa3623a7dc90055bb9843321d2a5a0fcfc94bca103716fe72a996594ef8d1823c0372877cc327269cc1e632aadd5401bfc38781a2efb73e4f049818d6570
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 2KB
  MD5: c3197032fb20d6a04df0e99addc21b87
  SHA1: 0efbabb2f422ed541d90ff27f4d99e1c618ef8c7
  SHA256: 92851caca4e63b164013404996d0a2053bf968d4a43ea6e892233e55193d44b2
  SHA512: dc07c551b571889ec1f433e4e35ff342229147ba99c878fa1ee7722cdd868825f1034dbe2839b1479d2c64ca2970a5718dc4d64eb9f186664129a046a79dfce5
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 6e1b44e8316da5ae141d3c0bd8f4a762
  SHA1: 46f83d548755aca3f3a3d32bef7399516ef2ffde
  SHA256: 2a6086bd707a0e0490637780f5074fd72a259506ec1648601f2ca92007808cbe
  SHA512: 6176dcff462eb6141d48f490961a96ac5ffe4c9f94583b0c1d4bee77318cfb3a38d5a2ea19af452c4852ffa48a23a2a6c9d8ff15e4a011d7537d42b6f72b7966
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 434cd7692657030ea490f29b7ced3b5b
  SHA1: a183aa2d5035df91a60efd20cc292cc5e3b77386
  SHA256: c63935c36e904038c0588ea42ffb0ab3ad928fbd1603d59c69bdd80b52b539dc
  SHA512: 026bfeb3018757b3e8cd96bd563544ad4837db1fe58d1f7d2ef99c9b7a70943c7ef6945b143ef0a23e02c24f284564602c575b6a54c040cb61ddb844d0859af6
- \??\pipe\LOCAL\crashpad_212_DLEHYJEWBGJUPBHF
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e