Analysis

max time kernel: 145s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-05-2024 18:26

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://ul5os.ru/c
  Resource: win10v2004-20240508-en

General

Target: https://ul5os.ru/c
Malware Config

Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
  description        ioc                                                                    process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes: msedge.exe, msedge.exe, identity_helper.exe, msedge.exe
  pid   process
  4144  msedge.exe           (2 rows)
  220   msedge.exe           (2 rows)
  4372  identity_helper.exe  (2 rows)
  640   msedge.exe           (4 rows)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
Processes: msedge.exe
  pid   process
  220   msedge.exe  (6 rows)

Suspicious use of FindShellTrayWindow (28 IoCs)
Processes: msedge.exe
  pid   process
  220   msedge.exe  (28 rows)

Suspicious use of SendNotifyMessage (24 IoCs)
Processes: msedge.exe
  pid   process
  220   msedge.exe  (24 rows)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: msedge.exe
  description                          pid  process     target process
  PID 220 wrote to memory of 228       220  msedge.exe  msedge.exe  (2 rows)
  PID 220 wrote to memory of 3212      220  msedge.exe  msedge.exe  (repeated rows)
  PID 220 wrote to memory of 4144      220  msedge.exe  msedge.exe  (2 rows)
  PID 220 wrote to memory of 2384      220  msedge.exe  msedge.exe  (repeated rows)
  The rows for targets 3212 and 2384 account for the remaining 60 of the 64 IoCs; all writes originate from the Edge browser process (PID 220) into its own child processes.
Processes

Process tree (depth 1 = top-level process, depth 2 = child of the preceding depth-1 process):

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ul5os.ru/c
    Signatures:
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff97d9546f8,0x7ff97d954708,0x7ff97d954718

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,1743274474042558302,4821787541628564367,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,1743274474042558302,4821787541628564367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
      Signatures:
      - Suspicious behavior: EnumeratesProcesses

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,1743274474042558302,4821787541628564367,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1743274474042558302,4821787541628564367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1743274474042558302,4821787541628564367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,1743274474042558302,4821787541628564367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,1743274474042558302,4821787541628564367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
      Signatures:
      - Suspicious behavior: EnumeratesProcesses

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1743274474042558302,4821787541628564367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1743274474042558302,4821787541628564367,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1743274474042558302,4821787541628564367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1743274474042558302,4821787541628564367,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,1743274474042558302,4821787541628564367,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4612 /prefetch:2
      Signatures:
      - Suspicious behavior: EnumeratesProcesses

[1] C:\Windows\System32\CompPkgSrv.exe
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\System32\CompPkgSrv.exe
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5:    a8e767fd33edd97d306efb6905f93252
  SHA1:   a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
  SHA256: c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
  SHA512: 07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5:    439b5e04ca18c7fb02cf406e6eb24167
  SHA1:   e0c5bb6216903934726e3570b7d63295b9d28987
  SHA256: 247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
  SHA512: d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 144B
  MD5:    cda7af55826cb9c1691736026cfe9fc0
  SHA1:   3e22578121531e4a6a77c7b8ad88b5170aba8d7a
  SHA256: cdc447883ed52714f9d1024fe16d77c546469d55250491d0572822196de71283
  SHA512: 7e4f7a3a136d29b91a6d015720389fd29a521f9f6a88cf09fb6c406c3534c8a33d011a284d8d4ea9f2abf50b83621f48c78ac46a7a935eda161b171c5e5358fc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 120B
  MD5:    59ef7f7e63c0a9f8187f0e6a68d34791
  SHA1:   a087b8648eca68fa59e86a077eb4b118dbeb7eaf
  SHA256: c7db58bf3c1f827594de1864f46bb66ed7f23b3d35c2d2290726746214f76fd2
  SHA512: 14e21a8b8c626c5d2cf91052d39cf019dcbeff8ead01f023138ad91cfa34557e6c339e8a50e3bc306abe6a97b6148b2abae0606a7c50b64a6e7f877bdcfb96eb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 617B
  MD5:    ba9cd5da78d527711ace113ad633176a
  SHA1:   a554ecd792c561cdac8361a752cf58cdb9e57621
  SHA256: 3cb9155c66a930c2268eef502f899dbfd40214f6c917242b855cc06c5674f488
  SHA512: d64bf5341deefe35680e9248c908125649d7feed3ae73cef09526d858e103d3298cef3072f6e501e371331a813325e048518daa4af31094f009701226018824c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5:    ef05fa6ce830c17995db7985645d7216
  SHA1:   3af7f737ef1ac1099161fdc492b2e197b0c04546
  SHA256: d90db766d6e71ed225bf247ec47d0d15164dcaa99dcc80eee0fe29b84c8f62ea
  SHA512: 4443db01b04d6857793510058a89ac93e80a1d6587894c4c454bcc2c0ae791ac8484463ad192c92db8b4adf13af685c06917764630bbff45212ad9d1dc1ec837

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5:    65aeec30b4a358c55e35555609c92a32
  SHA1:   bcb1d4aafbb372cc4d6dc0b2d08edf64358f845e
  SHA256: 316466c4f67e8db7903ee7c5a586c61a88ca5f43e3ea948ba70f26e659cf49e3
  SHA512: 966f6caab9c4170d0c27ec89f667d3b7fbe01eb1796f578143206a5d8492c11749d04450faa57cdcb038d37192ad2890e3f89c8eee1f9dd8776ca611b66705d8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5:    a791c33d0b4d61950227d08ae2639114
  SHA1:   c15b0176a9c5a94a6681868243f95f91d3044725
  SHA256: c32a211209fcd99b04291021ea5de003497a3a2454e479654b986356833e1f7a
  SHA512: 0e3f2ab904e5328f85e4b0e106ad71d22ec966522c085ac7241b2e413f23f01eebfb38e3451e3e2ed63d7911ee8c028f73211af94e316e50d830512c431ab488

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5:    4c7cc13796c60f28e3c7a4f8c13e1b05
  SHA1:   c5fc4aa3d8d42813ea5cb543af247e28007bfd61
  SHA256: 8e4788ada4b94794f132a0661154b133d6160eb999781a327c60dbc2b6dc1877
  SHA512: 7efbec22fd94d740dca47caf05e20b83aaea7f7711834947e14039344c43e61bcd86c478683f26d8185c3068b484c6bd853509f89190b86aba85e966cf998d4c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5:    6752a1d65b201c13b62ea44016eb221f
  SHA1:   58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5:    6bd47281fa4373082bf4d6dd3b81970f
  SHA1:   4e45ec094fd96e24eeeccc23295423d8ef94fa79
  SHA256: 85ed5f233982a3062bda01b4a1d0ad0630dd0512a4c446d74376ae7b06d2200d
  SHA512: ead651a02d906d9cd99f3fe2df220c057d0c0b2864077a5a9d02db7d8e64e5db222b53da57a111a15713e73dc977152803e26a4f6edccf66717ebe6bf371c60c

\??\pipe\LOCAL\crashpad_220_TEHHRDGJDHKIPXEJ
  Filesize: not reported (named pipe; the hashes below are those of zero-length content)
  MD5:    d41d8cd98f00b204e9800998ecf8427e
  SHA1:   da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e