Analysis
-
max time kernel
145s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
29-05-2024 06:54
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://securemailcenter.citigroup.com/recoverPsk.html?pskId=1466529&enterprise=citi&[email protected]&locale=ro_RO
Resource
win10v2004-20240426-en
General
-
Target
https://securemailcenter.citigroup.com/recoverPsk.html?pskId=1466529&enterprise=citi&[email protected]&locale=ro_RO
Malware Config
Signatures
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 2876 msedge.exe 2876 msedge.exe 3820 msedge.exe 3820 msedge.exe 4800 identity_helper.exe 4800 identity_helper.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid Process 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe 3820 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3820 wrote to memory of 3800 3820 msedge.exe 82 PID 3820 wrote to memory of 3800 3820 msedge.exe 82 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 712 3820 msedge.exe 83 PID 3820 wrote to memory of 2876 3820 msedge.exe 84 PID 3820 wrote to memory of 2876 3820 msedge.exe 84 PID 3820 wrote to memory of 3336 3820 msedge.exe 85 PID 3820 wrote to memory of 3336 3820 msedge.exe 85 PID 3820 wrote to memory of 3336 3820 msedge.exe 85 PID 3820 wrote to memory of 3336 3820 msedge.exe 85 PID 3820 wrote to memory of 3336 3820 msedge.exe 85 PID 3820 wrote to memory of 3336 3820 msedge.exe 85 PID 3820 wrote to memory of 3336 3820 msedge.exe 85 PID 3820 wrote to memory of 3336 3820 msedge.exe 85 PID 3820 wrote to memory of 3336 3820 msedge.exe 85 PID 3820 wrote to memory of 3336 3820 msedge.exe 85 PID 3820 wrote to memory of 3336 3820 msedge.exe 85 PID 3820 wrote to memory of 3336 3820 msedge.exe 85 PID 3820 wrote to memory of 3336 3820 msedge.exe 85 PID 3820 wrote to memory of 3336 3820 msedge.exe 85 PID 3820 wrote to memory of 3336 3820 msedge.exe 85 PID 3820 wrote to memory of 3336 3820 msedge.exe 85 PID 3820 wrote to memory of 3336 3820 msedge.exe 85 PID 3820 wrote to memory of 3336 3820 msedge.exe 85 PID 3820 wrote to memory of 3336 3820 msedge.exe 85 PID 3820 wrote to memory of 3336 3820 msedge.exe 85
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://securemailcenter.citigroup.com/recoverPsk.html?pskId=1466529&enterprise=citi&[email protected]&locale=ro_RO1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3820 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ff968ca46f8,0x7ff968ca4708,0x7ff968ca47182⤵PID:3800
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,6281400818749977324,8613316006620827657,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:22⤵PID:712
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,6281400818749977324,8613316006620827657,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:2876
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,6281400818749977324,8613316006620827657,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:82⤵PID:3336
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,6281400818749977324,8613316006620827657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:12⤵PID:3792
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,6281400818749977324,8613316006620827657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:12⤵PID:4436
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,6281400818749977324,8613316006620827657,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:82⤵PID:3012
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,6281400818749977324,8613316006620827657,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4800
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,6281400818749977324,8613316006620827657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:12⤵PID:2912
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,6281400818749977324,8613316006620827657,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:12⤵PID:4824
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,6281400818749977324,8613316006620827657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:12⤵PID:2032
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,6281400818749977324,8613316006620827657,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:12⤵PID:3028
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,6281400818749977324,8613316006620827657,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5416 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:1960
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5044
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1552
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD54f7152bc5a1a715ef481e37d1c791959
SHA1c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7
SHA256704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc
SHA5122e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c
-
Filesize
152B
MD5ea98e583ad99df195d29aa066204ab56
SHA1f89398664af0179641aa0138b337097b617cb2db
SHA256a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6
SHA512e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize192B
MD526a585cdee4b35c64a58df97afbec52b
SHA13ee6b9d3354645a520a249b2096479c57ca4ae3b
SHA2562e6fb811deb04b580d1600dbf010e381e95aef77a0e351b8151e53f8bb3b2f53
SHA512268589c2dfe983b35f9f903266ef228ef856f521d05d8c361f156c5da0f5c373be363d8ca27917a56ce44f765ef23622ace3a0a15f95a488a37ee1e9795dc957
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize240B
MD5093b5f9377127cd79e6e9e10cfc131a3
SHA1dbcd8391343f0eb8875e9ca7263d76737c596e8d
SHA256a73340dfd763a513bb438bd5f04685bdb88af7ce3bcc1769fcc229123e78dbcc
SHA51212e0a3bd49e1266356c65ad2881d6d1d0bc82799a5bff0e7686f328cf8537c423be226e2e941b9a1a0d43216ae7ef358ca129315bd27a35124d10ad56e59622d
-
Filesize
5KB
MD5e12f872076b2c4f265b6682d8c632959
SHA17367f9d65d09479f8fa0033eeacf573b2d8c6014
SHA256858b94c7ee8434d46919efdcdf810a03bf363c79f4cfcf576f8426ce99709087
SHA51243f914ce04f9d270c93984601fe87afaf18c067dfc321cf8c54c45a7a626a061facf0ed67ac690b7ebcaeed5a4de7b18c7c77b0d1813ee0898874256631eb785
-
Filesize
6KB
MD57404769657b0c3500dd4a340bbb5fff4
SHA187b1cb1f26f459680582907bc734f32ee9453af4
SHA256e94d4f5a9b9604239e4ddcac5bf55a6850d5e699c56dd5841efdef05324ba7c6
SHA512f0576d1419b63896aa2d4a396d0e57e8f374186f9083a1d710f7e647c778571a0e45aabd99c6e9f2cc14d073069ffa03cc0690a8f28d0f95d662bce5bba3d486
-
Filesize
6KB
MD57e47df46a5905cf27cfcd8da608f514f
SHA1fc514d491b6c3f2ddef95d171fac01cb4844814c
SHA256737150c7f5bffe2c102a4feceb062d5d6bc05192eabed330188f24145c88b607
SHA5125bb767feb4e98e2a5a8077f05309c86d46d1db0f3ccc55dc3f23183ab7e3397d5eca9985084d784c8425e9453e22ee5297374693fcd775bb8b283b880cab4c3d
-
Filesize
203B
MD5859958cc21fde98cdeb8034b318ec978
SHA194fc431c5dff80bab89100ab113ba25a3a0fccab
SHA256910eacccbfd359d5e49db810a079a181f1b541f7072399b1aa682b7dda4020bc
SHA512f057477471778e9db3f4276e2b7a7facd17880715c1e16c355bdb74102c0613dde32ffad1b48920534439ed2a261aa3c1428aae69f098de12924090c7116caf2
-
Filesize
203B
MD58887391aaaaa9093b8c8e3978d6285da
SHA148acade080a2a34d17a24d4bbff730d219843dc7
SHA2567db9b4fa13297461e4393ef30f8c8a28b8d918f78d54e52171d9119712407d91
SHA512b53b22d7f527df8f9cbbb3d46523dd9567e90f9853e362b28d5c19ddcd13e744bc02d3605d43845c638197832e6d88c002da28368445de52db07bee19f265e6e
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5ac161a760643a01ece7b6fdcade23380
SHA10c517c250ea74d28c2981fefa10b70c24a206da9
SHA256ebb2d8074cc9e3aa5f4e02dc2abe2324bcbf9e3d6b7c23ac3b10eb2ee33ab224
SHA512725151833520b8e557a7830606a11c8f1f809ed45e2c0a4d246987c98fa171a867a3a7a6b322c00875ab2c261af09e99a69199281618de875ef3c9a5e58389de
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84