Analysis

max time kernel: 148s
max time network: 152s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64 arch:x86 image:win11-20240426-en locale:en-us os:windows11-21h2-x64 system
submitted: 30/05/2024, 01:23
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://govloginatoau.org
Resource: win11-20240426-en
General

Target: http://govloginatoau.org

Malware Config

Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
Suspicious behavior: EnumeratesProcesses 12 IoCs
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
Suspicious use of FindShellTrayWindow 25 IoCs
Suspicious use of SendNotifyMessage 12 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes

- PID 832: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://govloginatoau.org
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - PID 756: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb336a3cb8,0x7ffb336a3cc8,0x7ffb336a3cd8
  - PID 3924: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1712,17804166774870133230,5157432985206273535,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1856 /prefetch:2
  - PID 4384: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1712,17804166774870133230,5157432985206273535,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - PID 2720: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1712,17804166774870133230,5157432985206273535,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  - PID 1316: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,17804166774870133230,5157432985206273535,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
  - PID 2908: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,17804166774870133230,5157432985206273535,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
  - PID 1556: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,17804166774870133230,5157432985206273535,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
  - PID 2652: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,17804166774870133230,5157432985206273535,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1
  - PID 4836: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,17804166774870133230,5157432985206273535,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  - PID 2164: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,17804166774870133230,5157432985206273535,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  - PID 4596: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,17804166774870133230,5157432985206273535,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  - PID 1120: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,17804166774870133230,5157432985206273535,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
  - PID 3076: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,17804166774870133230,5157432985206273535,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  - PID 2648: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,17804166774870133230,5157432985206273535,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  - PID 3696: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1712,17804166774870133230,5157432985206273535,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5824 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - PID 1792: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1712,17804166774870133230,5157432985206273535,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3472 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - PID 2840: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1712,17804166774870133230,5157432985206273535,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4816 /prefetch:2
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
- PID 1792: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 896: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads