hxxps://zanycards[.]glitch[.]me/

Resubmissions

30/05/2024, 16:14

240530-tpzm9sfb28 1

Analysis

max time kernel
67s
max time network
67s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://zanycards.glitch.me/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1084	msedge.exe
1084	msedge.exe
4244	msedge.exe
4244	msedge.exe
988	identity_helper.exe
988	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 5048	4244	msedge.exe	82
PID 4244 wrote to memory of 5048	4244	msedge.exe	82
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1596	4244	msedge.exe	83
PID 4244 wrote to memory of 1084	4244	msedge.exe	84
PID 4244 wrote to memory of 1084	4244	msedge.exe	84
PID 4244 wrote to memory of 5032	4244	msedge.exe	85
PID 4244 wrote to memory of 5032	4244	msedge.exe	85
PID 4244 wrote to memory of 5032	4244	msedge.exe	85
PID 4244 wrote to memory of 5032	4244	msedge.exe	85
PID 4244 wrote to memory of 5032	4244	msedge.exe	85
PID 4244 wrote to memory of 5032	4244	msedge.exe	85
PID 4244 wrote to memory of 5032	4244	msedge.exe	85
PID 4244 wrote to memory of 5032	4244	msedge.exe	85
PID 4244 wrote to memory of 5032	4244	msedge.exe	85
PID 4244 wrote to memory of 5032	4244	msedge.exe	85
PID 4244 wrote to memory of 5032	4244	msedge.exe	85
PID 4244 wrote to memory of 5032	4244	msedge.exe	85
PID 4244 wrote to memory of 5032	4244	msedge.exe	85
PID 4244 wrote to memory of 5032	4244	msedge.exe	85
PID 4244 wrote to memory of 5032	4244	msedge.exe	85
PID 4244 wrote to memory of 5032	4244	msedge.exe	85
PID 4244 wrote to memory of 5032	4244	msedge.exe	85
PID 4244 wrote to memory of 5032	4244	msedge.exe	85
PID 4244 wrote to memory of 5032	4244	msedge.exe	85
PID 4244 wrote to memory of 5032	4244	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://zanycards.glitch.me/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8699846f8,0x7ff869984708,0x7ff869984718
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,6377087236660663678,3558582217677902046,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,6377087236660663678,3558582217677902046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,6377087236660663678,3558582217677902046,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6377087236660663678,3558582217677902046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6377087236660663678,3558582217677902046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,6377087236660663678,3558582217677902046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 /prefetch:8
  2⤵
  PID:636
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,6377087236660663678,3558582217677902046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6377087236660663678,3558582217677902046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6377087236660663678,3558582217677902046,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:3040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6377087236660663678,3558582217677902046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:3424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6377087236660663678,3558582217677902046,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6377087236660663678,3558582217677902046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
  2⤵
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,6377087236660663678,3558582217677902046,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1844 /prefetch:8
  2⤵
  PID:1648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3612

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
90f5bfd58f5632576dc3f20ecdc87f22

SHA1
a4e64fd6ac8a172fc63e394c901e74ecea14582e

SHA256
b5bbd09963344f01a9d3ce291d2567abe84929647d07086cb0a436f33d7c676e

SHA512
7211be898d5016a1447cfbde11622f164fe0c1098b739346980dcbb165c8ab27c11215e071cd96f27f1bdfd6a31a1905021d4a35e8800e5f12fe9cb126c154fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
beb6e83e18c017040c74107c84ae7d37

SHA1
03efa376865083a83591c36d38f942db4b5415a2

SHA256
381e43132008f346d0afd534fb6371ef27277b82437b3a12581cc160df0d0990

SHA512
509d42eec0725fe41fa72604d25116feb01545dcbf8eb391d14b3bec715d8678e98e67bfa9b3f33441f7783c46746e26bd12d10aa0f5b03b199443c99ed24072

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
897cbd463f3b0fec7052b7a0a21028df

SHA1
29b09b374a2c05ec032b84ea5b6027fbd9bf3ee1

SHA256
01817b320e60340098e5208f83be3ce4bff9cacd6bf2b3543dd1e6a9b7678c56

SHA512
c7f29632d5668ed663c7b98d2a5395d8c927fec88f6627b35b3b33dd639df2e1ab5344aca153100466267f9b54bf36c8dc51908eda76f3d911a8e2fcc9ac3519

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6136cbf18dc2180b249f97ad2a285234

SHA1
b6e4ce5dfffb85855639e3abd4d66ee47dca58ca

SHA256
0be312790166b9c33a4ec19e3b47f40be508f86cec6328983808a732e99de8e1

SHA512
aa5a7f31f5b3a34fa86a8c354f000dedbae0e958b5a767e985eef0cc9751bc0937254fa877a6fd823ce1937daab76fc6db610444b48b79a01e5a66b0b6a4b1af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1732d4436e07165d0dfc2a810d39347e

SHA1
31623ec42d2a7d281afb9fdb3135407d52513114

SHA256
9215322c5f3873b1e6e7dbb9be3f14cbb5cf1ff39ff3949c96010dcbbef072df

SHA512
f4ad9eea10da49af727ac6ad66b5e438fdd9800c7919e91c2edc3aeeb9bf5dd9a36ca989d248847f79729642a1abe80a71cdd1746647085596ffead53c3b2bbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
704B

MD5
2d2fb140b36adc07f376b1bbac3f44c6

SHA1
cfc04d03a14b4ed65e3871026c9dffd3f989aeb3

SHA256
538b9c66683f58e19f34fc5dfb2ab0f29afaff1ab226ad27b6f4d087c2dd7a72

SHA512
0e87d3a7b214363bb74ba7e045f9f0c7164067de4e778d453f54dba12600e694ba55f3e90373ef13bd32a7c3335bc27b8be1d89e3cb312c495fb92fd1e44d948

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d7a56a9b53702df615ecd0fb65a88dfd

SHA1
2e48dd7e2f71f8787ca24aefc54b23a79318234b

SHA256
fd4c71a5d169c5e2b81642935d36ba9f4b03b4ecbd878648067c4d303efb0df6

SHA512
09a2959434a33f36fa3629e4dadf4678bd06243174f3e44421fca1fa92f7d4eb6c74678a8286b0f49d17fffbf937733828595ac50d34d30cc91e3e990836c2ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8cc9dcdffd05be5c51cdb9104d008429

SHA1
a7422c59e589f485a7a62dab433bf393177905be

SHA256
cafc3e467c9c1af9695b8d7f679b29c921d1ac31b9c38cf9f38cb85b3af4eb1b

SHA512
c8137183b86be2bfb03626d216113b8283c9e3f80f0885fc3b39fcad6472486babd523682ddc05b8a9ab9f588c5c7bd519110b7ea03767e8f20005b0593b5e0b

Download Submit