Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/06/2024, 08:00
- Static task: static1
- Behavioral task: behavioral1
  - Sample: ATT31845 (jangan dibuka).html
  - Resource: win10v2004-20240508-en
General
- Target: ATT31845 (jangan dibuka).html
- Size: 435B
- MD5: 438b34707dcc4fa8807eced7a6f65a3b
- SHA1: 323f850c06b26af04192c0ed1c94be2c3070753d
- SHA256: 3df6a64d9c9704d3df8a19e565a52bb1af2eb882c2c043e6dca2be9d61d99550
- SHA512: 408c25d4074a261ca5206ab4973e08d04e59db20844278973445c008d4baa4c892db8c1567637ebe1e2fbc3f3fe85f5e6a49dd480155f8f00a7e39db946a911b
Malware Config
Signatures
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow  ioc
  25    href.li
  26    href.li
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  75    ipapi.co
  76    ipapi.co
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                     Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                      msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName    msedge.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid   Process     count
  2008  msedge.exe  2
  1408  msedge.exe  2
  3244  msedge.exe  4
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  pid   Process     count
  1408  msedge.exe  6
- Suspicious use of FindShellTrayWindow (25 IoCs)
  pid   Process     count
  1408  msedge.exe  25
- Suspicious use of SendNotifyMessage (24 IoCs)
  pid   Process     count
  1408  msedge.exe  24
- Suspicious use of WriteProcessMemory (64 IoCs; identical entries shown once)
  description                       pid   Process     procid_target
  PID 1408 wrote to memory of 380   1408  msedge.exe  82
  PID 1408 wrote to memory of 792   1408  msedge.exe  83
  PID 1408 wrote to memory of 2008  1408  msedge.exe  84
  PID 1408 wrote to memory of 1176  1408  msedge.exe  85
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1408)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\ATT31845 (jangan dibuka).html
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 380)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb263f46f8,0x7ffb263f4708,0x7ffb263f4718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 792)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,11159109407416668952,14306157444365450312,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2008)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,11159109407416668952,14306157444365450312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1476 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1176)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,11159109407416668952,14306157444365450312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2848)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11159109407416668952,14306157444365450312,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3468)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11159109407416668952,14306157444365450312,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 396)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11159109407416668952,14306157444365450312,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 912)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11159109407416668952,14306157444365450312,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3736)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11159109407416668952,14306157444365450312,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4980)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11159109407416668952,14306157444365450312,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3244)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,11159109407416668952,14306157444365450312,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2556 /prefetch:2
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe (PID 2448)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 2252)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index (264B)