Analysis

max time kernel: 149s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 13:19

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://estudiosquironprevencion.com/RespWeb/Cuestionarios.aspx?PECO=jy2vymaj3hkege55pcsgz245
Resource: win10v2004-20240508-en

General

Target: https://estudiosquironprevencion.com/RespWeb/Cuestionarios.aspx?PECO=jy2vymaj3hkege55pcsgz245

Malware Config

Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs; repeated rows collapsed, count given)
pid | Process | count
4512 | msedge.exe | 2
1836 | msedge.exe | 2
2400 | identity_helper.exe | 2
4184 | msedge.exe | 4

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs; repeated rows collapsed)
pid | Process | count
1836 | msedge.exe | 6

Suspicious use of FindShellTrayWindow (25 IoCs; repeated rows collapsed)
pid | Process | count
1836 | msedge.exe | 25

Suspicious use of SendNotifyMessage (24 IoCs; repeated rows collapsed)
pid | Process | count
1836 | msedge.exe | 24

Suspicious use of WriteProcessMemory (64 IoCs; repeated rows collapsed, the 2904 and 1032 targets account for most of the 64 entries)
description | pid | Process | procid_target
PID 1836 wrote to memory of 4548 | 1836 | msedge.exe | 83
PID 1836 wrote to memory of 2904 | 1836 | msedge.exe | 84
PID 1836 wrote to memory of 4512 | 1836 | msedge.exe | 85
PID 1836 wrote to memory of 1032 | 1836 | msedge.exe | 86
Processes

(Child processes are indented under their parent.)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1836)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://estudiosquironprevencion.com/RespWeb/Cuestionarios.aspx?PECO=jy2vymaj3hkege55pcsgz245
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4548)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff488146f8,0x7fff48814708,0x7fff48814718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2904)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,9652552754522034681,8236422838492192445,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4512)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,9652552754522034681,8236422838492192445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
      Signatures:
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1032)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,9652552754522034681,8236422838492192445,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1300)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9652552754522034681,8236422838492192445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3576)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9652552754522034681,8236422838492192445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1304)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,9652552754522034681,8236422838492192445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 2400)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,9652552754522034681,8236422838492192445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
      Signatures:
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1944)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9652552754522034681,8236422838492192445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1508)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9652552754522034681,8236422838492192445,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1332)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9652552754522034681,8236422838492192445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2992)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9652552754522034681,8236422838492192445,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4184)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,9652552754522034681,8236422838492192445,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2756 /prefetch:2
      Signatures:
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe (PID 4560)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (PID 4824)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 152B
MD5: f61fa5143fe872d1d8f1e9f8dc6544f9
SHA1: df44bab94d7388fb38c63085ec4db80cfc5eb009
SHA256: 284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64
SHA512: 971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

Filesize: 152B
MD5: 87f7abeb82600e1e640b843ad50fe0a1
SHA1: 045bbada3f23fc59941bf7d0210fb160cb78ae87
SHA256: b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262
SHA512: ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

Path: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 432B
MD5: 14e051e40922a337fe06db193ae50df2
SHA1: bed8f7f80ccd7370eca5bfd66716146b6df59ef3
SHA256: 821afb9442f717234028ff3710b3d8c8923432164c52eae3a9cffab852874a48
SHA512: 7194416af7d8a552d896129e3f3d224971a2b9987440e9408946e42180908d3af24151d729b8ecc9bb99503effb6f5866b28d588109e28470e10cc2e02dd9905

Filesize: 933B
MD5: d753bdc248ed4dfbb7b1225e8620d817
SHA1: 03f15e509244663f475e00592e1ff4ed0042774f
SHA256: 9eaa1d2418288e23c87460ec469a97bd749fa568144e62e4e95fd403d2d7585a
SHA512: 025bd180f428b978b778fca6f14682a4e7add3c307137dd5aba93bce3b77a2a1478449297d94be31feeccfa9f7ac361f762d7499f82df0b644092aed9cc1256c

Filesize: 964B
MD5: d27628405e14a14ffaefc962c6825a74
SHA1: 424d7390b5e6a440c69cd9bbf93b09421d54ddc7
SHA256: 155254f918b584b6ed60c5a32a8dcbeba076f5b2533cf688c6d7b3f266e3fba9
SHA512: dd4258f539a90c220381cd2487a36ec27b8471da3ad617132d1450928511219122e002e084ea30996724bfbf87b187620e1ef3a9f8d0d4c0c0ece3599f8b5075

Filesize: 5KB
MD5: c2e3d8b5f9f121cf6e4b2792d3b1b36b
SHA1: f95d611f7f249a75d0162cac08a8d352a155fd62
SHA256: 53654c630cd57051bf95419aa88f97f6276d822b70bc118785d31d59fc610e5a
SHA512: f5b179a35303a6a423dd72fec5eb7d2881dccf84f666555b98493cd3faebf39772ad2e15761f65caaf6e489c2e96a4f8c0c60329c662980f3882222ae5ec714c

Filesize: 6KB
MD5: 7805d5e9a796196831c38acd6dc2d892
SHA1: fb98636b59eec2ce78fd8d28eab00164ade25370
SHA256: 6823ba754e14691653b5bbc1a7f858b3e9af5d7a93990a17944443b7ec724089
SHA512: 2a7be43a36671fe00d506fc55dec6e6b1b010f9660d5115aa674dc9941b326bf081393a356f120dd95356e8fb5034256823a93c44246e2cf3272ac4e102e855f

Filesize: 370B
MD5: d4d2d760194b8d01e3f290f8a02fcc53
SHA1: b8f02bd24daf1790cf6f47b5cc9bd9ef43b0cb0e
SHA256: 2572206e5771ff779d2fc97874132070590c908930a75e3740322cfa189d724a
SHA512: 6676d64b5ca16718b41e0f403f106e6f01ef63da16b010eab47ec90baf28ad56a32b055010e94567082d6b1f0836647df60f41ec2cffd1668370b6bc4a1bb726

Filesize: 370B
MD5: 192b762a8e9c34a0285f3b86ac425ffe
SHA1: 28f6e27834b0c2647a603fd1ebfa866d0d3ca5eb
SHA256: 2d18a403199598bf613812bc1274231bb236ac7558d5a808460333505e898228
SHA512: 707da03b13f22cbd60d599571b88dccb6627ad03765b9e8578b2d3b56876e6991fb759e156a6dcbea52c7b55a71a258f3de4fc664f60d6a877dd72ec81699130

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 11KB
MD5: bb9f36ed743755bb2eb51745e0980f16
SHA1: 06df7ead34cae4205ab043a5d7aceefa173152ad
SHA256: ed1b9881b6654d40e4214c7541c274737415114afa9a7fb953180a8d11db8632
SHA512: 48065503d90fc171573c2040d49a7338e732ebab6c569948a0aa9b6968b195c6954095251af48b6968da5af8ba9c4d7d07caa949b894ab04f37bf9820916a8e3