Analysis

max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-06-2024 14:21

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://nc-card50.ru/50
Resource: win10v2004-20240508-en

General

Target: https://nc-card50.ru/50
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
  description         ioc                                                                    process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes: msedge.exe, msedge.exe, identity_helper.exe, msedge.exe
  pid    process              entries
  1572   msedge.exe           x2
  2976   msedge.exe           x2
  4256   identity_helper.exe  x2
  4544   msedge.exe           x4

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
Processes: msedge.exe
  pid    process     entries
  2976   msedge.exe  x6

Suspicious use of FindShellTrayWindow (25 IoCs)
Processes: msedge.exe
  pid    process     entries
  2976   msedge.exe  x25

Suspicious use of SendNotifyMessage (24 IoCs)
Processes: msedge.exe
  pid    process     entries
  2976   msedge.exe  x24

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: msedge.exe
  description                        pid    process     target process  entries
  PID 2976 wrote to memory of 2796   2976   msedge.exe  msedge.exe      x2
  PID 2976 wrote to memory of 1516   2976   msedge.exe  msedge.exe      repeated
  PID 2976 wrote to memory of 1572   2976   msedge.exe  msedge.exe      x2
  PID 2976 wrote to memory of 1828   2976   msedge.exe  msedge.exe      repeated
  (identical rows collapsed; 64 entries in total)
Processes
(indentation shows the parent/child relationship)

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://nc-card50.ru/50
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff76e346f8,0x7fff76e34708,0x7fff76e34718

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,2282192954816631826,318419266663602035,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,2282192954816631826,318419266663602035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,2282192954816631826,318419266663602035,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2282192954816631826,318419266663602035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2282192954816631826,318419266663602035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1

    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,2282192954816631826,318419266663602035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8

    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,2282192954816631826,318419266663602035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2282192954816631826,318419266663602035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2282192954816631826,318419266663602035,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2282192954816631826,318419266663602035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2282192954816631826,318419266663602035,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,2282192954816631826,318419266663602035,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4892 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: a8e767fd33edd97d306efb6905f93252
  SHA1: a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
  SHA256: c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
  SHA512: 07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 439b5e04ca18c7fb02cf406e6eb24167
  SHA1: e0c5bb6216903934726e3570b7d63295b9d28987
  SHA256: 247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
  SHA512: d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 120B
  MD5: 872d788b654d93acc188dae9e6f0e07f
  SHA1: 723a36fa19b4ef3d0cfa729cff4aec78df4b7fd6
  SHA256: 0786868d1c53cb957f522937e75a9895679bcab8382b6731849904b8b75abc27
  SHA512: bc2d4c77f46b0e7f9bab9a9b11a4c2e6748871d2a187b65229c5f214d747699fc1887987cc2ea1cf34c94ef952c851f7a9736576c6d423e201f09818e1580617

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 331B
  MD5: 7fbaddf6475416842b901760c16e9ca6
  SHA1: 6283af713d7d3a256994d7c9743de6fed0056514
  SHA256: 18a21fd507c95d825167de0e2a88ec60bd17dff72410b18d8bff2d4626cdc49c
  SHA512: 2588ae3cd828652a0d96395a2f9362b13d646661d66915f82164acc4bd1817d2a771acaace9c450755bc3dfa8ae6528153e0242d8b5ff3424b627945bee8345a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: 9889688437b4c4ccc45b2a8c52fa2cda
  SHA1: 1cf131dea633b28e7be956d92ce51aa780097d50
  SHA256: e52395efdacc9dea3f5121ccf657ae1fbdffdeee6311859fb133983947297b97
  SHA512: 5313bd56db28a09152bf43f86164d49098345da4a92ca28ef0989f7857e7f6004aa18f5535e62268bd1a41fff5ae7850898ebbf3b56176b5f648df9b667aab05

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 99cc9270763658b7e55239ea67c34a3f
  SHA1: bd2a3b8ab19b7335d584151ba9a36959ab58da1d
  SHA256: 6b30d86fb31922e30200912f1fe034188f7a8b3cd21ee35bc96e03bfa1a7e760
  SHA512: 8f8a4f248d3c8368ae60d1bae72f6183c926b1699265cb7b29fc0617eacf1760e2b55d45ace1c364d98419196f3bfbbd7af00c8c507fe1a25434ca260d860be1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 10KB
  MD5: 840b7e1a9b3a4499fe830f84224d8cf7
  SHA1: 370dd6068e987fd6e93a541637ea3c425b9f4eca
  SHA256: c8c25fb1517fd02a821b60c23497dbed477b785ed4d7a801a1f65ee020ff3fbb
  SHA512: 0922ff4dd8d32341d02857e7271c1cf8a17e27e5a1645498fb0d55a56dff0db58abe1a08cab27c7780d2c2f2dae6f1019a3b4f1bdc18e4c20f2b618c2451ffb2

\??\pipe\LOCAL\crashpad_2976_UOGDCKWEERATFTOH
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e