Analysis
max time kernel: 1800s
max time network: 1762s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/06/2024, 23:10
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://mega.nz/file/sus2XY6R#-j-jnA_3hHpgNb_fPR4pWL2n8yGgrP4OHjGxB9x2bJg
Resource: win10v2004-20240611-en

General
Target: https://mega.nz/file/sus2XY6R#-j-jnA_3hHpgNb_fPR4pWL2n8yGgrP4OHjGxB9x2bJg

Malware Config

Signatures
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid | Process
2328 | msedge.exe
2328 | msedge.exe
2984 | msedge.exe
2984 | msedge.exe
2228 | identity_helper.exe
2228 | identity_helper.exe
4972 | msedge.exe
4972 | msedge.exe
4972 | msedge.exe
4972 | msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid | Process
2984 | msedge.exe (all 6 rows)
Suspicious use of FindShellTrayWindow 25 IoCs
pid | Process
2984 | msedge.exe (all 25 rows)
Suspicious use of SendNotifyMessage 24 IoCs
pid | Process
2984 | msedge.exe (all 24 rows)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2984 wrote to memory of 4356 | 2984 | msedge.exe | 81 (2 rows)
PID 2984 wrote to memory of 4796 | 2984 | msedge.exe | 83 (repeated rows)
PID 2984 wrote to memory of 2328 | 2984 | msedge.exe | 84 (2 rows)
PID 2984 wrote to memory of 764 | 2984 | msedge.exe | 85 (repeated rows)
(64 rows in total across the four target PIDs)
Processes
(child processes are indented under their parent)

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/sus2XY6R#-j-jnA_3hHpgNb_fPR4pWL2n8yGgrP4OHjGxB9x2bJg
PID: 2984
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb027646f8,0x7ffb02764708,0x7ffb02764718
  PID: 4356

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,6324675429750584530,17816533175717750020,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  PID: 4796

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,6324675429750584530,17816533175717750020,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
  PID: 2328
  - Suspicious behavior: EnumeratesProcesses

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,6324675429750584530,17816533175717750020,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
  PID: 764

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6324675429750584530,17816533175717750020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  PID: 1796

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6324675429750584530,17816533175717750020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  PID: 1836

  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,6324675429750584530,17816533175717750020,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:8
  PID: 1532

  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,6324675429750584530,17816533175717750020,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:8
  PID: 2228
  - Suspicious behavior: EnumeratesProcesses

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6324675429750584530,17816533175717750020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  PID: 3104

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6324675429750584530,17816533175717750020,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  PID: 3992

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6324675429750584530,17816533175717750020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  PID: 392

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6324675429750584530,17816533175717750020,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  PID: 5052

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,6324675429750584530,17816533175717750020,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5056 /prefetch:2
  PID: 4972
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 4660

C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 5068
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
MD5: 477462b6ad8eaaf8d38f5e3a4daf17b0
SHA1: 86174e670c44767c08a39cc2a53c09c318326201
SHA256: e6bbd4933b9baa1df4bb633319174de07db176ec215e71c8568d27c5c577184d
SHA512: a0acc2ef7fd0fcf413572eeb94d1e38aa6a682195cc03d6eaaaa0bc9e5f4b2c0033da0b835f4617aebc52069d0a10b52fc31ed53c2fe7943a480b55b7481dd4e

Filesize: 152B
MD5: b704c9ca0493bd4548ac9c69dc4a4f27
SHA1: a3e5e54e630dabe55ca18a798d9f5681e0620ba7
SHA256: 2ebd5229b9dc642afba36a27c7ac12d90196b1c50985c37e94f4c17474e15411
SHA512: 69c8116fb542b344a8c55e2658078bd3e0d3564b1e4c889b072dbc99d2b070dacbc4394dedbc22a4968a8cf9448e71f69ec71ded018c1bacc0e195b3b3072d32

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 72B
MD5: 23d40172b52f6e1d2c2254274413ae81
SHA1: 77ebaac711e6522b0a0a679c8f74d69d5b84c2f3
SHA256: 87f6c387e76a0ff7f838d4f31c3037a974a1db307b7d6fc03bce228926ddb765
SHA512: dd626239cd675831664cf86e4044d0c0fc5ea17d9cc905ec530408bc6412aea9b56f69ed7f56e6b1280eb3ad2bae72046cb5c91be8bbe6c26abd433f56bd0d1d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT
Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Filesize: 188B
MD5: 008114e1a1a614b35e8a7515da0f3783
SHA1: 3c390d38126c7328a8d7e4a72d5848ac9f96549b
SHA256: 7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18
SHA512: a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Filesize: 6KB
MD5: 7649729a4e79a7ea6b0f3cc4c9fa0a87
SHA1: 86b409101f754834e4d60b065cd7a5d161fb637c
SHA256: 9bed185badfa32aff0279c30e91b7e3627a7131e3260f5f181534cbdbd1fca7d
SHA512: 2b7114ce0e3d8a336233fbce54cf09ae560fc7d85862f100b45f397c453d40341fea8d14cccdf313e4c2b85785cad15b97a5919b7f02c2b8fed5da5f0a39d31e

Filesize: 6KB
MD5: 0373f2fe3f8222e1bf45eca3b4a9e408
SHA1: 72151e260ad59a9bf7cd830db6476cf33a990a1f
SHA256: 874ccab334e49cb0a19b801ed10576bd3f926103e770bc9471847b6b8838dca8
SHA512: 0479582d3dcf8d74403a6029c4d6101253ba2d4543fdb247b9ae8d75a2ecfaf16234d086126d1843446039c146d0fa7bdc429d8c2911d11ddd6018beff3135a8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
Filesize: 41B
MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize: 72B
MD5: 94812c2934cfc168c468d1166329872b
SHA1: 783cd8df67cd56d947f2b6b0acda34f99e48030f
SHA256: d5d710531eed74db4375bf9faea9c118e8a143bca38f5f71d7790cb7508c5bfd
SHA512: ad6063d4c01073552f1bedca915710c5ba3c7d554b2144803065c250c39b26d2ee5cdbea254131ace11f154168085755516750b4679e1eb103e2d885198ceeb3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe578de8.TMP
Filesize: 48B
MD5: 11d56b22223bcb5ff78116cb793c48d9
SHA1: b55e449eee1b562279f1150007129df830143727
SHA256: 3250f73f8a285cce5d866f3842a161a92d139a172586a6533cc31f446d220c40
SHA512: 2b2eb15447467017ed677c5cbb58a14c4ed4967959626844ebca4bbcea8bf9ca4becaae5fbad60a46dd8d84aee9438a98a055f0c46bb40440d6325fd95b8343b

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 11KB
MD5: 8f54cd8d9dd79b5460bc4113b9b0cc18
SHA1: badc4280d8a4cbff7b29ca3af4ed40001de4b47e
SHA256: c9280ea8a57e99eab9eb728824820dc918d08622345b8a9a9af7bc65b15514e8
SHA512: 4da77a186033eb137e61c2aa392103fd6bec0f5450cebe82ffbfa5c09e5096fcb02ee03bef3f4b1b0eb848876580890ecaffcf19b54b015c9a3938321f0e213a