Analysis
max time kernel: 52s
max time network: 53s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/06/2024, 02:44
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://patramovip.com/en/movie/1062807/spy-x-family-code-white?artstation
Resource: win10v2004-20240508-en
General
Target: https://patramovip.com/en/movie/1062807/spy-x-family-code-white?artstation
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
description        ioc                                                                         Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid   Process
4656  msedge.exe
4656  msedge.exe
3000  msedge.exe
3000  msedge.exe
3480  identity_helper.exe
3480  identity_helper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
pid   Process
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
Suspicious use of FindShellTrayWindow (26 IoCs)
pid   Process
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
Suspicious use of SendNotifyMessage (24 IoCs)
pid   Process
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
3000  msedge.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description                       pid   Process     procid_target
PID 3000 wrote to memory of 1700  3000  msedge.exe  81
PID 3000 wrote to memory of 1700  3000  msedge.exe  81
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4272  3000  msedge.exe  82
PID 3000 wrote to memory of 4656  3000  msedge.exe  83
PID 3000 wrote to memory of 4656  3000  msedge.exe  83
PID 3000 wrote to memory of 4548  3000  msedge.exe  84
PID 3000 wrote to memory of 4548  3000  msedge.exe  84
PID 3000 wrote to memory of 4548  3000  msedge.exe  84
PID 3000 wrote to memory of 4548  3000  msedge.exe  84
PID 3000 wrote to memory of 4548  3000  msedge.exe  84
PID 3000 wrote to memory of 4548  3000  msedge.exe  84
PID 3000 wrote to memory of 4548  3000  msedge.exe  84
PID 3000 wrote to memory of 4548  3000  msedge.exe  84
PID 3000 wrote to memory of 4548  3000  msedge.exe  84
PID 3000 wrote to memory of 4548  3000  msedge.exe  84
PID 3000 wrote to memory of 4548  3000  msedge.exe  84
PID 3000 wrote to memory of 4548  3000  msedge.exe  84
PID 3000 wrote to memory of 4548  3000  msedge.exe  84
PID 3000 wrote to memory of 4548  3000  msedge.exe  84
PID 3000 wrote to memory of 4548  3000  msedge.exe  84
PID 3000 wrote to memory of 4548  3000  msedge.exe  84
PID 3000 wrote to memory of 4548  3000  msedge.exe  84
PID 3000 wrote to memory of 4548  3000  msedge.exe  84
PID 3000 wrote to memory of 4548  3000  msedge.exe  84
PID 3000 wrote to memory of 4548  3000  msedge.exe  84
Processes

- msedge.exe (PID 3000, level 1)
  Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://patramovip.com/en/movie/1062807/spy-x-family-code-white?artstation
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

- msedge.exe (PID 1700, level 2)
  Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef94246f8,0x7ffef9424708,0x7ffef9424718

- msedge.exe (PID 4272, level 2)
  Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,6364489545424771521,2866962339630402831,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2

- msedge.exe (PID 4656, level 2)
  Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,6364489545424771521,2866962339630402831,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
  Signatures:
  - Suspicious behavior: EnumeratesProcesses

- msedge.exe (PID 4548, level 2)
  Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,6364489545424771521,2866962339630402831,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8

- msedge.exe (PID 2012, level 2)
  Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,6364489545424771521,2866962339630402831,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1

- msedge.exe (PID 2104, level 2)
  Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,6364489545424771521,2866962339630402831,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1

- identity_helper.exe (PID 4216, level 2)
  Path: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,6364489545424771521,2866962339630402831,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 /prefetch:8

- identity_helper.exe (PID 3480, level 2)
  Path: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,6364489545424771521,2866962339630402831,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 /prefetch:8
  Signatures:
  - Suspicious behavior: EnumeratesProcesses

- msedge.exe (PID 3840, level 2)
  Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,6364489545424771521,2866962339630402831,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2260 /prefetch:1

- msedge.exe (PID 1676, level 2)
  Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,6364489545424771521,2866962339630402831,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:1

- msedge.exe (PID 3644, level 2)
  Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,6364489545424771521,2866962339630402831,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2916 /prefetch:1

- msedge.exe (PID 2060, level 2)
  Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,6364489545424771521,2866962339630402831,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2300 /prefetch:1

- msedge.exe (PID 2488, level 2)
  Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,6364489545424771521,2866962339630402831,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1

- msedge.exe (PID 2376, level 2)
  Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,6364489545424771521,2866962339630402831,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:1

- msedge.exe (PID 4628, level 2)
  Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,6364489545424771521,2866962339630402831,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1

- CompPkgSrv.exe (PID 1868, level 1)
  Path: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- CompPkgSrv.exe (PID 3644, level 1)
  Path: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads