Analysis
max time kernel: 145s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 17:39
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://crystalbynature.com
Resource: win10v2004-20240611-en
General
Target: http://crystalbynature.com
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
Description / IOC / process:
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes: msedge.exe, msedge.exe, identity_helper.exe, msedge.exe
PID / process:
- 1052 msedge.exe (2 entries)
- 212 msedge.exe (2 entries)
- 3308 identity_helper.exe (2 entries)
- 2300 msedge.exe (4 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
Processes: msedge.exe
PID / process:
- 212 msedge.exe (7 entries)
Suspicious use of FindShellTrayWindow (25 IoCs)
Processes: msedge.exe
PID / process:
- 212 msedge.exe (25 entries)
Suspicious use of SendNotifyMessage (24 IoCs)
Processes: msedge.exe
PID / process:
- 212 msedge.exe (24 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: msedge.exe
Description / PID / process / target process (64 entries in the report; each distinct row below is repeated several times):
- PID 212 wrote to memory of 1292: msedge.exe -> msedge.exe
- PID 212 wrote to memory of 2640: msedge.exe -> msedge.exe
- PID 212 wrote to memory of 1052: msedge.exe -> msedge.exe
- PID 212 wrote to memory of 2172: msedge.exe -> msedge.exe
Processes
- PID 212: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://crystalbynature.com
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Children:
  - PID 1292: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcfd7b46f8,0x7ffcfd7b4708,0x7ffcfd7b4718
  - PID 2640: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,1297917537895800037,12901402547103076485,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2004 /prefetch:2
  - PID 1052: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,1297917537895800037,12901402547103076485,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - PID 2172: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,1297917537895800037,12901402547103076485,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  - PID 1812: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1297917537895800037,12901402547103076485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  - PID 1736: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1297917537895800037,12901402547103076485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  - PID 1720: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1297917537895800037,12901402547103076485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  - PID 3916: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,1297917537895800037,12901402547103076485,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4756 /prefetch:8
  - PID 3308: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,1297917537895800037,12901402547103076485,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4756 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - PID 2984: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1297917537895800037,12901402547103076485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  - PID 3624: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1297917537895800037,12901402547103076485,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  - PID 2776: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1297917537895800037,12901402547103076485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  - PID 2152: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1297917537895800037,12901402547103076485,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  - PID 2300: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,1297917537895800037,12901402547103076485,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4864 /prefetch:2
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
- PID 1436: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 1916: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: dabfafd78687947a9de64dd5b776d25f
  SHA1: 16084c74980dbad713f9d332091985808b436dea
  SHA256: c7658f407cbe799282ef202e78319e489ed4e48e23f6d056b505bc0d73e34201
  SHA512: dae1de5245cd9b72117c430250aa2029eb8df1b85dc414ac50152d8eba4d100bcf0320ac18446f865dc96949f8b06a5b9e7a0c84f9c1b0eada318e80f99f9d2b
- Filesize: 152B
  MD5: c39b3aa574c0c938c80eb263bb450311
  SHA1: f4d11275b63f4f906be7a55ec6ca050c62c18c88
  SHA256: 66f8d413a30451055d4b6fa40e007197a4bb93a66a28ca4112967ec417ffab6c
  SHA512: eeca2e21cd4d66835beb9812e26344c8695584253af397b06f378536ca797c3906a670ed239631729c96ebb93acfb16327cf58d517e83fb8923881c5fdb6d232
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 216B
  MD5: 1e3593e259ae67e08a7df5201cce49bb
  SHA1: 6351dba80c97092dbf000bc7b26a98cee0772157
  SHA256: aeef54f5ba0ecb50cb971fd7443422dedef0ac6b3f3bf172f540bb670ec3062c
  SHA512: c78b8f1041446d3dc34d118ea19d14f28e34f99102cc3423f81562f449a5eb633e42cafbb2554313b4b1ae169fe255b4df84fa5c7521a32b40e0f4d356ea247e
- Filesize: 111B
  MD5: 285252a2f6327d41eab203dc2f402c67
  SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
- Filesize: 730B
  MD5: 6738668939d0854054bf9243cc86251b
  SHA1: bbf5a12461e47b26a1c3ebafc9edf530224c4a2b
  SHA256: 3efe385102c6be4f6a13987bbf97c0b1bc24aef72d8a55a2900281c12c4d7893
  SHA512: 85012915fb1b4a2296ea1f0f8f287a196139ea3619504efc3233c8dd97d8f6080724309d755da4fcfb112697a8168aa212d45d4cc8a9048251a717e9829bc62c
- Filesize: 6KB
  MD5: a9c6c14a9355619fa4849edf04ef545a
  SHA1: 669b130aa6c0ff2251708b3c7b279c52796899dc
  SHA256: cd87aaea18031422c4bec4e8f96f9461b175740f1a9eb7761727826cdce06bd1
  SHA512: e16bfea20e1ced705b4cdbb00d6502cede42b1e6885e21cedb14b5cc0c779bad6826b76e3f9accc8e4dcd4b37213332f430f8fdee7826ee5f735aaf21877ee2e
- Filesize: 6KB
  MD5: 04cb167159a657cb2620b9412dc8073b
  SHA1: 19b84f59f0104e94c5a83a1f0b6375142e03c004
  SHA256: 58b5e6b06831a72c92ab6c7d2f1f4a31fc38edfa7ba0409b8406c24e2b5fc909
  SHA512: fae85aad65b3b6e515d8e8144de070183a06c95c26afbdfad617e6c14703250e9e2baccd0b1bb1392221457720d3438797c195f670d7f6c2e45fcd7c709aa637
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 11KB
  MD5: 23c9f9341dd2bca82daf69169f1ed5a0
  SHA1: a4f6b59b622be013182bf8d998a5f45e0fd6d6b2
  SHA256: 20be6ee994118972d5c4f6dfb7e275f97387683e69e7be2e3badf69deb514195
  SHA512: 6649fe1dfd0112db3712567a45888ec46563ab51453b2cba6ea87a4dbcb0242b3468d7c38fef64978d24052530ef32b3035c407fdf41cbc3bad4a8fa26896bb8
- Filesize: not recorded (the digests below are those of zero-length input, i.e. an empty file)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e