hxxps://scrive[.]com/s/9222115557520720139/9221402946417830671/9c8546a7371d1cb0

Analysis

max time kernel
145s
max time network
139s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
24/06/2024, 06:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://scrive.com/s/9222115557520720139/9221402946417830671/9c8546a7371d1cb0

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1596	msedge.exe
1596	msedge.exe
3588	msedge.exe
3588	msedge.exe
392	msedge.exe
392	msedge.exe
4964	identity_helper.exe
4964	identity_helper.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 5072	3588	msedge.exe	79
PID 3588 wrote to memory of 5072	3588	msedge.exe	79
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1876	3588	msedge.exe	81
PID 3588 wrote to memory of 1596	3588	msedge.exe	82
PID 3588 wrote to memory of 1596	3588	msedge.exe	82
PID 3588 wrote to memory of 3556	3588	msedge.exe	83
PID 3588 wrote to memory of 3556	3588	msedge.exe	83
PID 3588 wrote to memory of 3556	3588	msedge.exe	83
PID 3588 wrote to memory of 3556	3588	msedge.exe	83
PID 3588 wrote to memory of 3556	3588	msedge.exe	83
PID 3588 wrote to memory of 3556	3588	msedge.exe	83
PID 3588 wrote to memory of 3556	3588	msedge.exe	83
PID 3588 wrote to memory of 3556	3588	msedge.exe	83
PID 3588 wrote to memory of 3556	3588	msedge.exe	83
PID 3588 wrote to memory of 3556	3588	msedge.exe	83
PID 3588 wrote to memory of 3556	3588	msedge.exe	83
PID 3588 wrote to memory of 3556	3588	msedge.exe	83
PID 3588 wrote to memory of 3556	3588	msedge.exe	83
PID 3588 wrote to memory of 3556	3588	msedge.exe	83
PID 3588 wrote to memory of 3556	3588	msedge.exe	83
PID 3588 wrote to memory of 3556	3588	msedge.exe	83
PID 3588 wrote to memory of 3556	3588	msedge.exe	83
PID 3588 wrote to memory of 3556	3588	msedge.exe	83
PID 3588 wrote to memory of 3556	3588	msedge.exe	83
PID 3588 wrote to memory of 3556	3588	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://scrive.com/s/9222115557520720139/9221402946417830671/9c8546a7371d1cb0
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffbf743cb8,0x7fffbf743cc8,0x7fffbf743cd8
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,16620099086582052738,16965882015972668334,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,16620099086582052738,16965882015972668334,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,16620099086582052738,16965882015972668334,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
  2⤵
  PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16620099086582052738,16965882015972668334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16620099086582052738,16965882015972668334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,16620099086582052738,16965882015972668334,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,16620099086582052738,16965882015972668334,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16620099086582052738,16965882015972668334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:4268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16620099086582052738,16965882015972668334,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16620099086582052738,16965882015972668334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16620099086582052738,16965882015972668334,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,16620099086582052738,16965882015972668334,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1632 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
64f055a833e60505264595e7edbf62f6

SHA1
dad32ce325006c1d094b7c07550aca28a8dac890

SHA256
7172dc46924936b8dcee2d0c39535d098c2dbf510402c5bbb269399aed4d4c99

SHA512
86644776207d0904bc3293b4fec2fa724b8b3c9c3086cd0ef2696027ab3d840a8049b6bde3464c209e57ffa83cbc3df6115500fbe36a9acb222830c1aac4dc7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a74887034b3a720c50e557d5b1c790bf

SHA1
fb245478258648a65aa189b967590eef6fb167be

SHA256
f25b27187fad2b82ac76fae98dfdddc1c04f4e8370d112d45c1dd17a8908c250

SHA512
888c3fceb1a28a41c5449f5237ca27c7cbd057ce407f1542973478a31aa84ce9b77943130ca37551c31fa7cd737b9195b7374f886a969b39148a531530a91af3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
9b7b32669348d44f588727f3f0e3c5be

SHA1
190e0eb1da2b48f438cfdf7eddfdf5d228e59319

SHA256
6b3ab357b8689fa0b351762e55f1ae7e02883a508e3674ed6f5f571587751a49

SHA512
dff9e1201f1de68e5c78ef4f473cd5b631fe8da0ea7f5bcfd849c20ca1b5f426c521f059e25cc0c9888ecd08c450a5020f923b91cebee90897338987af1573c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
447B

MD5
2969750cccab817220a205b0b324ffc3

SHA1
bf51e8e893fc2a55b41d6289983be01283951796

SHA256
24429c9fb9c90be42a4a4a798d8b277ba74d389b1af75ea988e4d13e95060044

SHA512
d51458398bdd9b89b4d3fa12d7c83b9b50d19e87db547ba1e2379683fe6d874e1ad135cc71c9719d76c73b5bea3803fe8f60df4ff29bfa8a1a4949353b202c62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c6e64fd7d8504c721c4d7815f9a84685

SHA1
8e40371614dbdef6b0d6fa88ee9a2ea83db3f1e8

SHA256
0f058afc0badb5437735e6114bca17e740261aa25107d277f324322432346b7c

SHA512
2c30e606062f09fa83117cfaad7c28f28b4c22ec8f18f6ea883d511ebda1923a06e8e1802ecaacb1f9ad8145640a6f5660c9481930fe8d9086f098b0998a25de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e6fbe3b54e40805385a47b5f2b17a5c4

SHA1
3256247dc1970cf716c796a2d00c6130b16a139c

SHA256
e2fe5d4240513814ee1244fe2accab70c311aacf4d361272028609a06b623f13

SHA512
dae76325cdc370d5f1c79bd07213518a8bb6e6f8f78a0705f1e115c5b01ca9f1531a6462f69bcf075c4482a67649010560e9c31e0c18f0d22f82ddb7cdbe053b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
49ea709b9fe7ac3d9096bb184ef56670

SHA1
1e9ad84935599ee39955fb6a8fcd9aa7973621d5

SHA256
e844319dcb09a82a430cbc08149969d51792c7c31f793fb366a01023a56d64b1

SHA512
0e6e921837a9cdb0781c78fa4124ef22707cba743680656be586ff12c9c43dd7e7779b348d86bf235b0d46de19feeda7045b1aa0e59d3000393516ac8b9c2434

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3a51784c15ada5b215ff0a7c013651dc

SHA1
027959ebbe6b4478ec806ce8a459a09589620ee0

SHA256
7a643ac952a01ac9f9758230cd3fb0178da0470d919a42773387afd0bf6db0c9

SHA512
ec53e246dfdfbf4cb97c72a96122c098984af24016e1755993a9e5ea650f61717aa38e3e22803ed165c22a12d07260f65afb8aee14b4b0e57e40ab7a66d1b204

Download Submit