Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system -
submitted
26-06-2024 16:25
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://cdn.discordapp.com/attachments/1255165018316476447/1255511838292971550/3CXLoader_.exe?ex=667d6604&is=667c1484&hm=3dfb0e5e516e2709cfc51305ca6edf7d1956e3bcbab56a2d64f29b61a1fd9037&
Resource
win11-20240508-en
General
-
Target
https://cdn.discordapp.com/attachments/1255165018316476447/1255511838292971550/3CXLoader_.exe?ex=667d6604&is=667c1484&hm=3dfb0e5e516e2709cfc51305ca6edf7d1956e3bcbab56a2d64f29b61a1fd9037&
Malware Config
Signatures
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 1564 msedge.exe 1564 msedge.exe 3252 msedge.exe 3252 msedge.exe 3784 msedge.exe 3784 msedge.exe 2256 identity_helper.exe 2256 identity_helper.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
pid Process 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe -
Suspicious use of SendNotifyMessage 12 IoCs
pid Process 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe 3252 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3252 wrote to memory of 4800 3252 msedge.exe 77 PID 3252 wrote to memory of 4800 3252 msedge.exe 77 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 2404 3252 msedge.exe 78 PID 3252 wrote to memory of 1564 3252 msedge.exe 79 PID 3252 wrote to memory of 1564 3252 msedge.exe 79 PID 3252 wrote to memory of 3248 3252 msedge.exe 80 PID 3252 wrote to memory of 3248 3252 msedge.exe 80 PID 3252 wrote to memory of 3248 3252 msedge.exe 80 PID 3252 wrote to memory of 3248 3252 msedge.exe 80 PID 3252 wrote to memory of 3248 3252 msedge.exe 80 PID 3252 wrote to memory of 3248 3252 msedge.exe 80 PID 3252 wrote to memory of 3248 3252 msedge.exe 80 PID 3252 wrote to memory of 3248 3252 msedge.exe 80 PID 3252 wrote to memory of 3248 3252 msedge.exe 80 PID 3252 wrote to memory of 3248 3252 msedge.exe 80 PID 3252 wrote to memory of 3248 3252 msedge.exe 80 PID 3252 wrote to memory of 3248 3252 msedge.exe 80 PID 3252 wrote to memory of 3248 3252 msedge.exe 80 PID 3252 wrote to memory of 3248 3252 msedge.exe 80 PID 3252 wrote to memory of 3248 3252 msedge.exe 80 PID 3252 wrote to memory of 3248 3252 msedge.exe 80 PID 3252 wrote to memory of 3248 3252 msedge.exe 80 PID 3252 wrote to memory of 3248 3252 msedge.exe 80 PID 3252 wrote to memory of 3248 3252 msedge.exe 80 PID 3252 wrote to memory of 3248 3252 msedge.exe 80
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1255165018316476447/1255511838292971550/3CXLoader_.exe?ex=667d6604&is=667c1484&hm=3dfb0e5e516e2709cfc51305ca6edf7d1956e3bcbab56a2d64f29b61a1fd9037&1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3252 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd1a5f3cb8,0x7ffd1a5f3cc8,0x7ffd1a5f3cd82⤵PID:4800
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,15698162434417079941,15821583588410608078,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1960 /prefetch:22⤵PID:2404
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,15698162434417079941,15821583588410608078,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:1564
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1948,15698162434417079941,15821583588410608078,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:82⤵PID:3248
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,15698162434417079941,15821583588410608078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:12⤵PID:2416
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,15698162434417079941,15821583588410608078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:12⤵PID:4776
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,15698162434417079941,15821583588410608078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:12⤵PID:3240
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,15698162434417079941,15821583588410608078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:12⤵PID:4004
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,15698162434417079941,15821583588410608078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4384 /prefetch:12⤵PID:1512
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,15698162434417079941,15821583588410608078,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:12⤵PID:1656
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1948,15698162434417079941,15821583588410608078,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4392 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3784
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,15698162434417079941,15821583588410608078,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:12⤵PID:4696
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,15698162434417079941,15821583588410608078,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5604 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2256
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,15698162434417079941,15821583588410608078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:12⤵PID:4172
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,15698162434417079941,15821583588410608078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4416 /prefetch:12⤵PID:4160
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,15698162434417079941,15821583588410608078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1744 /prefetch:12⤵PID:1452
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,15698162434417079941,15821583588410608078,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4788 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:4924
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,15698162434417079941,15821583588410608078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4440 /prefetch:12⤵PID:3572
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1832
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:556
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD50d84d1490aa9f725b68407eab8f0030e
SHA183964574467b7422e160af34ef024d1821d6d1c3
SHA25640c09bb0248add089873d1117aadefb46c1b4e23241ba4621f707312de9c829e
SHA512f84552335ff96b5b4841ec26e222c24af79b6d0271d27ad05a9dfcee254a7b9e9019e7fac0def1245a74754fae81f7126499bf1001615073284052aaa949fa00
-
Filesize
152B
MD50c705388d79c00418e5c1751159353e3
SHA1aaeafebce5483626ef82813d286511c1f353f861
SHA256697bd270be634688c48210bee7c5111d7897fd71a6af0bbb2141cefd2f8e4a4d
SHA512c1614e79650ab9822c4e175ba528ea4efadc7a6313204e4e69b4a9bd06327fb92f56fba95f2595885b1604ca8d8f6b282ab542988995c674d89901da2bc4186f
-
Filesize
5KB
MD56f240c743cb2efecc96037b0a777ee7d
SHA161e82efa1ec00e464ee56c742861f18783ec5941
SHA256473a3ece3bdfd5d39726c6db3bb9e9911fb043fd64067aab174643cf7c04189d
SHA5124fcc86922425e19a4188b0d381979c0d57f09f49c3d0e2c669f284b52b24450438914463635a4c729ffbd38ea3ea4760644b145ae3dd649a5c8a2dba12176e79
-
Filesize
6KB
MD5cf7bf9169854ad3d652de9250afc1ae3
SHA1939b84e67af0407861a4e5c43582c669be1ff4c2
SHA2567a4cde52a0b223931f65123a3bd8599ce4d5efb48c1b0f3ad7a4e952b5675c7d
SHA51220eeb17288c83567722f9beab903b29dac5c263493867bab16c95b4616b91f1ccf3ce4fbc370adb4faa33015580b38d442ae092a9993c8e8a6587712195b1648
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
8KB
MD547d5eb4903c4c4c3cf912f6e84a55c4c
SHA177d97612587e7671061b76a036913c094d53cfad
SHA256d99577e9c0b634d6875a53208cfbed4ea4cba9e4897bae7c55c656ada19105cb
SHA51212ac788469349f7b5b4d9d5fff0a068763e7941a43c5f91b0ef279910941f081cadebe25623837fb9c879eba85a4eb18c0ddc5f8eb54be9e361cdc3ee944edc1