Analysis
max time kernel: 100s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-07-2024 03:31
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://pub-4df7e5086998456e8f47dc24b08f20f2.r2.dev/complete.html
Resource: win10v2004-20240611-en
General
Target: https://pub-4df7e5086998456e8f47dc24b08f20f2.r2.dev/complete.html
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description / ioc / process):
Key opened / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS / msedge.exe
Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer / msedge.exe
Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName / msedge.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes (pid / process):
1584 / msedge.exe
1584 / msedge.exe
1508 / msedge.exe
1508 / msedge.exe
3108 / identity_helper.exe
3108 / identity_helper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
Processes (pid / process):
1508 / msedge.exe (6 entries)
Suspicious use of FindShellTrayWindow (25 IoCs)
Processes (pid / process):
1508 / msedge.exe (25 entries)
Suspicious use of SendNotifyMessage (24 IoCs)
Processes (pid / process):
1508 / msedge.exe (24 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description / pid / process / target process):
PID 1508 wrote to memory of 3180 / 1508 / msedge.exe / msedge.exe (2 entries)
PID 1508 wrote to memory of 4980 / 1508 / msedge.exe / msedge.exe (40 entries)
PID 1508 wrote to memory of 1584 / 1508 / msedge.exe / msedge.exe (2 entries)
PID 1508 wrote to memory of 2856 / 1508 / msedge.exe / msedge.exe (20 entries)
Processes (process tree; children are indented under their parent)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pub-4df7e5086998456e8f47dc24b08f20f2.r2.dev/complete.html
  PID: 1508
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff94a3546f8,0x7ff94a354708,0x7ff94a354718
      PID: 3180

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,8461002554932850314,18394976874264268096,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
      PID: 4980

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,8461002554932850314,18394976874264268096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
      PID: 1584
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,8461002554932850314,18394976874264268096,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
      PID: 2856

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,8461002554932850314,18394976874264268096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
      PID: 1912

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,8461002554932850314,18394976874264268096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
      PID: 2560

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,8461002554932850314,18394976874264268096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
      PID: 3160

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,8461002554932850314,18394976874264268096,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
      PID: 4796

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,8461002554932850314,18394976874264268096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
      PID: 536

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,8461002554932850314,18394976874264268096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
      PID: 3108
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,8461002554932850314,18394976874264268096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
      PID: 4472

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,8461002554932850314,18394976874264268096,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
      PID: 2788

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3516

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 888
Network
MITRE ATT&CK Enterprise v15
Downloads
Dropped files (path where recorded / size):
no path recorded / 152B
no path recorded / 152B
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index / 96B
no path recorded / 332B
no path recorded / 5KB
no path recorded / 6KB
no path recorded / 16B
no path recorded / 11KB
no path or size recorded (its MD5, SHA1, SHA256 and SHA512 are those of a zero-length file)