hxxps://www[.]nticorp[.]com/NTI-HD-SSD-Upgrade-Kit-V5[.]html?gad_source=1&gclid=Cj0KCQjw1qO0BhDwARIsANfnkv-SgTp0GFgeNT0JgXByZcg7bU7om6YQ-gC9Ov-uoTSdCRHeL1SWBrIaAjiqEALw_wcB

Analysis

max time kernel
152s
max time network
205s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.nticorp.com/NTI-HD-SSD-Upgrade-Kit-V5.html?gad_source=1&gclid=Cj0KCQjw1qO0BhDwARIsANfnkv-SgTp0GFgeNT0JgXByZcg7bU7om6YQ-gC9Ov-uoTSdCRHeL1SWBrIaAjiqEALw_wcB

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1896	msedge.exe
1896	msedge.exe
916	msedge.exe
916	msedge.exe
556	identity_helper.exe
556	identity_helper.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 2732	916	msedge.exe	82
PID 916 wrote to memory of 2732	916	msedge.exe	82
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 3792	916	msedge.exe	83
PID 916 wrote to memory of 1896	916	msedge.exe	84
PID 916 wrote to memory of 1896	916	msedge.exe	84
PID 916 wrote to memory of 3428	916	msedge.exe	85
PID 916 wrote to memory of 3428	916	msedge.exe	85
PID 916 wrote to memory of 3428	916	msedge.exe	85
PID 916 wrote to memory of 3428	916	msedge.exe	85
PID 916 wrote to memory of 3428	916	msedge.exe	85
PID 916 wrote to memory of 3428	916	msedge.exe	85
PID 916 wrote to memory of 3428	916	msedge.exe	85
PID 916 wrote to memory of 3428	916	msedge.exe	85
PID 916 wrote to memory of 3428	916	msedge.exe	85
PID 916 wrote to memory of 3428	916	msedge.exe	85
PID 916 wrote to memory of 3428	916	msedge.exe	85
PID 916 wrote to memory of 3428	916	msedge.exe	85
PID 916 wrote to memory of 3428	916	msedge.exe	85
PID 916 wrote to memory of 3428	916	msedge.exe	85
PID 916 wrote to memory of 3428	916	msedge.exe	85
PID 916 wrote to memory of 3428	916	msedge.exe	85
PID 916 wrote to memory of 3428	916	msedge.exe	85
PID 916 wrote to memory of 3428	916	msedge.exe	85
PID 916 wrote to memory of 3428	916	msedge.exe	85
PID 916 wrote to memory of 3428	916	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.nticorp.com/NTI-HD-SSD-Upgrade-Kit-V5.html?gad_source=1&gclid=Cj0KCQjw1qO0BhDwARIsANfnkv-SgTp0GFgeNT0JgXByZcg7bU7om6YQ-gC9Ov-uoTSdCRHeL1SWBrIaAjiqEALw_wcB
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcc42b46f8,0x7ffcc42b4708,0x7ffcc42b4718
  2⤵
  PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,14137339034228636099,15035462882854640683,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:3792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,14137339034228636099,15035462882854640683,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,14137339034228636099,15035462882854640683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
  2⤵
  PID:3428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14137339034228636099,15035462882854640683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14137339034228636099,15035462882854640683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:688
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,14137339034228636099,15035462882854640683,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5872 /prefetch:8
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,14137339034228636099,15035462882854640683,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5872 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14137339034228636099,15035462882854640683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14137339034228636099,15035462882854640683,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14137339034228636099,15035462882854640683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14137339034228636099,15035462882854640683,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,14137339034228636099,15035462882854640683,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3544 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2072

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3c78617ec8f88da19254f9ff03312175

SHA1
344e9fed9434d924d1c9f05351259cbc21e434d3

SHA256
3cb47fcdca33bb3c8f4acc98424140987235ad79815da4f0e7593e4591ae90ed

SHA512
5b58675088b0fc2b2d705cb648ea89385b80c7cf908b0f4f95a9acdbd350b50754e1b586202db6a918eef70029fafb210947f3c43c570ecf7657e08939fd7e9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
09c7ae658385f6de986103443217840b

SHA1
298d880503edce4413337c09d3525f27a2edcd28

SHA256
91e04ec38abdb0204458543592c4621b7bc0306407884f764aa9596a52454cd7

SHA512
4e1272b209487d1e9e7d8502be49ebce91c76718410e817b3ac7faf47d9b699210aab1b941fbb5ddafc192ddf4b2ba151afd47fab753ec62bc0bca36039c55c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
9ac338872d6fbde2a24adab2dfc590d5

SHA1
ddf92f94d4db289374df05d05d1b604e45ca9f8f

SHA256
d832d56a85b521c90ccf56a4bf99a8284e12eba39d6f67e0c7f84fdaa9193f20

SHA512
74b0fea43fb90a784dae9d22eafb0bfff007b17e3927a75dd26668f0ae42eae5e7ada5ce72c472cc412d53aea67ab725f9460e89db08e325d605ae10a52b84ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ed17612944cc02de1bbff5dd2ca46a8d

SHA1
7d51f4b5fcbfd5effadc53db7f15b44910a93656

SHA256
9bb31d65cf1bf34800ced03788f4634ea369887b795f596469f980f7e030ab24

SHA512
fd9a6fe81ccc01b097abd9c7e9dc4c998bf0f20a2f2b78973544c1f7ee29cc17ae6ebdc676ce230fc868c0b50d4984b19cef32b6a70e38bab58b099a8a0a2f03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ace419051300e9905a3ea117fdc068a8

SHA1
85c2e0a13e532fa571bc64e896ae3eb838b686ee

SHA256
6db63411ceb48571f164fd1195cfe61c81248d6883ef95d0229ad32f6016c68f

SHA512
cc6755b7afafbc5bee226bae89a358e63b011ca0f1795a68968cb290a9752116b030c5dae242bdebff85fcf0544d9c7b506789b39c63acb1989e87930ab0dad3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f99d127c653851d0c052d705808dff7d

SHA1
a112a000770dbf24896efb24b01061e296cafbd7

SHA256
5fbf8afcdedf706f2597b94e7783ccbbf4eb40131f7e0b8d31277beedf159f42

SHA512
8d842e9c3fcf9e107fcbc551128aa841e00a4f38ef54850e7eb3a6849034ba6203d66d55f7d1f128f2908bf65fa46dc1c40b9fa83eae4401fdc3036f945f7488

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
12ff518dbac4488c26a6f8e04e5cf350

SHA1
d55e4207cfbd08c86c02dccd5d8c03a655e96ce4

SHA256
82240af0deaefd365acc82164a8a02c4439c3a37419662f9538d2ce2df8d5183

SHA512
0c1e22b733d295f0c7fee431bb9813af7147ee7a467c35c4dc8f7d3cf069faae11fec93e6c32ce576db0b94ae7a5cfaa2e54cc38cc41543db149242e5711c19e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
703B

MD5
1aa627c4173cbe2228d6e189b688a5ab

SHA1
a0b69e76c602b175e82ab5025d00f4ea25c6e6ee

SHA256
ea623e22ae6180787faed9a183b9be9b9d02ad929fb8ae3f2b8263cec60a2c97

SHA512
c91adf25d7ce8a9f1b6296547356ed2573c2db462fe5ac7801a7225008852446a0a7746b44cc654422f97e2a6e8739d3b7bf029e99f930bb8dd7ccd980ebe381

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581cab.TMP

Filesize
538B

MD5
1d81fabf0de632388dbd7099b0223e9b

SHA1
f805196a847cabdfa80f21c4abeab481a10290c2

SHA256
9c18003c5233f173e4b1e09fd9b770028c5a969ec204911243e970c01c3bbf80

SHA512
bf91d02047a03490c57931ee6a98b4eac7c38be35950bc5868453167e8ea97a8b825c331cbac4c84118a9ef8a593fbdae4943558616e7157e73fef0afbacd7de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bf934bbe36d097de0715e3d8feb9c178

SHA1
4e633dd2a9e25dbec152fceb7802545f6fbfc9ce

SHA256
618bf0aac43c2c831196e7c2807ebd02a018e0c229a23671da4c7c07bbbeefc2

SHA512
3025076188e99393ded67362e46531f7d3d6db9f83924d4d265eafdfce84faf92a923616e7096ba95409622828684171bbd817df09f67a9472e849eded0a66b9

Download Submit