hxxps://sameapk[.]com/avow-hospice/

Analysis

max time kernel
40s
max time network
40s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 09:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://sameapk.com/avow-hospice/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
776	msedge.exe
776	msedge.exe
4800	msedge.exe
4800	msedge.exe
4324	identity_helper.exe
4324	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 4208	4800	msedge.exe	85
PID 4800 wrote to memory of 4208	4800	msedge.exe	85
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 1144	4800	msedge.exe	86
PID 4800 wrote to memory of 776	4800	msedge.exe	87
PID 4800 wrote to memory of 776	4800	msedge.exe	87
PID 4800 wrote to memory of 1176	4800	msedge.exe	88
PID 4800 wrote to memory of 1176	4800	msedge.exe	88
PID 4800 wrote to memory of 1176	4800	msedge.exe	88
PID 4800 wrote to memory of 1176	4800	msedge.exe	88
PID 4800 wrote to memory of 1176	4800	msedge.exe	88
PID 4800 wrote to memory of 1176	4800	msedge.exe	88
PID 4800 wrote to memory of 1176	4800	msedge.exe	88
PID 4800 wrote to memory of 1176	4800	msedge.exe	88
PID 4800 wrote to memory of 1176	4800	msedge.exe	88
PID 4800 wrote to memory of 1176	4800	msedge.exe	88
PID 4800 wrote to memory of 1176	4800	msedge.exe	88
PID 4800 wrote to memory of 1176	4800	msedge.exe	88
PID 4800 wrote to memory of 1176	4800	msedge.exe	88
PID 4800 wrote to memory of 1176	4800	msedge.exe	88
PID 4800 wrote to memory of 1176	4800	msedge.exe	88
PID 4800 wrote to memory of 1176	4800	msedge.exe	88
PID 4800 wrote to memory of 1176	4800	msedge.exe	88
PID 4800 wrote to memory of 1176	4800	msedge.exe	88
PID 4800 wrote to memory of 1176	4800	msedge.exe	88
PID 4800 wrote to memory of 1176	4800	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://sameapk.com/avow-hospice/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaac3346f8,0x7ffaac334708,0x7ffaac334718
  2⤵
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,11609623828792667498,10782113761123514379,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
  2⤵
  PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,11609623828792667498,10782113761123514379,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,11609623828792667498,10782113761123514379,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:8
  2⤵
  PID:1176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11609623828792667498,10782113761123514379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11609623828792667498,10782113761123514379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,11609623828792667498,10782113761123514379,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3964 /prefetch:8
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,11609623828792667498,10782113761123514379,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3964 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11609623828792667498,10782113761123514379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11609623828792667498,10782113761123514379,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11609623828792667498,10782113761123514379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11609623828792667498,10782113761123514379,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:2968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4192

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
584971c8ba88c824fd51a05dddb45a98

SHA1
b7c9489b4427652a9cdd754d1c1b6ac4034be421

SHA256
e2d8de6c2323bbb3863ec50843d9b58a22e911fd626d31430658b9ea942cd307

SHA512
5dbf1a4631a04d1149d8fab2b8e0e43ccd97b7212de43b961b9128a8bf03329164fdeb480154a8ffea5835f28417a7d2b115b8bf8d578d00b13c3682aa5ca726

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b28ef7d9f6d74f055cc49876767c886c

SHA1
d6b3267f36c340979f8fc3e012fdd02c468740bf

SHA256
fa6804456884789f4bdf9c3f5a4a8f29e0ededde149c4384072f3d8cc85bcc37

SHA512
491f893c8f765e5d629bce8dd5067cef4e2ebc558d43bfb05e358bca43e1a66ee1285519bc266fd0ff5b5e09769a56077b62ac55fa8797c1edf6205843356e75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
dabfa011d22a9a13101ae716545a2832

SHA1
459feabf2fe7d7d0f1957d12b44b1c4831e7900f

SHA256
d4ac45e822f8ebe5985070dca523f816cf848789c9ff557f44771d29f6623838

SHA512
a5e8128c62c3423c022f52cbc5746400913bb9cea7e3e5c84404876915a7a587bda1dd640696f1b60bf3c570c02fe39e7ad1cdd3fac7e40b765f687c73d9bcad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
aeecb7ff6a4f8ea313a634fefb202ddc

SHA1
a65257a1022ad7bc3a16b349e7b8748268d29ada

SHA256
473f028dd46146c357e49ce81ca60d196dbef1b93c7319f97b23cd8dcb79775e

SHA512
9514cc26937f1a5bdbeed0d82eaec8fadb7054d0da97b5f8b432e0a8963323b69a1fc8370e56ad34ff66537e0f627b63d25fc425f7894dbbd60eff4fdcde24e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
68670a002e6450c6715373b2351f891c

SHA1
7c34d50a45182375e52db7497256fe71c9081678

SHA256
49cdbff8e24b69fac58f287b612afaf1b5ae8022fabdd5aeddae37411675f6c1

SHA512
336c19a6ab8237e361e11649a7f1ddd16c6ae57441441e10a50f44cb5c262275c1011a3ddab747535c3bbfe1bc6c1852a0c62786c70d46e31641286ec7062b3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3d22d45b5a45a3d384247955f8721e14

SHA1
54dd1976f702ca0058c5f5a3aeb9cbf3e7aa069f

SHA256
8b6ec462128422447dddefac8013f5d00985581164861e00e9cf7e3b3d270b8c

SHA512
a17626af86cf079ff80117f75ff24fde662e4f49e6a95fbaeb594bc54cbd99abaa120fb30e04c213c76b5cb6202af09e80836adac65317a31aefe9039fb21c1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
350c571c0c00c77bdb1607bab97d7c25

SHA1
213a151c085ef5bac8d1588fcaf9dc873425e322

SHA256
723d0052f7a13785b3335f03cfb5a862f5e0ddc6620c3bae7ed2d993cab0d095

SHA512
1610bdd3383afe85487d70e72533a9c4ea659540ea55ee869288d63e135597ab1f6ff2665e73f08480f341e193f2499c78f8d1f28c55c53b1cf33c4a56c3d01e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57cfd3.TMP

Filesize
706B

MD5
5b09913c7e3c5bfe06d46665dbd1c6f9

SHA1
1a69b53ebd75053f6f67898efd28116b9171807f

SHA256
cc5cc64ddd9de19f6bf070e0b2f6b5e6d72c75afde214286542cbe7ece1d5ce6

SHA512
8eaf685036d85872116cc439d286f2a6f7e64c2fa93514458857267c809a75d46098dcd7f01f7e966d66434f8b8c03f14544a859fbf002fdf8b049e4c96c5dde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\bc8097b9-97d7-4a1b-bc73-5fcf09dfbb7a.tmp

Filesize
11KB

MD5
212432f41717676a89a90e66db46efcb

SHA1
95f3647b29fb086a6a09da6fe9c66e82b973de78

SHA256
ca0c550c526b7faf2ad93aafb60cd60a987ade4e4316c2609b179f21774667d5

SHA512
eba7bcffddcfa4a7367913a358df20188e132d862dbd289e109bc751b5f75670fdfc75cb1814b9efe672f4df1c9e2552f61157d34f4d9b9f02cfa62770e6f33d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit