bb596bf7474941c03af2c33a64800d93456baa25c0622ce251e2910aec6f0ae1

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12-07-2024 06:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

magiceden.io/about.html
Size

57KB
MD5

ea703f24dc4edcb8147b4bf5b40565a5
SHA1

bf0d519f39903e8a9d21ca14dc5536ff7e24899e
SHA256

695351214fdc6b7bb1af341a87422a9535a59d30e7529b3787400b9bc6d61f99
SHA512

f4b89f8f62f5d20bd02137322dc666f23fac36eecff42a76d884a9655656ba1b5e3ae62fb61b10c6330318a02ff6b16c005598f225956767a53a94173daf73c5
SSDEEP

384:6HvfWHL7xwh0k6+5SNic15eZcTQj545e2nYroWz5ebaRGh7O5eAdup+gx5e9gfMr:6HX0J0TONwXKl13m4Y0MCmd4OQSOhqt

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3932	msedge.exe
3932	msedge.exe
1264	msedge.exe
1264	msedge.exe
3044	identity_helper.exe
3044	identity_helper.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 736	1264	msedge.exe	84
PID 1264 wrote to memory of 736	1264	msedge.exe	84
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 4892	1264	msedge.exe	85
PID 1264 wrote to memory of 3932	1264	msedge.exe	86
PID 1264 wrote to memory of 3932	1264	msedge.exe	86
PID 1264 wrote to memory of 2848	1264	msedge.exe	87
PID 1264 wrote to memory of 2848	1264	msedge.exe	87
PID 1264 wrote to memory of 2848	1264	msedge.exe	87
PID 1264 wrote to memory of 2848	1264	msedge.exe	87
PID 1264 wrote to memory of 2848	1264	msedge.exe	87
PID 1264 wrote to memory of 2848	1264	msedge.exe	87
PID 1264 wrote to memory of 2848	1264	msedge.exe	87
PID 1264 wrote to memory of 2848	1264	msedge.exe	87
PID 1264 wrote to memory of 2848	1264	msedge.exe	87
PID 1264 wrote to memory of 2848	1264	msedge.exe	87
PID 1264 wrote to memory of 2848	1264	msedge.exe	87
PID 1264 wrote to memory of 2848	1264	msedge.exe	87
PID 1264 wrote to memory of 2848	1264	msedge.exe	87
PID 1264 wrote to memory of 2848	1264	msedge.exe	87
PID 1264 wrote to memory of 2848	1264	msedge.exe	87
PID 1264 wrote to memory of 2848	1264	msedge.exe	87
PID 1264 wrote to memory of 2848	1264	msedge.exe	87
PID 1264 wrote to memory of 2848	1264	msedge.exe	87
PID 1264 wrote to memory of 2848	1264	msedge.exe	87
PID 1264 wrote to memory of 2848	1264	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\magiceden.io\about.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff60dd46f8,0x7fff60dd4708,0x7fff60dd4718
  2⤵
  PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,10172006504625414365,11516805698879160631,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,10172006504625414365,11516805698879160631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,10172006504625414365,11516805698879160631,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
  2⤵
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,10172006504625414365,11516805698879160631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,10172006504625414365,11516805698879160631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:2812
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,10172006504625414365,11516805698879160631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,10172006504625414365,11516805698879160631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,10172006504625414365,11516805698879160631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:3804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,10172006504625414365,11516805698879160631,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:3828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,10172006504625414365,11516805698879160631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,10172006504625414365,11516805698879160631,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,10172006504625414365,11516805698879160631,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4128 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:548

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4324

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
04b60a51907d399f3685e03094b603cb

SHA1
228d18888782f4e66ca207c1a073560e0a4cc6e7

SHA256
87a9d9f1bd99313295b2ce703580b9d37c3a68b9b33026fdda4c2530f562e6a3

SHA512
2a8e3da94eaf0a6c4a2f29da6fec2796ba6a13cad6425bb650349a60eb3204643fc2fd1ab425f0251610cb9cce65e7dba459388b4e00c12ba3434a1798855c91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9622e603d436ca747f3a4407a6ca952e

SHA1
297d9aed5337a8a7290ea436b61458c372b1d497

SHA256
ace0e47e358fba0831b508cd23949a503ae0e6a5c857859e720d1b6479ff2261

SHA512
f774c5c44f0fcdfb45847626f6808076dccabfbcb8a37d00329ec792e2901dc59636ef15c95d84d0080272571542d43b473ce11c2209ac251bee13bd611b200a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\85a898ee-c118-4b56-a458-341a5f1e4fd8.tmp

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
328B

MD5
6d2b3268ca56b34f5608100107e0d24a

SHA1
9c8c97a7c62fa8ad56785369e496a1aae65cd445

SHA256
283d45af35139ccbf945f4920a17a33dcb445dfb3f60485a89266d8d697aa7af

SHA512
2296893557bd60ea871f247e5d666fc5b84f416a2007150f0d42177a6e8f3ab01eec43f5533307f18af5eb59ab9074185005994063340de68ef3d3cb73240be0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4e5f2b00b5b823ed776a9918e42a7c38

SHA1
2cf639ada297804eed60341d10f2fd924f367e67

SHA256
a035ac0e0d48d2c1f5d8768e6754b66047d1297c314a9ee20c0fd0fa04e52c4b

SHA512
b871fe14f964465297ae66f9d87027e7d5af8d705080f8da7d2c4eb8da23800dc25d42f631002399ff96e811d68a4e8624602f4b373a0e7148d9a5fac6ec504e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2cf07305d5a656da2de3ff0cb339c1f2

SHA1
5e891945dd05243ff7acb54b027362be5df5b484

SHA256
f0be7f569a6716e353623614dcb909172d512d6148448a53f16d88d03c4d84bc

SHA512
b9d54d3025a70c86c3ed794ae1ee2eee22d3392a5c06d176f20f5e4f00b8cb43a0e2d4c80db41cd67104e89a897d0847ee3bc59f959fffc5057c52d2ead77af0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
521172e8ec79cd7406ff17fe4085a281

SHA1
2970a28c751e0f93f39cdc2ef7f690b5d143f7b4

SHA256
bd507d29b598ce24937a6ee4f16ac8b947ae927c1f048d5027571744bc59b1eb

SHA512
5be36d454d094504e159d06351365b36bc2d299a5c09c40272107ad471d1735f6f2809d5e92ad1a8b9d034889a988f9b02c0e85cb2a73234ed7318bb82e0e361

Download Submit