hxxps://78341595nvqvyteoldiocat069128369[.]nwmountainsports[.]com/[.]alldcn[.]/[.]00[.]/709583844887060NVQvYTeOlDIocAt709583844887060/amFjay5sZWVAc2suY29t

Analysis

max time kernel
240s
max time network
285s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 06:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://78341595nvqvyteoldiocat069128369.nwmountainsports.com/.alldcn./.00./709583844887060NVQvYTeOlDIocAt709583844887060/amFjay5sZWVAc2suY29t

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1672	msedge.exe
1672	msedge.exe
3580	msedge.exe
3580	msedge.exe
1540	identity_helper.exe
1540	identity_helper.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3580 wrote to memory of 2500	3580	msedge.exe	83
PID 3580 wrote to memory of 2500	3580	msedge.exe	83
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 2792	3580	msedge.exe	85
PID 3580 wrote to memory of 1672	3580	msedge.exe	86
PID 3580 wrote to memory of 1672	3580	msedge.exe	86
PID 3580 wrote to memory of 2848	3580	msedge.exe	87
PID 3580 wrote to memory of 2848	3580	msedge.exe	87
PID 3580 wrote to memory of 2848	3580	msedge.exe	87
PID 3580 wrote to memory of 2848	3580	msedge.exe	87
PID 3580 wrote to memory of 2848	3580	msedge.exe	87
PID 3580 wrote to memory of 2848	3580	msedge.exe	87
PID 3580 wrote to memory of 2848	3580	msedge.exe	87
PID 3580 wrote to memory of 2848	3580	msedge.exe	87
PID 3580 wrote to memory of 2848	3580	msedge.exe	87
PID 3580 wrote to memory of 2848	3580	msedge.exe	87
PID 3580 wrote to memory of 2848	3580	msedge.exe	87
PID 3580 wrote to memory of 2848	3580	msedge.exe	87
PID 3580 wrote to memory of 2848	3580	msedge.exe	87
PID 3580 wrote to memory of 2848	3580	msedge.exe	87
PID 3580 wrote to memory of 2848	3580	msedge.exe	87
PID 3580 wrote to memory of 2848	3580	msedge.exe	87
PID 3580 wrote to memory of 2848	3580	msedge.exe	87
PID 3580 wrote to memory of 2848	3580	msedge.exe	87
PID 3580 wrote to memory of 2848	3580	msedge.exe	87
PID 3580 wrote to memory of 2848	3580	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://78341595nvqvyteoldiocat069128369.nwmountainsports.com/.alldcn./.00./709583844887060NVQvYTeOlDIocAt709583844887060/amFjay5sZWVAc2suY29t
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff266346f8,0x7fff26634708,0x7fff26634718
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2256,6982569563576716348,16788399024296507290,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2264 /prefetch:2
  2⤵
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2256,6982569563576716348,16788399024296507290,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2256,6982569563576716348,16788399024296507290,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
  2⤵
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,6982569563576716348,16788399024296507290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,6982569563576716348,16788399024296507290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2256,6982569563576716348,16788399024296507290,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 /prefetch:8
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2256,6982569563576716348,16788399024296507290,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,6982569563576716348,16788399024296507290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:1844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,6982569563576716348,16788399024296507290,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,6982569563576716348,16788399024296507290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,6982569563576716348,16788399024296507290,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2256,6982569563576716348,16788399024296507290,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1844 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1488

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bafce9e4c53a0cb85310891b6b21791b

SHA1
5d70027cc137a7cbb38f5801b15fd97b05e89ee2

SHA256
71fb546b5d2210a56e90b448ee10120cd92c518c8f79fb960f01b918f89f2b00

SHA512
c0e4d3eccc0135ac92051539a18f64b8b8628cfe74e5b019d4f8e1dcbb51a9b49c486a1523885fe6be53da7118c013852e753c26a5490538c1e721fd0188836c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a499254d6b5d91f97eb7a86e5f8ca573

SHA1
03dbfebfec8c94a9c06f9b0cd81ebe0a2b8be3d1

SHA256
fb87b758c2b98989df851380293ff6786cb9a5cf2b3a384cec70d9f3eb064499

SHA512
d7adcc76d0470bcd68d7644de3c8d2b6d61df8485979a4752ceea3df4d85bd1c290f72b3d8d5c8d639d5a10afa48d80e457f76b44dd8107ac97eb80fd98c7b0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
510B

MD5
dfb63838ba9a9f7baea9ca56eb2f8a16

SHA1
d16479ea48aac2c92c899b5d3913125bc4828b81

SHA256
a68aeef9f7e18e378ce120a621511e088286f3697a20e525eb68e6e9e4567c84

SHA512
efa7a7895f25f6b9ab8d2873fcbc5ab2f13ccf8a7fb8106c071c6e22317021ffe5527a3ab727a7bcb2135b3be0b604198d3d8dabd305f719af40e515b1e36a4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
479B

MD5
4946babe8ab525592e7f7d682ec136cf

SHA1
d4f657911f3ddbe23159c0d40751b7232fd2b837

SHA256
c9736b6a1f6b109e1ef41e420c36b923c623db92f45ad49789992b25f3dc8af2

SHA512
d3fb5340ef1a374650a418cca5b816b6f0195f3639db9a45f12e9803f0dc1914ed12ad340bb711d43b838c6567a20fd63f929dbe43bce1aa1df38881f1a12542

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
510B

MD5
f319976cf98c05c084d33803ad628e6f

SHA1
cecb616645a71a151f07e485b9f7a3c6a86e4e9c

SHA256
a06613c508b11e57211bb892b14f40bd4b86d0c156870c2ab1ed7a880de13f5e

SHA512
a768ec90c9434367efe1db69ff6e8632c4fa3aa8176cc8495553f4f0aca73fa082668ee5830a65b58312e0a8a866ff8babb005a68c8f8119140f36280dd390be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5de3070a0655820703f691a97827d61e

SHA1
54bc64f15fb3ac7ab8fccaea4885e8dca0f9eca1

SHA256
7a1e2632c50a52e9dad1a0b57fd5e49ca9fd5318153a7739793ade5e9fcb054a

SHA512
785899dfba3cb96367dc75bb9e783dd6d83b9392d4e7e618f0524aa273403cf1e59945bf9e4f4fc81a613a9f5bae46b904ba0549a6ca70367abea37a623703e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
df6a94834f207ad433e00a98c86f9530

SHA1
a618bd0240b8bb2e49bcb30d91447f68e6d3d33e

SHA256
c423725044f45355300813854e7e6e7f7179d8a03e348e092304c886518ff3f0

SHA512
a131fce181ce8a3fd01755bd29f0aa9a44d2bf3b00856702d9808dc7e18936071950542ceb1b6d157e3dece66c3046f64f40808f22e655463c1b8d1e3ea0c499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1cff89733294eccaa9210ad69124f1b8

SHA1
2a2aa54c20736508f39e4652e82afd46f2ab3e0f

SHA256
991e3f7379c642c34ba7010576dd2dbf5872495fdd18edcfe20efd5996bad502

SHA512
88f19f8b0c59e65ac07ae464ebf5ecfbec3adea476647bf04b6dfaf3875b10e187e1dbf06d12267bf8182bcd2e45da8fdda508a3c9bc73525d9f3fe73a330682

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3798d7ace9e73da9d82fa7e1ce9a1ff1

SHA1
a99034f1e83174592146f20d1349b380dff3f16f

SHA256
eb7332a7e31d2632d190a5f9780570b1f22bf19bddd839b662c8605c2aeabc2a

SHA512
fe3b9fd8ea1e6229c7002cc0f1932bcd096e94a0c34d650c8ef845ecdff9e7c0ddda82f0d724809d9cffbb4ae537bf8ee46883d6d9d7fc83b0660593cead4d2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
79042c45aeafc96d40aaac80b02549d4

SHA1
179ee13dcf6c28a1fa8cfef96c731f04d9d14e81

SHA256
0ff76e1bc4e9786fc91be8a0aa538b6cad870b7817eff7bbf2ccc69b0d8cfb3b

SHA512
8f0b6d8f29caa47928b5b31eeadbfe26750a588bc8b37441cedda074f7c7e1dc6fd44160517e8a77e364f57aa9672071f5b8f8d115d70d891a01099108630212

Download Submit