hxxps://github[.]com/FormidableLabs/envy/blob/main/packages/core/package[.]json

Analysis

max time kernel
240s
max time network
244s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 14:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/FormidableLabs/envy/blob/main/packages/core/package.json

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
736	msedge.exe
736	msedge.exe
3524	msedge.exe
3524	msedge.exe
2232	identity_helper.exe
2232	identity_helper.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3524 wrote to memory of 3940	3524	msedge.exe	84
PID 3524 wrote to memory of 3940	3524	msedge.exe	84
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 3856	3524	msedge.exe	85
PID 3524 wrote to memory of 736	3524	msedge.exe	86
PID 3524 wrote to memory of 736	3524	msedge.exe	86
PID 3524 wrote to memory of 1148	3524	msedge.exe	87
PID 3524 wrote to memory of 1148	3524	msedge.exe	87
PID 3524 wrote to memory of 1148	3524	msedge.exe	87
PID 3524 wrote to memory of 1148	3524	msedge.exe	87
PID 3524 wrote to memory of 1148	3524	msedge.exe	87
PID 3524 wrote to memory of 1148	3524	msedge.exe	87
PID 3524 wrote to memory of 1148	3524	msedge.exe	87
PID 3524 wrote to memory of 1148	3524	msedge.exe	87
PID 3524 wrote to memory of 1148	3524	msedge.exe	87
PID 3524 wrote to memory of 1148	3524	msedge.exe	87
PID 3524 wrote to memory of 1148	3524	msedge.exe	87
PID 3524 wrote to memory of 1148	3524	msedge.exe	87
PID 3524 wrote to memory of 1148	3524	msedge.exe	87
PID 3524 wrote to memory of 1148	3524	msedge.exe	87
PID 3524 wrote to memory of 1148	3524	msedge.exe	87
PID 3524 wrote to memory of 1148	3524	msedge.exe	87
PID 3524 wrote to memory of 1148	3524	msedge.exe	87
PID 3524 wrote to memory of 1148	3524	msedge.exe	87
PID 3524 wrote to memory of 1148	3524	msedge.exe	87
PID 3524 wrote to memory of 1148	3524	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/FormidableLabs/envy/blob/main/packages/core/package.json
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ff8b47846f8,0x7ff8b4784708,0x7ff8b4784718
  2⤵
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,600155285934608089,6126115441885626804,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,600155285934608089,6126115441885626804,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,600155285934608089,6126115441885626804,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
  2⤵
  PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,600155285934608089,6126115441885626804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:1132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,600155285934608089,6126115441885626804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,600155285934608089,6126115441885626804,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,600155285934608089,6126115441885626804,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,600155285934608089,6126115441885626804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:2896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,600155285934608089,6126115441885626804,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,600155285934608089,6126115441885626804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,600155285934608089,6126115441885626804,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,600155285934608089,6126115441885626804,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2944 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
584971c8ba88c824fd51a05dddb45a98

SHA1
b7c9489b4427652a9cdd754d1c1b6ac4034be421

SHA256
e2d8de6c2323bbb3863ec50843d9b58a22e911fd626d31430658b9ea942cd307

SHA512
5dbf1a4631a04d1149d8fab2b8e0e43ccd97b7212de43b961b9128a8bf03329164fdeb480154a8ffea5835f28417a7d2b115b8bf8d578d00b13c3682aa5ca726

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b28ef7d9f6d74f055cc49876767c886c

SHA1
d6b3267f36c340979f8fc3e012fdd02c468740bf

SHA256
fa6804456884789f4bdf9c3f5a4a8f29e0ededde149c4384072f3d8cc85bcc37

SHA512
491f893c8f765e5d629bce8dd5067cef4e2ebc558d43bfb05e358bca43e1a66ee1285519bc266fd0ff5b5e09769a56077b62ac55fa8797c1edf6205843356e75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
0e8fe3236171567279bfd8020e8e66f3

SHA1
d3315583d024434a8a612fafd80f2b4873426444

SHA256
9dea94f60cb58067af2b39c5a2b1cbc3e2ff001491f1370ba4e38a5d14052f93

SHA512
f8fa6d1227daefffdb7784fb794a5f5bc9b6c5f8263b694d67a3daee2c073890e85ebed57fc05de12d7d4f20af6bd1ace74dabb106d7c59cef0ce9599a7f93d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
c4897aa78d9edac4710b6abd9081210d

SHA1
82fff6d6a6c64af2e1e64a0a56c46cfc2a3470bf

SHA256
1c2dbad9b7fe623f7907fe8875ae1df241de6ea09e8dbb063b885983420fc005

SHA512
207439940f16c3a029f465c4f4b6d290f15deea00c5d46365d2bbe5a27c48371315a7a5e39366638a4d256c843470b6e9acd6fc7c0b85aac10dde6176aba026c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a1de379835eabe6d70819e27eaedcb55

SHA1
5447db9ad6c1223236b599a6b25b81483486da1a

SHA256
994c482b767e45406f1b3e07a735bccb15191650cde89ca9f5cd45fd6aa477a2

SHA512
2d8a6a355added886073b45c2d7154e6bd65cba84974dee0555fd8e3ccc8b56e4a32fd9254592c2a9585250bde5c897bf3bf991c1e8904b77909ec7138400476

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
65709bf4b3666cd94abb7de66e93f7f2

SHA1
9b18a34fbb4ba0379f34a4e75c4a532580890b5f

SHA256
80a203e5b0d03d6a9387b9a641c971e61c10b9354cf756404e70cb18d73571ee

SHA512
4a33470aff4c7aa3ea442f9f68988ed1791a4dce1fae703a885e7ef652eeea6420213216233f8a97661bf1c30a1aaf9e099ab6350e464bb5e88a6d8aaad3b87d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
265217162daa9ec327445cc07fe964c2

SHA1
83a5ab4001f526275764454412cc5d1dbba28d6e

SHA256
247e933d6c7b5f78535fdb45e44c528cdf8db563b6e4e6a45c7cf49c268c813e

SHA512
231af29a22b76b38410b24e6a3700f8be57f47239a97a1eab01aceb4c286e55b760b15f2508ece06c2df2f8663bf5a1f80f181140848d27e057fa221b696dc9f

Download Submit