hxxp://cheezit[.]xyz

Analysis

max time kernel
289s
max time network
288s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
16/07/2024, 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://cheezit.xyz

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2300	msedge.exe
2300	msedge.exe
3120	msedge.exe
3120	msedge.exe
3696	identity_helper.exe
3696	identity_helper.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3120 wrote to memory of 4088	3120	msedge.exe	85
PID 3120 wrote to memory of 4088	3120	msedge.exe	85
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2468	3120	msedge.exe	86
PID 3120 wrote to memory of 2300	3120	msedge.exe	87
PID 3120 wrote to memory of 2300	3120	msedge.exe	87
PID 3120 wrote to memory of 2304	3120	msedge.exe	88
PID 3120 wrote to memory of 2304	3120	msedge.exe	88
PID 3120 wrote to memory of 2304	3120	msedge.exe	88
PID 3120 wrote to memory of 2304	3120	msedge.exe	88
PID 3120 wrote to memory of 2304	3120	msedge.exe	88
PID 3120 wrote to memory of 2304	3120	msedge.exe	88
PID 3120 wrote to memory of 2304	3120	msedge.exe	88
PID 3120 wrote to memory of 2304	3120	msedge.exe	88
PID 3120 wrote to memory of 2304	3120	msedge.exe	88
PID 3120 wrote to memory of 2304	3120	msedge.exe	88
PID 3120 wrote to memory of 2304	3120	msedge.exe	88
PID 3120 wrote to memory of 2304	3120	msedge.exe	88
PID 3120 wrote to memory of 2304	3120	msedge.exe	88
PID 3120 wrote to memory of 2304	3120	msedge.exe	88
PID 3120 wrote to memory of 2304	3120	msedge.exe	88
PID 3120 wrote to memory of 2304	3120	msedge.exe	88
PID 3120 wrote to memory of 2304	3120	msedge.exe	88
PID 3120 wrote to memory of 2304	3120	msedge.exe	88
PID 3120 wrote to memory of 2304	3120	msedge.exe	88
PID 3120 wrote to memory of 2304	3120	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cheezit.xyz
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff90a6f46f8,0x7ff90a6f4708,0x7ff90a6f4718
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,10376867930886593722,11012907072899715113,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  2⤵
  PID:2468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,10376867930886593722,11012907072899715113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,10376867930886593722,11012907072899715113,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2356 /prefetch:8
  2⤵
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10376867930886593722,11012907072899715113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10376867930886593722,11012907072899715113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,10376867930886593722,11012907072899715113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 /prefetch:8
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,10376867930886593722,11012907072899715113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10376867930886593722,11012907072899715113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10376867930886593722,11012907072899715113,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10376867930886593722,11012907072899715113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10376867930886593722,11012907072899715113,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,10376867930886593722,11012907072899715113,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4864 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
210676dde5c0bd984dc057e2333e1075

SHA1
2d2f8c14ee48a2580f852db7ac605f81b5b1399a

SHA256
2a89d71b4ddd34734b16d91ebd8ea68b760f321baccdd4963f91b8d3507a3fb5

SHA512
aeb81804cac5b17a5d1e55327f62df7645e9bbbfa8cad1401e7382628341a939b7aedc749b2412c06174a9e3fcdd5248d6df9b5d3f56c53232d17e59277ab017

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4e6521c03f1bc16d91d99c059cc5424

SHA1
043665051c486192a6eefe6d0632cf34ae8e89ad

SHA256
7759c346539367b2f80e78abca170f09731caa169e3462f11eda84c3f1ca63d1

SHA512
0bb4f628da6d715910161439685052409be54435e192cb4105191472bb14a33724592df24686d1655e9ba9572bd3dff8f46e211c0310e16bfe2ac949c49fbc5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
517d67ae5bb465b53b821102c97c730b

SHA1
17328daa0c9b5f60edbde254d074995f35bd8159

SHA256
2d504e2ccd98bdd4fc2bab5528a4febcd7f43003d72a4843940f1db52fd5f5bf

SHA512
4f8e681929ce0ab7aa8654ae96f9895f9ecab23d3b20caf791e1611d61a01d6ac9c626be6b6d73bbface2b0b1bb1d51305ea50e078c69a7776907db8e4102486

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d3665aa8c0d339577f9c60b91de9de33

SHA1
f4a748954f9df0832f889872e8bd2bcd4a7ce72f

SHA256
a91084e10aabc9ffbeedd26ab2832c014994e3cd9e90f812a54a652cfd7a0df7

SHA512
960155b08667d10b07ef72a74abfae5445f9f5150d0d5fcf8cd39d2eaef5212cac49f7af50d09e5293591f102aec5092aea2aa02c70ba75380aa11e884a0a18c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
42ed19da255f25c08a81b1f067d2ccc7

SHA1
d74bb3fa6051753c4b99c225d1d1b56103a27b21

SHA256
e8ae7882ff4e68c572277f82962734e0e48d34f0ac5e29642c806e364265d21d

SHA512
bda8dd87f974a1ce9c643c57280c2a7e86a98c63200203b534cc7f497f1f6e19f2132d9ed7f7a690d855c13ba7fb2e6f51bcbad99c5ebc3f88e0d3ccfd78d875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5c85de333314227fb43c9697e3cd295f

SHA1
1b253a1fe516a7cd89704d6bb91ba7812ef25f97

SHA256
ee66a70ff0a3abb89a855ba9bee2c487e249c9ea4ad79fd556d80dfc068ca432

SHA512
ddc2e4589da7d32833d5b256ab0ae24c887f34cfa16b76649ae24e626478ba2fdf77e7cada7c8108d1e34d9bc95d7f14fa8648635c5dd10868de4a5656411ea2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5026a25b76d10a89638c7b2d9011dbab

SHA1
d2f6558a4c5393fb280acf2afa9da55f0a59022a

SHA256
ccae650ca8c2fa4483dd15734544d1f49a1fcfef936698d724d46b1a6d134f16

SHA512
c169b390dadfd1d133a12ccb5ec13a567bd4b92fdd84670ff7342a41ab132becde4ab3cbcb1945e6208a0231eab91bf3d2a51c257a0807b46154b25e572cebca

Download Submit