hxxps://t[.]co/9YyPQhwHTm

Analysis

max time kernel
63s
max time network
66s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://t.co/9YyPQhwHTm

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5100	msedge.exe
5100	msedge.exe
3104	msedge.exe
3104	msedge.exe
4644	identity_helper.exe
4644	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 4336	3104	msedge.exe	87
PID 3104 wrote to memory of 4336	3104	msedge.exe	87
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 428	3104	msedge.exe	88
PID 3104 wrote to memory of 5100	3104	msedge.exe	89
PID 3104 wrote to memory of 5100	3104	msedge.exe	89
PID 3104 wrote to memory of 3024	3104	msedge.exe	90
PID 3104 wrote to memory of 3024	3104	msedge.exe	90
PID 3104 wrote to memory of 3024	3104	msedge.exe	90
PID 3104 wrote to memory of 3024	3104	msedge.exe	90
PID 3104 wrote to memory of 3024	3104	msedge.exe	90
PID 3104 wrote to memory of 3024	3104	msedge.exe	90
PID 3104 wrote to memory of 3024	3104	msedge.exe	90
PID 3104 wrote to memory of 3024	3104	msedge.exe	90
PID 3104 wrote to memory of 3024	3104	msedge.exe	90
PID 3104 wrote to memory of 3024	3104	msedge.exe	90
PID 3104 wrote to memory of 3024	3104	msedge.exe	90
PID 3104 wrote to memory of 3024	3104	msedge.exe	90
PID 3104 wrote to memory of 3024	3104	msedge.exe	90
PID 3104 wrote to memory of 3024	3104	msedge.exe	90
PID 3104 wrote to memory of 3024	3104	msedge.exe	90
PID 3104 wrote to memory of 3024	3104	msedge.exe	90
PID 3104 wrote to memory of 3024	3104	msedge.exe	90
PID 3104 wrote to memory of 3024	3104	msedge.exe	90
PID 3104 wrote to memory of 3024	3104	msedge.exe	90
PID 3104 wrote to memory of 3024	3104	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.co/9YyPQhwHTm
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff91d1546f8,0x7ff91d154708,0x7ff91d154718
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,6773073241159325227,12702875730713768251,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2
  2⤵
  PID:428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2016,6773073241159325227,12702875730713768251,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2016,6773073241159325227,12702875730713768251,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  2⤵
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,6773073241159325227,12702875730713768251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,6773073241159325227,12702875730713768251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,6773073241159325227,12702875730713768251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,6773073241159325227,12702875730713768251,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5816 /prefetch:8
  2⤵
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,6773073241159325227,12702875730713768251,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5816 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,6773073241159325227,12702875730713768251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2292 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,6773073241159325227,12702875730713768251,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,6773073241159325227,12702875730713768251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
  2⤵
  PID:5208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,6773073241159325227,12702875730713768251,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:5216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
584971c8ba88c824fd51a05dddb45a98

SHA1
b7c9489b4427652a9cdd754d1c1b6ac4034be421

SHA256
e2d8de6c2323bbb3863ec50843d9b58a22e911fd626d31430658b9ea942cd307

SHA512
5dbf1a4631a04d1149d8fab2b8e0e43ccd97b7212de43b961b9128a8bf03329164fdeb480154a8ffea5835f28417a7d2b115b8bf8d578d00b13c3682aa5ca726

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b28ef7d9f6d74f055cc49876767c886c

SHA1
d6b3267f36c340979f8fc3e012fdd02c468740bf

SHA256
fa6804456884789f4bdf9c3f5a4a8f29e0ededde149c4384072f3d8cc85bcc37

SHA512
491f893c8f765e5d629bce8dd5067cef4e2ebc558d43bfb05e358bca43e1a66ee1285519bc266fd0ff5b5e09769a56077b62ac55fa8797c1edf6205843356e75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
dad51bb131e0a6280e252e3261281223

SHA1
f09ba3b46cd90de16aec20600f93fa57ab372c62

SHA256
e181ea231674b22bed6825314c8aa9bc93c05dc69260f2cb134fa62b315c7a19

SHA512
1dbecc25043c629a235262a12f5f6ed82a7938f50db4f19088134bb6ff6c3bb56dd4d8a313a24e7b2c23f0b5c56e05e7e1d045b981b19bd30e20a330dc90357d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1e11bee0cf015029698be3bb39c3eca2

SHA1
34f5b10217ccfa66e3b6a93c645e3384a4369405

SHA256
b02bd7448a5f24ec7223f48582024d407d3dc4e3ee89c7ff88855795d26440f3

SHA512
7b4f14d656202455519aeca51d0c518a5bf0dcec5c5cec0fd766ae56e80f9eab0bf119af3002c1070f33c062fb2d1a05e28415454cc2f8b7404a1ebc3e1f4c62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ce063d9b000709b642b0a16ae8651a06

SHA1
dc819a0e16e6aa088ad849f9c028a26c647705f3

SHA256
8f4f5d9d0c370c23e07ab736b087918e985c6ed5820394fb881b34ab2ab43204

SHA512
df93f3304d5bf8c3d57f441073cea18aabadb0af95c8c7e1aa25e7186204ad627561afba7f4c398407c656a6eeb8a960f4498bc98de77a535951ca66081d4acc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
367B

MD5
f8ebd11ac878d7e22af20d9d2cd22887

SHA1
c595e312b3877bc5591c10269ab25dc9e8af11d1

SHA256
c24a42cb49252aa4e5d20ac2d0a9752c26d23ef03819d07dbdb114570ec8e48a

SHA512
a58e9e8d23c96bba9d2db337db2f77ec8d80a97f6d6a72ce10985f0c880ed0a30a2554c014ddd96d929de1f24a3e27e7fa329ec76f6c454e0877b063bfa6d11c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f82b.TMP

Filesize
367B

MD5
fcf4aba85b828581b36d716e8bc71e2b

SHA1
e5866713a2b6fe174a2b58f59f53119e8b2a89a6

SHA256
55b607c867fafab42ec7ff8e8da72528b72c1c88f3dadd1a7cccf9469df790c9

SHA512
e513da34eef908385a284c648f8ea79b320c8ceda12231173a2995711f94f3ef94a7a489dbb970bdd349b9616473445cf5c5fe2e800a6f1d576f59242e7c5f50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
53ef67f8414440d9e10b1acec1130695

SHA1
00cdaa2e21df55960b6f2c29953f6f7549e44b45

SHA256
bdb0b75f6c25a10aa921641706bfad1eb273ce0f2951b2a80d18085807276b96

SHA512
8ef34219e64c9846d09cc186fc80d50c985e3461510e0325b0c2b500c5092b3ecfeb50f1523169dc161c831c253504e3223014ef13038b9c891f47c444dcc221

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit