hxxp://cgexchange[.]com

Analysis

max time kernel
100s
max time network
97s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
19/07/2024, 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://cgexchange.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5084	msedge.exe
5084	msedge.exe
3584	msedge.exe
3584	msedge.exe
1964	msedge.exe
1964	msedge.exe
4656	identity_helper.exe
4656	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3584 wrote to memory of 812	3584	msedge.exe	78
PID 3584 wrote to memory of 812	3584	msedge.exe	78
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 2696	3584	msedge.exe	79
PID 3584 wrote to memory of 5084	3584	msedge.exe	80
PID 3584 wrote to memory of 5084	3584	msedge.exe	80
PID 3584 wrote to memory of 4196	3584	msedge.exe	81
PID 3584 wrote to memory of 4196	3584	msedge.exe	81
PID 3584 wrote to memory of 4196	3584	msedge.exe	81
PID 3584 wrote to memory of 4196	3584	msedge.exe	81
PID 3584 wrote to memory of 4196	3584	msedge.exe	81
PID 3584 wrote to memory of 4196	3584	msedge.exe	81
PID 3584 wrote to memory of 4196	3584	msedge.exe	81
PID 3584 wrote to memory of 4196	3584	msedge.exe	81
PID 3584 wrote to memory of 4196	3584	msedge.exe	81
PID 3584 wrote to memory of 4196	3584	msedge.exe	81
PID 3584 wrote to memory of 4196	3584	msedge.exe	81
PID 3584 wrote to memory of 4196	3584	msedge.exe	81
PID 3584 wrote to memory of 4196	3584	msedge.exe	81
PID 3584 wrote to memory of 4196	3584	msedge.exe	81
PID 3584 wrote to memory of 4196	3584	msedge.exe	81
PID 3584 wrote to memory of 4196	3584	msedge.exe	81
PID 3584 wrote to memory of 4196	3584	msedge.exe	81
PID 3584 wrote to memory of 4196	3584	msedge.exe	81
PID 3584 wrote to memory of 4196	3584	msedge.exe	81
PID 3584 wrote to memory of 4196	3584	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cgexchange.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff94ca23cb8,0x7ff94ca23cc8,0x7ff94ca23cd8
  2⤵
  PID:812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,976196696380429912,8186349510972190506,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:2696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,976196696380429912,8186349510972190506,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,976196696380429912,8186349510972190506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
  2⤵
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,976196696380429912,8186349510972190506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,976196696380429912,8186349510972190506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,976196696380429912,8186349510972190506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,976196696380429912,8186349510972190506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,976196696380429912,8186349510972190506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
  2⤵
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,976196696380429912,8186349510972190506,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,976196696380429912,8186349510972190506,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,976196696380429912,8186349510972190506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:3312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,976196696380429912,8186349510972190506,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,976196696380429912,8186349510972190506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,976196696380429912,8186349510972190506,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:1144

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4188

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b26cef15e9a3cc82fb429a163f96ac6b

SHA1
718ac4822198b1a21f43b6941d0d8df107fd0015

SHA256
73af2c2ebc9187187d887e4abc8b04561c55f36f7f9cdf20293d522ce5c2f506

SHA512
87f96314ea9a1f394d24de5657e61cc6809c961fd05280b4875a06bb928f4e19dadf725fcd0417f16c93cdceca349dd27dd95d0f8f0f756020322803b2f91cdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5efcc43219d778bd14d32016100f2708

SHA1
b06f6726698a68781854bc342a54e06bc4562217

SHA256
a7534c7d125854f7fe662a7951443cad1d1ff0d8d3eb537dde5a381cd3415666

SHA512
6bbdf16b41bbc3ac5d4e2b93683a712d56eb58719799f69cb7240a77f799928b48af2771f76d9d7829846db12d0116e3a8ea6c5d0f02d5e840db1b3c018480b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
74e6ca36228c4cb1c7c939c98ca15eb5

SHA1
2892586cd75f07b48566be3cf6115d4972b56101

SHA256
312de814d16a907b1b4114f7775dbbc232425d89439fe2743b8780b917f3fc1f

SHA512
994b57b8d71c252cc83ac4d4b6c471d11d7cae9bebb5c4ced8fdad7f895499103bfa4b30eddac26d9ddcb16b86c0959e19b5784af6b6035e5c5ea12df72eb1ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
3fdbe2a452ca5014c221e2126154eaae

SHA1
bcb09187d91f4cc443ce24cd8930310edd4eb3e8

SHA256
dce662409e097541a4492edae8804b754b5de82c2588b348c75600bbdec96738

SHA512
ae80bac5589ebbf2f49eba5e285cee4d38d1cd681878e13782506dd710e77bda8f3915cf2e4bd8201292348b972b7b41275fda74b1c134a40ba93e1f3dd93556

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
66fae7f4de0926296dcfeb34bba41f62

SHA1
6016579040bf002dd1a229cb4cf464270c5fde61

SHA256
6011a46ac35f9d11de58cee6a47a3925084412bd52821f5f2328d91d233feb8d

SHA512
3cd3b6e0b585f53566d7e6efaec55ab07f3d223ffb5256dc7f45d1eaa84e696c8f7fdfbb4678e988821bb213d2fa8314ef08fbc288874b10b5ea0dab2853559e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b627d732acc37c009403ab16019952e9

SHA1
cb407941167f5b74ccb353480a2feba7472beb90

SHA256
a287073ab72ffc540a46e5c2ed0d92bc2deb9d4592d44c16507da764abd2b821

SHA512
07970d6540eb704161ca576168a53db2af96b471f4fce2fb2ab66c5398e55a057f716ae1490aa60493e95326b084789911b6bc5255829c568cf40e0deed3dba9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
aee60c51b685de3f4a98ac41a06062c4

SHA1
d9481192608edd4cc067859e8fca7c6b6f92e5da

SHA256
9448ba4eabbf9881c0cbfc843363f8f7584e2a6a6e4ca899b0dfc978b929f9ff

SHA512
aa749b26ca2ad4ed6972d865ffafb54ad1dce8ab23d01d2fe893b78d4d60484a5ea552690a92b6c3df8e44f0f0e8923125d60d482bc63b2d64483af5151acecb

Download Submit