hxxp://msig[.]dodeveloper[.]com/articles[.]html

Resubmissions

23/07/2024, 07:56

240723-jswexawdqp 1

23/07/2024, 07:45

240723-jldlhsvejf 1

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 07:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://msig.dodeveloper.com/articles.html

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3048	msedge.exe
3048	msedge.exe
540	msedge.exe
540	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
2880	identity_helper.exe
2880	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 4808	540	msedge.exe	84
PID 540 wrote to memory of 4808	540	msedge.exe	84
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 1020	540	msedge.exe	85
PID 540 wrote to memory of 3048	540	msedge.exe	86
PID 540 wrote to memory of 3048	540	msedge.exe	86
PID 540 wrote to memory of 3296	540	msedge.exe	87
PID 540 wrote to memory of 3296	540	msedge.exe	87
PID 540 wrote to memory of 3296	540	msedge.exe	87
PID 540 wrote to memory of 3296	540	msedge.exe	87
PID 540 wrote to memory of 3296	540	msedge.exe	87
PID 540 wrote to memory of 3296	540	msedge.exe	87
PID 540 wrote to memory of 3296	540	msedge.exe	87
PID 540 wrote to memory of 3296	540	msedge.exe	87
PID 540 wrote to memory of 3296	540	msedge.exe	87
PID 540 wrote to memory of 3296	540	msedge.exe	87
PID 540 wrote to memory of 3296	540	msedge.exe	87
PID 540 wrote to memory of 3296	540	msedge.exe	87
PID 540 wrote to memory of 3296	540	msedge.exe	87
PID 540 wrote to memory of 3296	540	msedge.exe	87
PID 540 wrote to memory of 3296	540	msedge.exe	87
PID 540 wrote to memory of 3296	540	msedge.exe	87
PID 540 wrote to memory of 3296	540	msedge.exe	87
PID 540 wrote to memory of 3296	540	msedge.exe	87
PID 540 wrote to memory of 3296	540	msedge.exe	87
PID 540 wrote to memory of 3296	540	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://msig.dodeveloper.com/articles.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc82e546f8,0x7ffc82e54708,0x7ffc82e54718
  2⤵
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,4299470822665750356,8043779588064353374,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1976 /prefetch:2
  2⤵
  PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,4299470822665750356,8043779588064353374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,4299470822665750356,8043779588064353374,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
  2⤵
  PID:3296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4299470822665750356,8043779588064353374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4299470822665750356,8043779588064353374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,4299470822665750356,8043779588064353374,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4852 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4184
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,4299470822665750356,8043779588064353374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,4299470822665750356,8043779588064353374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4299470822665750356,8043779588064353374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1708 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4299470822665750356,8043779588064353374,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:1336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4299470822665750356,8043779588064353374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:2888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4299470822665750356,8043779588064353374,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
  2⤵
  PID:3420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
75c9f57baeefeecd6c184627de951c1e

SHA1
52e0468e13cbfc9f15fc62cc27ce14367a996cff

SHA256
648ba270261690bb792f95d017e134d81a612ef4fc76dc41921c9e5b8f46d98f

SHA512
c4570cc4bb4894de3ecc8eee6cd8bfa5809ea401ceef683557fb170175ff4294cc21cdc6834db4e79e5e82d3bf16105894fff83290d26343423324bc486d4a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
10fa19df148444a77ceec60cabd2ce21

SHA1
685b599c497668166ede4945d8885d204fd8d70f

SHA256
c3b5deb970d0f06a05c8111da90330ffe25da195aafa4e182211669484d1964b

SHA512
3518ce16fef66c59e0bdb772db51aeaa9042c44ca399be61ca3d9979351f93655393236711cf2b1988d5f90a5b9318a7569a8cef3374fc745a8f9aa8323691ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
38ef5dec9812f6ba82aab084231d2abc

SHA1
1770af2ff7cbe03114b047dd72ff8b1df997a13a

SHA256
7a46e22b3b4327f593c7395ff967337976f2ed20a4b7c68f6327b7fc02101e2a

SHA512
3330f3b349e9347e6d7a405e13f3aa9be5eb95af95af767fb6e57fc897ebc7dfb1b6740cf8773912f6c6ea0f8bb3bf4efe265bc31b55acdcb38ecf597775b317

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
3f0bb74de1466ca024bbdcc32a17a14d

SHA1
7c7a5c6082180da23ff2da34e95c1e34512fd778

SHA256
04eb068e6490b4e47c6daac94958dfd37bf08a4463b58464f7d47958ef3ca2f8

SHA512
d74f17fb876279fcd093138e573c9d69115541cd5b10e9d77664c5876d25fd61702389677e7607e5ccb3f462922534450dcc6203e1c7cb3383b17b3c3c2cc544

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
505B

MD5
c655c791f1bcea7d03521187117feee1

SHA1
1ed2030eddfd8397e9d27e266fc1e30f6f63f024

SHA256
6aae1a320f4a932137f10da9410c5aca468d0a44ecef7363bd9244777a65a7ee

SHA512
41aa659c8277e019ae53b2b0dca3961c593dd81a7c96f5c9772d44db45982c6021ca77aa3dd6bcbfc3fa54529b54bcbb48ab9c8f1f118f768a9db19131eb02af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7ccf6a68b2a948f72cb70ecabc67ff68

SHA1
060d9273c7404f4d138dae5918e0bf7bdcea946f

SHA256
2d608caad98199cb6c65ab3f2de122707c31c6e2058600595b40b75905acce7b

SHA512
d20a90b61f77442360259ffe23497617160b515066f47bd0e8bd0b621fc86b00be4c085cbbb181f53fdc5230802283b2cff6d71d7c20f0440e59de80be189fdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b42d0cedfa4326291fab7f5631929980

SHA1
af37591c9fef6a4ab4e4daf7efe289d0b4864e74

SHA256
a521e58a949b33b25898e7d1b997e0d5a02972bb5bd98924b0c9b0503f1408c6

SHA512
d63f1e61ae45253cf38c1d6a57faaa6625b40314402e2079a2b0a39e1966f78c349c8cbd7dd2bf304f1bec5ff7a299968e0f152bb88ad5150aee366e4629e7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
474dba7d2f4d0b3dbaf7788e4ac08607

SHA1
eabe99f63bad59f3178a0b79415ad84df1c85d68

SHA256
3eaf28ce9d1b414fd2d58bc9c5762822b33b8584af2cf98fe569cb808965a6be

SHA512
638d897ff5899f079ebacd53e172c5c1dad3d00c1bb4b8a6340b5a6f82a4598d514b68743cdaf0d489104b8a951baa93a9d74704510e75d59a6648ff5733d200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f303b360824d759c5f5becd3c881ccef

SHA1
85b8a1748d1e59a1fafac172a4667ccf5081d909

SHA256
a138e3faac6d06071d70e65a94370d81a6b9bf09035cfeea50f4f2d283a51635

SHA512
6365d7765f208cfff22504c0719bfd2215304c5da34cf5ddb63e64e05fb92e84a9fc42864768489fdfa9bd64e17038b60bb3ffa3c7685c13fd6df35621cc6626

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
51174d89aa7b38bc12bd00ee8e53eb74

SHA1
8f02049f81d0e3f9d13f35aa2bc68650bef10a3a

SHA256
9f521fc527c085c203093e34c75b1ba3e836b3de7ca01788985c094b475dabc2

SHA512
856baedd2ebea7dd80cbc97e3734af92bd551df4041656307373168cf324bff406a46bbdd79de5c3c2454442d0f1a1e6faaea1363c5386ce83814adb2d8979a2

Download Submit