hxxp://juvotusasaw[.]yenene[.]co[.]za

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://juvotusasaw.yenene.co.za

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3868	msedge.exe
3868	msedge.exe
380	msedge.exe
380	msedge.exe
4888	identity_helper.exe
4888	identity_helper.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 380 wrote to memory of 3484	380	msedge.exe	84
PID 380 wrote to memory of 3484	380	msedge.exe	84
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3904	380	msedge.exe	85
PID 380 wrote to memory of 3868	380	msedge.exe	86
PID 380 wrote to memory of 3868	380	msedge.exe	86
PID 380 wrote to memory of 4052	380	msedge.exe	87
PID 380 wrote to memory of 4052	380	msedge.exe	87
PID 380 wrote to memory of 4052	380	msedge.exe	87
PID 380 wrote to memory of 4052	380	msedge.exe	87
PID 380 wrote to memory of 4052	380	msedge.exe	87
PID 380 wrote to memory of 4052	380	msedge.exe	87
PID 380 wrote to memory of 4052	380	msedge.exe	87
PID 380 wrote to memory of 4052	380	msedge.exe	87
PID 380 wrote to memory of 4052	380	msedge.exe	87
PID 380 wrote to memory of 4052	380	msedge.exe	87
PID 380 wrote to memory of 4052	380	msedge.exe	87
PID 380 wrote to memory of 4052	380	msedge.exe	87
PID 380 wrote to memory of 4052	380	msedge.exe	87
PID 380 wrote to memory of 4052	380	msedge.exe	87
PID 380 wrote to memory of 4052	380	msedge.exe	87
PID 380 wrote to memory of 4052	380	msedge.exe	87
PID 380 wrote to memory of 4052	380	msedge.exe	87
PID 380 wrote to memory of 4052	380	msedge.exe	87
PID 380 wrote to memory of 4052	380	msedge.exe	87
PID 380 wrote to memory of 4052	380	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://juvotusasaw.yenene.co.za
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffce80b46f8,0x7ffce80b4708,0x7ffce80b4718
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,10963044392615257870,13864540152150379564,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,10963044392615257870,13864540152150379564,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,10963044392615257870,13864540152150379564,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10963044392615257870,13864540152150379564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10963044392615257870,13864540152150379564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10963044392615257870,13864540152150379564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
  2⤵
  PID:1380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10963044392615257870,13864540152150379564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,10963044392615257870,13864540152150379564,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
  2⤵
  PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,10963044392615257870,13864540152150379564,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10963044392615257870,13864540152150379564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10963044392615257870,13864540152150379564,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10963044392615257870,13864540152150379564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10963044392615257870,13864540152150379564,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1
  2⤵
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,10963044392615257870,13864540152150379564,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4912 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1268

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c00b0d6e0f836dfa596c6df9d3b2f8f2

SHA1
69ad27d9b4502630728f98917f67307e9dd12a30

SHA256
578481cd359c669455e24983b13723c25584f58925b47283cb580019ef3142b1

SHA512
0e098ab5f5772fec17880e228a0dccbbaa06dc1af14e0fd827f361599c61899fe07d612a7f7b049ff6661d27fdc495566dd20fc28ceed022b87c212bf00be5da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
54f1b76300ce15e44e5cc1a3947f5ca9

SHA1
c978bfaa6ec6dae05464c6426eaa6cb3c3e2f3b7

SHA256
43dec5d87b7ee892a3d99cb61f772ba403882ac0772423f36034e84244c1ca24

SHA512
ac26e5676c675be329eb62b5d5a36a0e6014ab8a6366684b0fc2a59ae5f061f596f462b82eb4e9f135d2235a0cbd4af96680d234eecc873a8397fd81507d277a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
84fbd1dae9f5e2a5c5a2b6c411954300

SHA1
d256ca8408c4e8ff52b7f56db1f6601ed88bcc53

SHA256
a40faf5a79a205e7214e3ea374e87e94e7251d99d1d02d372aced7146ddd0ba8

SHA512
01e5afb4ccdb598f5aa145c44994b20bcbcd56cde8e5bdfb9f0e7095be0ed32042d899c46c605598011a133a42a239618dabf374c56ca5a7f03f6091e0827efd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
193B

MD5
99ae22c3441935823773507e91d038ce

SHA1
29dc5ca8ed6b844aae14c360526cb4c3677838c1

SHA256
a862ee17d7503f740784dc7a4dd81c458bc4ca5e18af54b104d51bbb1b518bf3

SHA512
f715252d5a32c50a11147d416b430028a02b9fd748d14d20754b5d1412f2a97daf770321af3d9a06255698d88d9265782bd6d1017ee82407eaf3ff3a13206691

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a986ab6ff6a53b8665f8be862236e2a9

SHA1
83cd0ed1613af944a6458bf99ad9ea8bdcbc0d9c

SHA256
b60ffcfc2d4d40943853ad591611ee63ffe66b0f4c7fb7bcf45c7196ce44ae14

SHA512
650593779d60f09d28e0458466a30195efbedc42f91c8cfa7639337822369a6819bde9b7e6f7ae85e7779ae7d4e2744e0fb1c4ddddcd50cbc0088b0242c22c53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4107c219f82e056b230490a08fbaedee

SHA1
978091070d6c8c76ba49894a2da77d2d7f23d07c

SHA256
97484df3c7434cad0b36da16eb61ed56e0d4145d6c95b159a0a805e1503e7b4f

SHA512
e57cdb9709c95189f995ea74d7ffd7440450f5269c94bf219fd3ec71111feba8f5f6bdd504481a968735861486606c0ccd5bc793003f92e3fb9a3ca552474aa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f61902196b504e747cbac0b191ecd236

SHA1
02c3c345271f32c7d4cb5a0785bf69d3ee5bc49c

SHA256
c50a21ae017d640ac9d23b05ead628ca9f456fe2998c15678aa6c36b5f4f4072

SHA512
d574e1188afb741f5ea06515d3f7c328702cb2d0f471c52078dd3f1d0a803cbdf6192e59417ce309d76bdc3fccd49e2d6a8777f07916721247d20cfd88d86039

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
733b942b001739718a2f142571ff83ca

SHA1
60ae7b1720ee96bf6d4b10ff535e3c53e21c8e4e

SHA256
1e3fbd0d967c1e0c5bba6835613d6034a4f7a7430cea6269cb620e34206ecd63

SHA512
13004c2f76a045ece51c631b12d50d099e98a3d045098aafc1247bce6bb674770b34698f0b052101759eb2df6625d6423d213329d9c2bc578193e42088094943

Download Submit