hxxp://nmreis[.]com

Analysis

max time kernel
18s
max time network
21s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://nmreis.com

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2008	msedge.exe
2008	msedge.exe
1852	msedge.exe
1852	msedge.exe
1588	identity_helper.exe
1588	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 4500	1852	msedge.exe	85
PID 1852 wrote to memory of 4500	1852	msedge.exe	85
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 864	1852	msedge.exe	86
PID 1852 wrote to memory of 2008	1852	msedge.exe	87
PID 1852 wrote to memory of 2008	1852	msedge.exe	87
PID 1852 wrote to memory of 400	1852	msedge.exe	88
PID 1852 wrote to memory of 400	1852	msedge.exe	88
PID 1852 wrote to memory of 400	1852	msedge.exe	88
PID 1852 wrote to memory of 400	1852	msedge.exe	88
PID 1852 wrote to memory of 400	1852	msedge.exe	88
PID 1852 wrote to memory of 400	1852	msedge.exe	88
PID 1852 wrote to memory of 400	1852	msedge.exe	88
PID 1852 wrote to memory of 400	1852	msedge.exe	88
PID 1852 wrote to memory of 400	1852	msedge.exe	88
PID 1852 wrote to memory of 400	1852	msedge.exe	88
PID 1852 wrote to memory of 400	1852	msedge.exe	88
PID 1852 wrote to memory of 400	1852	msedge.exe	88
PID 1852 wrote to memory of 400	1852	msedge.exe	88
PID 1852 wrote to memory of 400	1852	msedge.exe	88
PID 1852 wrote to memory of 400	1852	msedge.exe	88
PID 1852 wrote to memory of 400	1852	msedge.exe	88
PID 1852 wrote to memory of 400	1852	msedge.exe	88
PID 1852 wrote to memory of 400	1852	msedge.exe	88
PID 1852 wrote to memory of 400	1852	msedge.exe	88
PID 1852 wrote to memory of 400	1852	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://nmreis.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd24d546f8,0x7ffd24d54708,0x7ffd24d54718
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,15713991633573132492,5993603470782166672,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
  2⤵
  PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,15713991633573132492,5993603470782166672,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1800 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,15713991633573132492,5993603470782166672,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2452 /prefetch:8
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,15713991633573132492,5993603470782166672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,15713991633573132492,5993603470782166672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,15713991633573132492,5993603470782166672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2820 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,15713991633573132492,5993603470782166672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,15713991633573132492,5993603470782166672,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:8
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,15713991633573132492,5993603470782166672,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4376

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bafce9e4c53a0cb85310891b6b21791b

SHA1
5d70027cc137a7cbb38f5801b15fd97b05e89ee2

SHA256
71fb546b5d2210a56e90b448ee10120cd92c518c8f79fb960f01b918f89f2b00

SHA512
c0e4d3eccc0135ac92051539a18f64b8b8628cfe74e5b019d4f8e1dcbb51a9b49c486a1523885fe6be53da7118c013852e753c26a5490538c1e721fd0188836c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a499254d6b5d91f97eb7a86e5f8ca573

SHA1
03dbfebfec8c94a9c06f9b0cd81ebe0a2b8be3d1

SHA256
fb87b758c2b98989df851380293ff6786cb9a5cf2b3a384cec70d9f3eb064499

SHA512
d7adcc76d0470bcd68d7644de3c8d2b6d61df8485979a4752ceea3df4d85bd1c290f72b3d8d5c8d639d5a10afa48d80e457f76b44dd8107ac97eb80fd98c7b0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
210KB

MD5
5ac828ee8e3812a5b225161caf6c61da

SHA1
86e65f22356c55c21147ce97903f5dbdf363649f

SHA256
b70465f707e42b41529b4e6d592f136d9eb307c39d040d147ad3c42842b723e7

SHA512
87472912277ae0201c2a41edc228720809b8a94599c54b06a9c509ff3b4a616fcdd10484b679fa0d436e472a8fc062f4b9cf7f4fa274dde6d10f77d378c06aa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
687134c40dea5901e19be46b5f68f14b

SHA1
94e28f264d923ef7ce2d7df10afd3248c609dc55

SHA256
f62038c4631a9db551c7d473a9d6155f5cd4d743b37963a6e5264f2b70390726

SHA512
2948bdbcd45684fe37587e027bf7b31fab78dc4d0b5426ebb3fcfdaa13b9923a0edb7e1a7d00083cf7c0c5557baa608eae775f7da5a151b1bd60704841dca05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
53dbd8f8f5bd3d12ba8966d2e88533e4

SHA1
c02f045459f91714447ae1081a4735880e06a8cf

SHA256
aff4abd6bf943574cc22e3d582f4996f22d7c5a68ac2024966cdef514de545f3

SHA512
6f179e8df44ea00de441980329959bee0d0fb3118a5f0feaa1a1863c2b5bd7ca7d374b8815a8494ac679d31d89494021864a0e2e73b5bf94c7ad795f19177c86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e56b01835b28a0d3f7c7a8a2f055ca2d

SHA1
6aeb4a0c9586b60900430181681b7af3775aa221

SHA256
29a7e10edc9d68da3db56f6eea998d331bdba10ecdd0b0aeceea745e9a7d4ca8

SHA512
1817523813fc4fca914096f15152c042a2c1b27f31430715113dc0f9820be4d303bac9d1bed7f56d776ea4b073d887ab881ded2b3af6d3ad1b309583884a713b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9a960288b651e8a7268622c9165a00ce

SHA1
219293f28f12cb2ba6840b782fa765f929213351

SHA256
963ee87f879897dc2bcaa3044803471d6d43024716fd5952be7535adb8894ade

SHA512
04a2ec338b17ad6d07ee17d18bd334b93be0ba7fdbb7260cae523ab155aba34f93acfcfcef87d8ce2d020e15a41441afe559a5e6ad978a2690fded7e34c49507

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e021101f9cbf5dc41cd9b2d2dcac58ca

SHA1
5d2fde93dd91233dbdcfd021d30539fcf4cd4bd5

SHA256
47d8f0eeaa6693420875f73f64a5cf7626d4fbcb42793e439e5499838457e8d2

SHA512
ce03651a1cdbd79bbec805630cc47a5c5a037ad3dd7e2e2453ba3413d2091f8fa6e077f93ddd2ae84cb3a44c859c694bd898cc13964b2efb633572a5a53ca17a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b5c5973320d9640c2ad4d788a135252e

SHA1
48565057bec9381952f628addac5aa302d571ed1

SHA256
246aaa8470bdeecdd6a5a62bb3bba8f08db956e08e19fab741252a964d3f568a

SHA512
f3f64428c6496fdd675f61ef4d3bf90a0117288a8b49ade51bc7c624a42f7abd2417439fe9c4ddf89374a52bc80af2367756330e6e3cbad2c4a558139a4bf2e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7715e52aa39cafca39e3a0521814326d

SHA1
50e2dce998ceb7fae95a44c0479866531568d971

SHA256
a2b5adbc235f3fea8e2a009b69f8a53482a01ea743b8bc395b5b9fea71f30cb9

SHA512
fc048ced26f68ee52d81789e4580de817dbee251cb39a2bd71fff5429767ba39c71bf0ca9c4a51efa707172e88eae20525502657483a31dff048931cc6034adb

Download Submit