hxxp://tinyurl[.]com/bloxnice

Resubmissions

02/08/2024, 11:10

240802-m9z17szhlf 3

02/08/2024, 11:07

240802-m8apxswbjr 3

Analysis

max time kernel
145s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://tinyurl.com/bloxnice

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2588	msedge.exe
2588	msedge.exe
380	msedge.exe
380	msedge.exe
636	identity_helper.exe
636	identity_helper.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 380 wrote to memory of 3716	380	msedge.exe	83
PID 380 wrote to memory of 3716	380	msedge.exe	83
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 1772	380	msedge.exe	84
PID 380 wrote to memory of 2588	380	msedge.exe	85
PID 380 wrote to memory of 2588	380	msedge.exe	85
PID 380 wrote to memory of 4000	380	msedge.exe	86
PID 380 wrote to memory of 4000	380	msedge.exe	86
PID 380 wrote to memory of 4000	380	msedge.exe	86
PID 380 wrote to memory of 4000	380	msedge.exe	86
PID 380 wrote to memory of 4000	380	msedge.exe	86
PID 380 wrote to memory of 4000	380	msedge.exe	86
PID 380 wrote to memory of 4000	380	msedge.exe	86
PID 380 wrote to memory of 4000	380	msedge.exe	86
PID 380 wrote to memory of 4000	380	msedge.exe	86
PID 380 wrote to memory of 4000	380	msedge.exe	86
PID 380 wrote to memory of 4000	380	msedge.exe	86
PID 380 wrote to memory of 4000	380	msedge.exe	86
PID 380 wrote to memory of 4000	380	msedge.exe	86
PID 380 wrote to memory of 4000	380	msedge.exe	86
PID 380 wrote to memory of 4000	380	msedge.exe	86
PID 380 wrote to memory of 4000	380	msedge.exe	86
PID 380 wrote to memory of 4000	380	msedge.exe	86
PID 380 wrote to memory of 4000	380	msedge.exe	86
PID 380 wrote to memory of 4000	380	msedge.exe	86
PID 380 wrote to memory of 4000	380	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://tinyurl.com/bloxnice
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd27146f8,0x7ffcd2714708,0x7ffcd2714718
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,645736919811280994,1774978443028383501,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,645736919811280994,1774978443028383501,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,645736919811280994,1774978443028383501,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,645736919811280994,1774978443028383501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,645736919811280994,1774978443028383501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,645736919811280994,1774978443028383501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:2520
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,645736919811280994,1774978443028383501,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3632 /prefetch:8
  2⤵
  PID:3268
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,645736919811280994,1774978443028383501,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3632 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,645736919811280994,1774978443028383501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,645736919811280994,1774978443028383501,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:2452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,645736919811280994,1774978443028383501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
  2⤵
  PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,645736919811280994,1774978443028383501,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,645736919811280994,1774978443028383501,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1120 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2140

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
94eddc8c760c6582645d582b4f107cca

SHA1
01860648fbebb62eadd53d3bc58471df3b8d211e

SHA256
710d6dcbe48115aecea88b0a8c0124f5ae5f30225e59dde1bdfcc4574b5e5933

SHA512
1cf9e561257755bbf563df4f348bba14ffbce2faa7cfb96738dd2aa4b166d1ddfee114578f8b84b4d7c59f3d18cadd9ebc5b45557116bf68c2eda0867d9e5484

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
71a22f9fe81453c6c788bfe09ab8fe0c

SHA1
f4ee9368e5795c5b3f9470e0434358170e7646b6

SHA256
ca6f5b89e7361282ace0d96bba28c2a4434ccecfd0a97d925e9bc61524efd908

SHA512
a36d9a0c814d4293ae70a62a76e8a98e712ad91674a26cb3d8ffd300e22a6cba134e501b4a7e742229a66005db3b508aa821abcab1347b05457f06c712a1d724

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
70a2a8b3368d68ec80174fab4b6c4a46

SHA1
c936252fedaf77a65729274dc1aea9427ad2e60f

SHA256
007d9bc75b522e0974892fe54ba15dbb4f6bf5c1681882ec91e45de9b77b93c5

SHA512
dd4480d7a04a85021718528f4791c7d5edfb098f34b184ab5c118c6fd6f882b81f13df5ddf70ac3591facc27bce86599a71c1db2385c9e3dd9f59da517cb2f77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
e57231567bbd55cc8da76693f450645f

SHA1
21d6bb9d0c666a7e2b298f91257a29e1cfa9de84

SHA256
809b496d55a32882abcc04435d853cb6e99e211a3c6ff178c6e98c4bdac206ac

SHA512
067e6ab0acdce6d39f6ed63b320650090689d62c1c35256fb7f305662fb24d93fdefceb28f3b83c9b0b0c47e6ce406fe139bb9064d38366d252ebf4b318b534f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4471f1b4896f2e4265441a05f31f9c71

SHA1
94cdd7aba50a7c1d6b808f34c5b3eac22e3c21f5

SHA256
6b194fb0079345d482cd44105e0806b03c83b0d7b118b6f3674dbef936d0233c

SHA512
6c5ee6822dc49b63ad518ff870b1cd6b622191d7569ba6b6e4f1a3872b083f8b846dc1a5b386bfc6ac65165c54da171503bee1458032647f7f21221e78c655ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9c94c0398db00867452a9dcf078db82d

SHA1
c659fb3aa8c3e1561c594c4d4c3b121b59f966b5

SHA256
403877d2471082ddaefaaef5dbe23b722337d1f685192627d8494d9e734a2bf9

SHA512
69b20421a501475d1c9010e93e5970eb5db0a697bd1185123a99bc03d0d564c077b76af8ee83a3fa72218d50a8e46f2696ca3ed7f33c78fa9a1ceb32c93621c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
39b6536426bfbc7182a721c8f153667c

SHA1
b802bd497b3145eec73c1950c17de6eb47383f75

SHA256
3db699d27f4eed596bab7f5bec31435a9d327b99129c5f62eb34bdd19b2337f6

SHA512
39c73c6ff5807227aa5730bc444be45210da3ccd71e56cc4f9c9dc9e12847b22601dcba02052c7cc701fe9b26131053f8f7e190641356f16d279d54cf6df35ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit