hxxps://bot-hosting[.]net/?aff=1247568528509501493

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bot-hosting.net/?aff=1247568528509501493

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2116	msedge.exe
2116	msedge.exe
2964	msedge.exe
2964	msedge.exe
2376	identity_helper.exe
2376	identity_helper.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 404	2964	msedge.exe	83
PID 2964 wrote to memory of 404	2964	msedge.exe	83
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 4640	2964	msedge.exe	84
PID 2964 wrote to memory of 2116	2964	msedge.exe	85
PID 2964 wrote to memory of 2116	2964	msedge.exe	85
PID 2964 wrote to memory of 2284	2964	msedge.exe	86
PID 2964 wrote to memory of 2284	2964	msedge.exe	86
PID 2964 wrote to memory of 2284	2964	msedge.exe	86
PID 2964 wrote to memory of 2284	2964	msedge.exe	86
PID 2964 wrote to memory of 2284	2964	msedge.exe	86
PID 2964 wrote to memory of 2284	2964	msedge.exe	86
PID 2964 wrote to memory of 2284	2964	msedge.exe	86
PID 2964 wrote to memory of 2284	2964	msedge.exe	86
PID 2964 wrote to memory of 2284	2964	msedge.exe	86
PID 2964 wrote to memory of 2284	2964	msedge.exe	86
PID 2964 wrote to memory of 2284	2964	msedge.exe	86
PID 2964 wrote to memory of 2284	2964	msedge.exe	86
PID 2964 wrote to memory of 2284	2964	msedge.exe	86
PID 2964 wrote to memory of 2284	2964	msedge.exe	86
PID 2964 wrote to memory of 2284	2964	msedge.exe	86
PID 2964 wrote to memory of 2284	2964	msedge.exe	86
PID 2964 wrote to memory of 2284	2964	msedge.exe	86
PID 2964 wrote to memory of 2284	2964	msedge.exe	86
PID 2964 wrote to memory of 2284	2964	msedge.exe	86
PID 2964 wrote to memory of 2284	2964	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bot-hosting.net/?aff=1247568528509501493
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcfe1346f8,0x7ffcfe134708,0x7ffcfe134718
  2⤵
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,14590098225883261096,7199478987335488184,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,14590098225883261096,7199478987335488184,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,14590098225883261096,7199478987335488184,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
  2⤵
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14590098225883261096,7199478987335488184,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14590098225883261096,7199478987335488184,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,14590098225883261096,7199478987335488184,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,14590098225883261096,7199478987335488184,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14590098225883261096,7199478987335488184,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14590098225883261096,7199478987335488184,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:3804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14590098225883261096,7199478987335488184,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14590098225883261096,7199478987335488184,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,14590098225883261096,7199478987335488184,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5048

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
4171cef4a995ef53aba80a9d64f82d8d

SHA1
e711841fcca9a03bd80b742a61d58d1ea2435ae4

SHA256
ffcd188320efae0302839f4195a4fe5c3d7e8741f1e28c68edd83a9e8ec8f521

SHA512
6b6fdef9c2b613e6b5bac088d9265335e3d9d340e9961c72d25764efcf0f389581c31245bb8099b42513df3cbcec16f445c44a6c1ca4a3894272b47ae9b97e0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
814B

MD5
3f95c5f41e147a67c1129f25fdd3a69c

SHA1
7566781965d205e181dbe6374c645e763e41e6fe

SHA256
583d7fde082a28ddc7aea669f7dcb4ce50441980f8ccb8a16de9d557638e2995

SHA512
d09c30b1c11eb23f94515e1347370d51e7f35055867920cfda5bc7d03f7ed7d1cefc525988dfe5316c09487cd96b7211d5d1d4c8d8fa129067707f428d3d295a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
629b2781c2a44e2ee04a071f82f2a567

SHA1
788936ddcc533658a0d726af5e45a3adee7aa174

SHA256
0a6400512271e4733396ee4e337f055f17d290bfd29998baf542e9061b196caa

SHA512
f52d2ab9b7486004fe106a29e744f176b18157575f7b5f49d25d8699bb8eda425c9917d3f11849044c0893eda614eeb8e9c0a992020d4df1f9c583292b71a6b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
af0b4e367afde634684f0ab6c8e4546b

SHA1
15b87466957edbc798c3afdf0166ee244d191232

SHA256
b77c65e8377ff991b86d92d3d1e2953d91cd81030ffd002b403f1e32bb49c17d

SHA512
ccb01aee3b1b35b4caa87f88e6802691845bb8283d8522ebdcbb0c845892941463008d6979e9c29f52cb6cb8c51b5b07bfabda0436e3adb79a0a184e4b1919e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
eb86e910b9c288817b6dffc71473c8e0

SHA1
71c79d3645ec17a1a311ffab3182a4b255f7e0a7

SHA256
943f2896676292a17ba7147e1d0f8cc71a5d208d7924cf8d1e65d1012333a9ed

SHA512
0bb3577fc574bb2bf6003f95d1a555530f27a11112eeb40272f111fac5fb6edf3ffc2754eee7c4212e737869884e74c8edd6e3f1b9ed2d0438706721d0145bfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
906cb118da2a24939fb0eff78cb06f51

SHA1
c58182d3fd4f4ef55a69c902dc322068c897cdb9

SHA256
16dc5b3138ef42654709f97b01945a6a8d901e597f7037128ecd1e125e75187d

SHA512
d5d604a8754659608804d98e317a1491cebd0b69acea5e23804cbfac611a51a2d09e14710b73b52187898d2c7c8867e65f922edc6dfdf145d0ae27ae6539117a

Download Submit