hxxps://porn[.]com | Triage

Resubmissions

08/09/2024, 12:48

240908-p1slwaygrg 3

08/09/2024, 12:47

240908-p1mqmawhrp 1

08/09/2024, 12:46

240908-pzzzkaygng 3

08/09/2024, 12:46

240908-pzrcesygna 1

06/08/2024, 12:34

240806-pr9h2ayhnk 3

Analysis

max time kernel
4s
max time network
5s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 12:34

Sharing

Report Analysis Logs

General

Target

https://porn.com

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4100	msedge.exe
4100	msedge.exe
4296	msedge.exe
4296	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4296	msedge.exe
4296	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 3040	4296	msedge.exe	83
PID 4296 wrote to memory of 3040	4296	msedge.exe	83
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 3020	4296	msedge.exe	84
PID 4296 wrote to memory of 4100	4296	msedge.exe	85
PID 4296 wrote to memory of 4100	4296	msedge.exe	85
PID 4296 wrote to memory of 3396	4296	msedge.exe	86
PID 4296 wrote to memory of 3396	4296	msedge.exe	86
PID 4296 wrote to memory of 3396	4296	msedge.exe	86
PID 4296 wrote to memory of 3396	4296	msedge.exe	86
PID 4296 wrote to memory of 3396	4296	msedge.exe	86
PID 4296 wrote to memory of 3396	4296	msedge.exe	86
PID 4296 wrote to memory of 3396	4296	msedge.exe	86
PID 4296 wrote to memory of 3396	4296	msedge.exe	86
PID 4296 wrote to memory of 3396	4296	msedge.exe	86
PID 4296 wrote to memory of 3396	4296	msedge.exe	86
PID 4296 wrote to memory of 3396	4296	msedge.exe	86
PID 4296 wrote to memory of 3396	4296	msedge.exe	86
PID 4296 wrote to memory of 3396	4296	msedge.exe	86
PID 4296 wrote to memory of 3396	4296	msedge.exe	86
PID 4296 wrote to memory of 3396	4296	msedge.exe	86
PID 4296 wrote to memory of 3396	4296	msedge.exe	86
PID 4296 wrote to memory of 3396	4296	msedge.exe	86
PID 4296 wrote to memory of 3396	4296	msedge.exe	86
PID 4296 wrote to memory of 3396	4296	msedge.exe	86
PID 4296 wrote to memory of 3396	4296	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://porn.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8af5e46f8,0x7ff8af5e4708,0x7ff8af5e4718
  2⤵
  PID:3040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,2902272316432277822,4300509692967172053,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,2902272316432277822,4300509692967172053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,2902272316432277822,4300509692967172053,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
  2⤵
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2902272316432277822,4300509692967172053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2902272316432277822,4300509692967172053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1076

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
b57ce8d40b5600fcec87674db5670729

SHA1
1493c7d7837c1fbf5594b4d771d3d986e95b72fb

SHA256
0f9895371444132ab8404363e030801ba88f40da776b0eb6717bd10434359f1e

SHA512
9d65c61e29588679fdbb309c52d54a12301ad17e5b0c4a257d48b53a3f3d18ff0393579d7a49ee4b5ca9ab675206c02b815297ed9803a9f203693518f2c5660c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
f2654a4e4e101a3a2afbdb59335fed56

SHA1
c5a84187397f78a3a4028b405ab00dc40b3d8730

SHA256
89b75dfde4e3e147acec6b78f66051b32d10a1be9d6c0d37aa885c4f43808a1d

SHA512
4967bd8f3b02e1ab19fe69bfc58679d23a7e2fbc8ac68138551f6033f58b5661ce4da1512bfcca3eebf414b62aab85af232b7b231f98db5dbe8607121cec06af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4362a7554f152a161ffd4798464a3a93

SHA1
e7df665edf70b0db231e549e297071768c995609

SHA256
61bb1e9110aa86cefadb7c0f58ce484ca0c18fab96306b8c0160d8b3d798ba00

SHA512
56159b5b486eb7b523f9293ab32c02facac73587c239c1a7e3420008e70f9001cb5f780d12bfbf5b6e55b8229aa2a49655c6b21c6d935c6d3ab19efb08666daa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
92da71b9097c7a4f75958d5a270d1153

SHA1
5fb75fb2efc6bee36dcbe8765b6d799dc46fe5d9

SHA256
73adc66084ee4411b4dc984c9d6f5af31de53a5f44f8cc1361f0b771c36c24ad

SHA512
35830defd4660cd62ec2546d215f2a6d83fee1254019d35580fdbd7e8b2418ccc6a60d88d97bec0ae1db5a9663cbed8eef6c84cc46ad6a16b30259a87db4b538

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ebaa8feb6f008f223e2c76128a3e9c7e

SHA1
80bc9214af03946094959aaefccef4006be17a4b

SHA256
f3ce439bc0e21a1f79a3fd6914fc51d80c4d3ed7b2ea0b0dae02d6117d6d0bee

SHA512
c17ed0ba1a73034d2c2fbd1ad5c0d050e462857326578c761c4f020dcd6ce250518f92bd2671297678151862b410ea405b20c9b733a1c86f3fde1d2a8406c36d

Download Submit