hxxps://dticket[.]to/de

Analysis

max time kernel
23s
max time network
16s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
07-08-2024 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://dticket.to/de

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3192	msedge.exe
3192	msedge.exe
3452	msedge.exe
3452	msedge.exe
5052	msedge.exe
5052	msedge.exe
2008	identity_helper.exe
2008	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 2444	3452	msedge.exe	79
PID 3452 wrote to memory of 2444	3452	msedge.exe	79
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3504	3452	msedge.exe	81
PID 3452 wrote to memory of 3192	3452	msedge.exe	82
PID 3452 wrote to memory of 3192	3452	msedge.exe	82
PID 3452 wrote to memory of 4924	3452	msedge.exe	83
PID 3452 wrote to memory of 4924	3452	msedge.exe	83
PID 3452 wrote to memory of 4924	3452	msedge.exe	83
PID 3452 wrote to memory of 4924	3452	msedge.exe	83
PID 3452 wrote to memory of 4924	3452	msedge.exe	83
PID 3452 wrote to memory of 4924	3452	msedge.exe	83
PID 3452 wrote to memory of 4924	3452	msedge.exe	83
PID 3452 wrote to memory of 4924	3452	msedge.exe	83
PID 3452 wrote to memory of 4924	3452	msedge.exe	83
PID 3452 wrote to memory of 4924	3452	msedge.exe	83
PID 3452 wrote to memory of 4924	3452	msedge.exe	83
PID 3452 wrote to memory of 4924	3452	msedge.exe	83
PID 3452 wrote to memory of 4924	3452	msedge.exe	83
PID 3452 wrote to memory of 4924	3452	msedge.exe	83
PID 3452 wrote to memory of 4924	3452	msedge.exe	83
PID 3452 wrote to memory of 4924	3452	msedge.exe	83
PID 3452 wrote to memory of 4924	3452	msedge.exe	83
PID 3452 wrote to memory of 4924	3452	msedge.exe	83
PID 3452 wrote to memory of 4924	3452	msedge.exe	83
PID 3452 wrote to memory of 4924	3452	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://dticket.to/de
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xb8,0x10c,0x7ffff8783cb8,0x7ffff8783cc8,0x7ffff8783cd8
  2⤵
  PID:2444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,6274440976984377374,1187391363056616340,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,6274440976984377374,1187391363056616340,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,6274440976984377374,1187391363056616340,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6274440976984377374,1187391363056616340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6274440976984377374,1187391363056616340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2076,6274440976984377374,1187391363056616340,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4400 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,6274440976984377374,1187391363056616340,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6274440976984377374,1187391363056616340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6274440976984377374,1187391363056616340,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:1
  2⤵
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6274440976984377374,1187391363056616340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6274440976984377374,1187391363056616340,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:1572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9af507866fb23dace6259791c377531f

SHA1
5a5914fc48341ac112bfcd71b946fc0b2619f933

SHA256
5fb3ec65ce1e6f47694e56a07c63e3b8af9876d80387a71f1917deae690d069f

SHA512
c58c963ecd2c53f0c427f91dc41d9b2a9b766f2e04d7dae5236cb3c769d1f048e4a342ea75e4a690f3a207baa1d3add672160c1f317abfe703fd1d2216b1baf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b0177afa818e013394b36a04cb111278

SHA1
dbc5c47e7a7df24259d67edf5fbbfa1b1fae3fe5

SHA256
ffc2c53bfd37576b435309c750a5b81580a076c83019d34172f6635ff20c2a9d

SHA512
d3b9e3a0a99f191edcf33f3658abd3c88afbb12d7b14d3b421b72b74d551b64d2a13d07db94c90b85606198ee6c9e52072e1017f8c8c6144c03acf509793a9db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
21KB

MD5
56343d26888641ec6f7c08acc9b0de24

SHA1
9540040542d8aeca7672c4f46a3929a56b36ed0c

SHA256
6723343354840fbe758c4b7e43a5d46b55c92f535a2968b6e524c2347abfaa5e

SHA512
da8ff3dfda77c6147bfa915e492d8622ef8749a52186ebf45b7e27cbb2877a55895e744adc36a8c01daa3845997b03a104acc54be030dc0a9faeaccce79ceb31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
768B

MD5
b6f28743718c9586988a621f1fb2cb7f

SHA1
374171c3070b3bd86fea085bee5df6ace26f1f56

SHA256
26413279c823e37f04050dc395b6141ef424e7d97d74ed6edd0b5586cc5d39b7

SHA512
cb7e15a106183bc64489f27ff7c52fd8fe1b331915337db9ff0321124944509f2183c20da8029992f40cb971db72200b1a001f5ecf29e2968e6f9d8caccc128e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ad27e5288031126a132930649744c946

SHA1
c7cee59f30a847fd76e5e4d1457f4084c0a6a985

SHA256
c360959a27b1599fcd8fad485eeee235476dcf496782d2151af3d6cb7e88f29c

SHA512
8967bda62bc6d84360c031c2dc6b9d8041ce8195050381e463614fbb01767403885e6091ba50882792bafeddbe283232f485b2e4c62ce9a861bae98f99126935

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e42911cc78434ae1ca38a3a6747f3789

SHA1
889598be0ac69e6f391ad0de557d2864f88f5177

SHA256
73a6e240ce1e75282abbf16ced3f0bde505aa728beb2fe205227a2d6e37fb50b

SHA512
530a45eaa3798a5595050b10cbcdb1dc7c9468f5c93a275287d1430e1274fdd913767122e0550d56332287678fd8df41939702fa2120e7aac2ec51b49e9ecef3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\b738327d3eac055a84590640d8f953b6593e8b61\index.txt

Filesize
95B

MD5
c8c6f5f95f50cf64b80cce95c993708e

SHA1
e2d3eb03e4b5ab2b228de74e4508912f71d2e634

SHA256
e11849810fb28dbd7e43bbfa39a88e0e8e935288b0d8aeab1a22852d6c7f4315

SHA512
25d7e6ed5ee547821a0bb1296709e470173fa62ebee5e51c6f37fe3a6d42b570d8bbc753db59f4aa02e4647bb7faa7aaa3bb3c90beb2205eb4d88450cdcc21f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
44fa5adccc6e8d5ab721fab09c80efe8

SHA1
48d5520e07fe633b86c53c92772733191e08ef8e

SHA256
1102fc83d6aea6fb23c8618713ebf703a1f15d1e2dd79d9d72cacaa4a7b3bb05

SHA512
223160e7934276facb7e04258adb6b905277c9b805726f0a463c31f303aa51e25afc5e6dfcd6e0f3067fdf5dc2e55a92fcb3ffc4375abd3b98939c3ced12420c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f00d.TMP

Filesize
48B

MD5
c7163bfecea46bd401682cace399fa58

SHA1
3991747a10026cca9a07b9a3a846359fdbab5903

SHA256
c79193536801d630d19c9bffb7f2f4915e6889cb7f1cc7133f297c14ca6f3007

SHA512
eeeb9c1a77c3caf5aa5b016e19be01d69f571b65517f4d20c8628e7cdb7ea703e303f7b75cccc298be383a507fa7d5d9ad375f428be986d3bc33fdf8e287abab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
712ab63401415f12361bddf6913568ec

SHA1
49b92bb1fabc9396fc0846dda785bdf454da93cc

SHA256
12033cf870c0b71c1964af4412b0658f6b3f139d5072bc5a451c707448fbae6a

SHA512
2a846354bda9a504a569866f8d0cb83c456b1dca61f6aaa4a379d8f2fe506837606f1c6be91908ef23502c1e021c82d4d36b7f12d2b6d1b5c9cd0b07f76f4ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
77c9bb6e534b8cb3f7e3e8d14a23e6f5

SHA1
bcd214c9eaab7641989630ce864e09af88ac3224

SHA256
77e04c2e2caf13981d4356c2ee908fac623cd9d03f0c5064390e0457b9798dbf

SHA512
b9010bb7e9108d83c7dbfebe58eab6beb193a783be212228d32ff2be53bd73c81fc2bc23a810904ab67a4af1394f0f8c0a588043679c7b91fbaee4ca820de48f

Download Submit