Analysis
max time kernel: 145s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-08-2024 19:20
Static task: static1
URLScan task: urlscan1
Malware Config
Signatures
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
102   jsonip.com
103   jsonip.com
104   ipapi.co
105   ipapi.co
Enumerates system info in registry 2 TTPs 3 IoCs
description        ioc                                                                   Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid   Process              entries
2836  msedge.exe           2
4304  msedge.exe           2
2228  identity_helper.exe  2
1576  msedge.exe           4
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
pid   Process     entries
4304  msedge.exe  8 (all entries identical)
Suspicious use of FindShellTrayWindow 25 IoCs
pid   Process     entries
4304  msedge.exe  25 (all entries identical)
Suspicious use of SendNotifyMessage 24 IoCs
pid   Process     entries
4304  msedge.exe  24 (all entries identical)
Suspicious use of WriteProcessMemory 64 IoCs
description                       pid   Process     procid_target
PID 4304 wrote to memory of 2584  4304  msedge.exe  84
PID 4304 wrote to memory of 3192  4304  msedge.exe  85
PID 4304 wrote to memory of 2836  4304  msedge.exe  86
PID 4304 wrote to memory of 3224  4304  msedge.exe  87
(all 64 entries are repeats of these four rows; duplicate rows collapsed)
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://nev.malventor.com/1Zew/
    PID: 4304
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff914d546f8,0x7ff914d54708,0x7ff914d54718
        PID: 2584

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,6093112422767352378,14372978882745359384,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
        PID: 3192

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,6093112422767352378,14372978882745359384,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2468 /prefetch:3
        PID: 2836
        - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,6093112422767352378,14372978882745359384,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
        PID: 3224

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6093112422767352378,14372978882745359384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
        PID: 3276

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6093112422767352378,14372978882745359384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
        PID: 4732

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6093112422767352378,14372978882745359384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
        PID: 2396

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6093112422767352378,14372978882745359384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
        PID: 4004

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,6093112422767352378,14372978882745359384,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4052 /prefetch:8
        PID: 2092

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,6093112422767352378,14372978882745359384,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4052 /prefetch:8
        PID: 2228
        - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6093112422767352378,14372978882745359384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
        PID: 2732

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6093112422767352378,14372978882745359384,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
        PID: 3272

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6093112422767352378,14372978882745359384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
        PID: 4804

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6093112422767352378,14372978882745359384,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
        PID: 4664

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,6093112422767352378,14372978882745359384,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4820 /prefetch:2
        PID: 1576
        - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 724

C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 1692
Network
MITRE ATT&CK Enterprise v15
Downloads