hxxps://refundeft[.]life

Analysis

max time kernel
149s
max time network
154s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
20/08/2024, 01:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://refundeft.life

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
788	msedge.exe
788	msedge.exe
3420	msedge.exe
3420	msedge.exe
2780	msedge.exe
2780	msedge.exe
3792	identity_helper.exe
3792	identity_helper.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 3048	3420	msedge.exe	79
PID 3420 wrote to memory of 3048	3420	msedge.exe	79
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 3728	3420	msedge.exe	80
PID 3420 wrote to memory of 788	3420	msedge.exe	81
PID 3420 wrote to memory of 788	3420	msedge.exe	81
PID 3420 wrote to memory of 4716	3420	msedge.exe	82
PID 3420 wrote to memory of 4716	3420	msedge.exe	82
PID 3420 wrote to memory of 4716	3420	msedge.exe	82
PID 3420 wrote to memory of 4716	3420	msedge.exe	82
PID 3420 wrote to memory of 4716	3420	msedge.exe	82
PID 3420 wrote to memory of 4716	3420	msedge.exe	82
PID 3420 wrote to memory of 4716	3420	msedge.exe	82
PID 3420 wrote to memory of 4716	3420	msedge.exe	82
PID 3420 wrote to memory of 4716	3420	msedge.exe	82
PID 3420 wrote to memory of 4716	3420	msedge.exe	82
PID 3420 wrote to memory of 4716	3420	msedge.exe	82
PID 3420 wrote to memory of 4716	3420	msedge.exe	82
PID 3420 wrote to memory of 4716	3420	msedge.exe	82
PID 3420 wrote to memory of 4716	3420	msedge.exe	82
PID 3420 wrote to memory of 4716	3420	msedge.exe	82
PID 3420 wrote to memory of 4716	3420	msedge.exe	82
PID 3420 wrote to memory of 4716	3420	msedge.exe	82
PID 3420 wrote to memory of 4716	3420	msedge.exe	82
PID 3420 wrote to memory of 4716	3420	msedge.exe	82
PID 3420 wrote to memory of 4716	3420	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://refundeft.life
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe42c73cb8,0x7ffe42c73cc8,0x7ffe42c73cd8
  2⤵
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1728,9942748877183986266,149613263351277719,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:3728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1728,9942748877183986266,149613263351277719,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1728,9942748877183986266,149613263351277719,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
  2⤵
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,9942748877183986266,149613263351277719,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,9942748877183986266,149613263351277719,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,9942748877183986266,149613263351277719,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
  2⤵
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,9942748877183986266,149613263351277719,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,9942748877183986266,149613263351277719,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,9942748877183986266,149613263351277719,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1728,9942748877183986266,149613263351277719,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1728,9942748877183986266,149613263351277719,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5884 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1728,9942748877183986266,149613263351277719,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2436 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b4ae6009e2df12ce252d03722e8f4288

SHA1
44de96f65d69cbae416767040f887f68f8035928

SHA256
7778069a1493fdb62e6326ba673f03d9a8f46bc0eea949aabbbbc00dcdaddf9d

SHA512
bb810721e52c77793993470692bb2aab0466f13ed4576e4f4cfa6bc5fcfc59c13552299feb6dfd9642ea07b19a5513d90d0698d09ca1d15e0598133929c05fe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4bf4b59c3deb1688a480f8e56aab059d

SHA1
612c83e7027b3bfb0e9d2c9efad43c5318e731bb

SHA256
867ab488aa793057395e9c10f237603cfb180689298871cdf0511132f9628c82

SHA512
2ec6c89f9653f810e9f80f532abaff2a3c0276f6d299dce1b1eadf6a59e8072ed601a4f9835db25d4d2610482a00dd5a0852d0ef828678f5c5ed33fe64dddca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
39871047aa5baefc1221fe90594bb5f9

SHA1
92e7c9fcedb4e23f37ddb7c91a2926eca32aee36

SHA256
e5ed4c6ef835a5b751a02ec4f1cfe3ffdfaf1cc38201d9acc1f879092df2634f

SHA512
6561e1b7265ae341cc348ddca68a0d7598273563093d30d08de8aaa28c64d1fc9a6bd57485ea0c63b7b9197c869ccc3ea6b69c642ba9354ba2b475bd3494b619

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
471B

MD5
bfd82e700fc0af313f69ad2e67d491df

SHA1
9445d5f28234ae8298122447ff6fb56d5f9e8344

SHA256
101239484d68a6e664f96e4b88867cc446ec881184ed1eef9e67b83f59e9f4b9

SHA512
89bb51b524d79c62ce62903b19ff7f86467e72aaba6cd675a386f319c787addc77281e568aa7a514b5188ddb4a2824bf6240d00d90c360b6fba680446a2b6cf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0f4f7a7da8f49eb49efb17f143a5d8f2

SHA1
232f5868af4f7d6f45cc0f6a16f84cdbfa94f42c

SHA256
8073b1b286a2dd784c9b6b2acf19b256a2b8adf517a6a54bd2550552056f39d6

SHA512
6827ac747421850f70cd1e0ca506d0a4226b7f2429652ba36950b6c29819207a35a2e03b6d80bde54598c137cb23f32e1db957efab4b9d1de7681e606dfe79c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1a4f385bb8631ff668af6eba1f6af129

SHA1
e10f318a141aa73cdb7ad05cd7b61977ec081ba7

SHA256
9e2b119e5a4c39524b35766dbe885b62c4b8116636342c387b4ad39bdf552fa5

SHA512
041301bb0ed6b278639a7d29541660b9edffc7046360eee3fae999ccb46acbf0944cc10047f135b6d864f9a7ed5dd770fda45f9bce0d6b736d0b727dca8fbfe2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
48abfdb3d9a94c04ceeb3b5b5633937e

SHA1
581a5c294f96ad98694eca76180110da8e5f68bc

SHA256
22c421d48036100231666414aa98634bd4868b90e16fa38ade13bb9c8b6056f8

SHA512
e2c14479f210e0ce8e9f87c4ead3b5dfe26c1abf11a623ee822483ac1d22ffff29f3466b7df927dea31cf6781b22aaed9548b2d02f08a534515c60b2fb5ec46a

Download Submit