hxxps://www[.]youdaoxxv[.]icu

Resubmissions

20-08-2024 11:43

240820-nvn6tszbre 6

20-08-2024 11:32

240820-nnf7mstbjk 6

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 11:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youdaoxxv.icu

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1868	msedge.exe
1868	msedge.exe
4620	msedge.exe
4620	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4620	msedge.exe
4620	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 1632	4620	msedge.exe	84
PID 4620 wrote to memory of 1632	4620	msedge.exe	84
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 3692	4620	msedge.exe	85
PID 4620 wrote to memory of 1868	4620	msedge.exe	86
PID 4620 wrote to memory of 1868	4620	msedge.exe	86
PID 4620 wrote to memory of 3004	4620	msedge.exe	87
PID 4620 wrote to memory of 3004	4620	msedge.exe	87
PID 4620 wrote to memory of 3004	4620	msedge.exe	87
PID 4620 wrote to memory of 3004	4620	msedge.exe	87
PID 4620 wrote to memory of 3004	4620	msedge.exe	87
PID 4620 wrote to memory of 3004	4620	msedge.exe	87
PID 4620 wrote to memory of 3004	4620	msedge.exe	87
PID 4620 wrote to memory of 3004	4620	msedge.exe	87
PID 4620 wrote to memory of 3004	4620	msedge.exe	87
PID 4620 wrote to memory of 3004	4620	msedge.exe	87
PID 4620 wrote to memory of 3004	4620	msedge.exe	87
PID 4620 wrote to memory of 3004	4620	msedge.exe	87
PID 4620 wrote to memory of 3004	4620	msedge.exe	87
PID 4620 wrote to memory of 3004	4620	msedge.exe	87
PID 4620 wrote to memory of 3004	4620	msedge.exe	87
PID 4620 wrote to memory of 3004	4620	msedge.exe	87
PID 4620 wrote to memory of 3004	4620	msedge.exe	87
PID 4620 wrote to memory of 3004	4620	msedge.exe	87
PID 4620 wrote to memory of 3004	4620	msedge.exe	87
PID 4620 wrote to memory of 3004	4620	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youdaoxxv.icu
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff51c846f8,0x7fff51c84708,0x7fff51c84718
  2⤵
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,15858674964586368367,3926951016124044965,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,15858674964586368367,3926951016124044965,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,15858674964586368367,3926951016124044965,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15858674964586368367,3926951016124044965,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15858674964586368367,3926951016124044965,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,15858674964586368367,3926951016124044965,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1848 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\67d63454-9ca6-45ee-a1bd-7f4a4caf6b9a.tmp

Filesize
348B

MD5
874a4f524ec489f81cce48b13f7f8ec0

SHA1
23b06454bde23e7f2a68e5fd16a0830965cd0c83

SHA256
821152342cfad33ed419a3976b094a65357f65723d5829139efaa521e03a204e

SHA512
aa62b027b474612f7076c2ce0f17ec6f6a5817d7cf5b1c634cc95792240a2d6398e788251fc53557b6f6f7ffd5980bcce99e2c6ce6781e90c23c7d3ff2a6564b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
cd83e98f02768a47b4dc72bd07a83ede

SHA1
e40584422ed84966b045b9fa27f3e9164a8df1fd

SHA256
aa9bef7a459e321b4c872ede2eb565879201da43443fa62267a2b6f4e5c38a14

SHA512
4796f87ed3db6efd2cd5b209b79d1bf15009cc316959de78da2089213253462dfe39ac5c1e13d7685f680050ffb436cce2c4552a187a42c197ce774f555fd16e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0a75a3644277820860a352800441314d

SHA1
69dfce6dab8bde4ee776a868ead70de3e306f2d6

SHA256
f9d81b14faa6c8c9fb3220c33cfe2589444683801c166071f212879baa9a3873

SHA512
5028e4b29e9b7b78ce400efed1bc8607d6dd6c066afe8c1705ac02174870c5f4f44673a26fa764093e8e60ad9c56d455c58cb63008a6b386d49e332940800b69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
87601ef487b9bb0a7436263baffc262e

SHA1
4a7799f5df23f130f501a5e5eaec41283e51d6a9

SHA256
ffa73dafdc2220d3908444ed09c7e5076d681b2e044e7390f3eb8dab58a2451a

SHA512
818a7caceaf229312c2910cb1c87dd31728db77ad309bf6e9516ec0c6826f5001bf5fb22eff689b1bb9a1c13f60259dbb03a4be9c118852dc2372f1aaa612baf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fd82158022fad64f3e5eed9ff2845b46

SHA1
422da3690dd8c8ca8230c64423b310ec056707a4

SHA256
8160d6ed5c552c4a7464ace083cf00836f5528cfbec02a8d9106aeca32b27d1c

SHA512
411d61eb2ca7369022faa9fa2cdd2375b6b11c109881d24933c1e51e83a35db690d4d73b427354d6062dbdfb8b6ac708e14315b40715955050d34fca0054807e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
daa4255a908386b2e07493e6626f464e

SHA1
4ffe6073269691bffe563b124c41b448e7dfc15a

SHA256
1ba68b46d7e6e2e6cfa1039fa6a9eb04bf3ad4129b0b50055d3043bc302ed5e9

SHA512
a008f9934d12af2004ca96b05fcb5791895a3b96e118793542cfcaae55f81fc2e22b96764a1c26cd30d48798c4af17b672e45dad18a5c6a1e4e8cfa0f60b8c20

Download Submit