Analysis

max time kernel: 145s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-08-2024 22:06
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://webmail-mazdac.pages.dev/#cm9iZXJ0LmhlbGx3ZWdAc29hdmVhdXRvLmNvbQ==
Resource: win10v2004-20240802-en

General

Target: https://webmail-mazdac.pages.dev/#cm9iZXJ0LmhlbGx3ZWdAc29hdmVhdXRvLmNvbQ==
Malware Config
Signatures

Enumerates system info in registry  (2 TTPs, 3 IoCs)
Processes: msedge.exe
  description         ioc                                                                    process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe

Suspicious behavior: EnumeratesProcesses  (10 IoCs)
Processes: msedge.exe, msedge.exe, identity_helper.exe, msedge.exe
  pid    process
  1420   msedge.exe           (2 entries)
  1912   msedge.exe           (2 entries)
  3156   identity_helper.exe  (2 entries)
  2428   msedge.exe           (4 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary  (6 IoCs)
Processes: msedge.exe
  pid    process
  1912   msedge.exe  (6 identical entries)

Suspicious use of FindShellTrayWindow  (25 IoCs)
Processes: msedge.exe
  pid    process
  1912   msedge.exe  (25 identical entries)

Suspicious use of SendNotifyMessage  (24 IoCs)
Processes: msedge.exe
  pid    process
  1912   msedge.exe  (24 identical entries)

Suspicious use of WriteProcessMemory  (64 IoCs)
Processes: msedge.exe
  description                        pid    process     target process
  PID 1912 wrote to memory of 3120   1912   msedge.exe  msedge.exe      (2 entries)
  PID 1912 wrote to memory of 1752   1912   msedge.exe  msedge.exe      (40 entries)
  PID 1912 wrote to memory of 1420   1912   msedge.exe  msedge.exe      (2 entries)
  PID 1912 wrote to memory of 1844   1912   msedge.exe  msedge.exe      (20 entries)
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 1, PID 1912)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://webmail-mazdac.pages.dev/#cm9iZXJ0LmhlbGx3ZWdAc29hdmVhdXRvLmNvbQ==
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 2, PID 3120)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff97c7046f8,0x7ff97c704708,0x7ff97c704718

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 2, PID 1752)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,4127676842845959779,5383447216701854135,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 2, PID 1420)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,4127676842845959779,5383447216701854135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 2, PID 1844)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,4127676842845959779,5383447216701854135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 2, PID 208)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4127676842845959779,5383447216701854135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 2, PID 112)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4127676842845959779,5383447216701854135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (depth 2, PID 1660)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,4127676842845959779,5383447216701854135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (depth 2, PID 3156)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,4127676842845959779,5383447216701854135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 2, PID 2220)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4127676842845959779,5383447216701854135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 2, PID 2288)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4127676842845959779,5383447216701854135,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 2, PID 4048)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4127676842845959779,5383447216701854135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 2, PID 2280)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4127676842845959779,5383447216701854135,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 2, PID 2428)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,4127676842845959779,5383447216701854135,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 /prefetch:2
    Signatures:
    - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe  (depth 1, PID 3296)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  (depth 1, PID 728)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 893B
MD5: d4ae187b4574036c2d76b6df8a8c1a30
SHA1: b06f409fa14bab33cbaf4a37811b8740b624d9e5
SHA256: a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7
SHA512: 1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

Filesize: 152B
MD5: ab8ce148cb7d44f709fb1c460d03e1b0
SHA1: 44d15744015155f3e74580c93317e12d2cc0f859
SHA256: 014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff
SHA512: f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Filesize: 152B
MD5: 38f59a47b777f2fc52088e96ffb2baaf
SHA1: 267224482588b41a96d813f6d9e9d924867062db
SHA256: 13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b
SHA512: 4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Path: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 120B
MD5: 15fe49920c8f71ada1200288d1844a93
SHA1: 75613860030133d48c50e9a53a78fb05cd343d78
SHA256: bd35e49bd8eecd38d5506d56f46039a9ced69b1b21e3d0ec1fb598a602007551
SHA512: c300ebe7ff262147252129f27403300d2d047d4a4f2fc9ef8511e1f3a6cc160b9da86c3a1f23b00f33a20330b90c26178c7ede92cbd40696751e149f7dd931c2

Filesize: 1KB
MD5: 6da842f5f19a919012f69e8bed9dd31c
SHA1: 306e31826adbb6013a445144f510b7007fe12c23
SHA256: 37ae28d8bd77768d3f4fab1167ad46196635ead56eb53b119258a30596d96888
SHA512: e3a32aeb9ecda73206f657b894aa2538073424915c59c5d3afdc08ec3f7f6f8ba4d332bc21bfc0dcc416c451460169fe745ff4cd81f4bb9d7b252e721c62c68d

Filesize: 5KB
MD5: b3e204dfd4b3737b7a4c6733fd483199
SHA1: d0a3c4c736d96837bf7088b9bce02215d1d2a3cc
SHA256: ac2af289d56991431a6a10094e28745214ce2f95240c06285e6049cc111d8086
SHA512: a30318e9fbaf76908be0ea9996f32a442a9a429513ec3049f86ae6179fece14143c4eae348b1e7cc02f228670746faf85c2b456ef34c366b0c128c0bbcf3f7d6

Filesize: 6KB
MD5: ae0d5bf3aaf639eb344a2e84bd5eed5d
SHA1: 05912407abbe3205092d1cf8411a995c7d93e125
SHA256: f329d098f41b5dd1d6004118f359b3b7b48927b21535dcb6cce02ebef12a792e
SHA512: eba66e4871f255ec1a57e84504398f79d50d6e9237347a7703a96dbac2a5bb15fc01d7194a823fa231bc02bae1abbd3e3df38882f0862e50e8c9f58141b4fc6d

Filesize: 6KB
MD5: addde78f776f81c83ced98c8e2b60fc2
SHA1: 50ed0bb87259860d1826c32a207b742e4d5fb0a5
SHA256: 8d29c87369de35c40521ad5c7e51ce94a50e96be2cb0e976eb7fa5e1ee94112c
SHA512: 03aa890de4c28ac076b68349ecc147e3243380d5db354344612fd4aaad820473b2d033bad1984ea5c051071c04d89349e9606dcc77ef625da3d481afa4bd2669

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 11KB
MD5: f35f2c4a6507db4e94fcea76cc7fe98b
SHA1: 992d72032c92da58d2f6ad4a107b2181a3e174be
SHA256: a3f87e0f51f1f18b12a7ed2b805e02f3511fb17ad3d39616c2945404baec08e7
SHA512: 74fbebc22c108718542b41c8f61cff30075365692ff75f57822af3f9c3170fcec4cd9a75e0756d1e696e1dd755c59ff9aab694af570f69e99304aad55084dfb3

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e