Analysis
max time kernel: 27s
max time network: 30s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 01/09/2024, 14:56
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://filebin.net/a36oiaw6dro9e2w5
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: https://filebin.net/a36oiaw6dro9e2w5
  Resource: win10-20240404-en
Behavioral task: behavioral3
  Sample: https://filebin.net/a36oiaw6dro9e2w5
  Resource: win10v2004-20240802-en
Behavioral task: behavioral4
  Sample: https://filebin.net/a36oiaw6dro9e2w5
  Resource: win11-20240802-en
General
Target: https://filebin.net/a36oiaw6dro9e2w5

Malware Config

Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
description       | ioc                                                                   | Process
Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  | msedge.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid  | Process
2176 | msedge.exe
2176 | msedge.exe
3040 | msedge.exe
3040 | msedge.exe
3916 | msedge.exe
3916 | msedge.exe
4244 | identity_helper.exe
4244 | identity_helper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
pid  | Process
3040 | msedge.exe  (7 identical entries)
Suspicious use of FindShellTrayWindow (64 IoCs)
pid  | Process
3040 | msedge.exe  (64 identical entries)
Suspicious use of SendNotifyMessage (12 IoCs)
pid  | Process
3040 | msedge.exe  (12 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
description                      | pid  | Process    | procid_target
PID 3040 wrote to memory of 4436 | 3040 | msedge.exe | 81  (2 entries)
PID 3040 wrote to memory of 2708 | 3040 | msedge.exe | 82  (repeated entries)
PID 3040 wrote to memory of 2176 | 3040 | msedge.exe | 83  (2 entries)
PID 3040 wrote to memory of 3256 | 3040 | msedge.exe | 84  (repeated entries)
The report lists 64 entries in total; the 2708 and 3256 rows account for the remaining 60, in that order.
Processes
Indented entries are child processes of the entry above them.

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://filebin.net/a36oiaw6dro9e2w5
PID: 3040
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb03e23cb8,0x7ffb03e23cc8,0x7ffb03e23cd8
    PID: 4436

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,10776382752752411721,17028470584608402791,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1852 /prefetch:2
    PID: 2708

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1844,10776382752752411721,17028470584608402791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
    PID: 2176
    - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1844,10776382752752411721,17028470584608402791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
    PID: 3256

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,10776382752752411721,17028470584608402791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2984 /prefetch:1
    PID: 2960

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,10776382752752411721,17028470584608402791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
    PID: 336

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1844,10776382752752411721,17028470584608402791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4060 /prefetch:8
    PID: 3916
    - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1844,10776382752752411721,17028470584608402791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
    PID: 4244
    - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,10776382752752411721,17028470584608402791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
    PID: 2596

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,10776382752752411721,17028470584608402791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
    PID: 4388

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,10776382752752411721,17028470584608402791,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
    PID: 3956

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,10776382752752411721,17028470584608402791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
    PID: 240

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,10776382752752411721,17028470584608402791,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
    PID: 2380

C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 2764

C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 652
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
MD5: 70e969d4a2b40aef8eb0736379c0bcfb
SHA1: 608c4fdf0e6b820eed23b793884e11210b32be58
SHA256: 82e6cd647225c2781d32207ca56e1bf5e85dddabdfdf67a469c6e8910062975c
SHA512: e38f13e75d7a74400b1c21be8c5d8045c366078c4bfd7a25de86a872a22db8b383484c4f044d433f557ba3f181670398eeb7322fb6946a3bfff03875576b596d

Filesize: 152B
MD5: fc36221d3cc9a4657faeb51e3ea7023a
SHA1: 22e3f8e68b2dd3992d544f8ca57c48c6878f77f9
SHA256: f393d5cc1a1b59d1bf0f19ade21515652b60bdea4b2d11780b904eb90fdd7b4b
SHA512: 1d831b911b8e6970f3c829d7aed3c7d0faeb3f986fa029c8db8e2b2ced40898ad96b26311e620300ecd6d5a71f444582052b9ae11c4231224010096105bdb117

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 144B
MD5: 8d1dbe6519d666c61e0f3c11a4881b07
SHA1: ea329699cb773eafabb6b192f64a0908fbbb9502
SHA256: 6f51f4fb7c8153716f59d6815f1d7e2e362c6774ce5de371384b3dcd6c4009b4
SHA512: 6f7546cda1bb0581f13aa03b3ad3aa58564a9141c4c58b347a6f9a6ecef822c904b34ccf976565a223276bb2c7f1ef1ef886ce0c695d3dbefde51d42b5af323f

Filesize: 5KB
MD5: a28fa9db9cd95d20033946447e886b40
SHA1: dba9c20e316723fee1bd39ea1d0480950cec170d
SHA256: 343e1cb381176b14c2e401efcaccbaaf300c93baf4dbab0614fc0d642c60ba0c
SHA512: 7ed430cadc886f842bc41a59907d4e0a5391c39109072fcaf8efb83cf6213a69f0f1567a5003f29664577e469f5d9637bd034f257dae01417c7f704e7d8cdfaa

Filesize: 5KB
MD5: ec499eddcf45da5217b2498a9e7b54a5
SHA1: b17974a759e361ba4bab1b1a3fdda33c1a24cea3
SHA256: 7348e2603912d7571574c487cfac41e8e1274d9f17ace2148b5682b8f630b005
SHA512: a502378874f5c53aed724fbdfb6d74f2c6dfcc9fee61be48b1eeb9cb59a134ad68efd17ee3e9dc22d6ca2bd70bcccaa98d66f6c720e93afb502eddc504888fda

Filesize: 25KB
MD5: 8c0d6616af07f61a695d23555f03afb5
SHA1: 4d920d7f35be99217c86ea4dc2396a55e960a537
SHA256: ecc17c289b6a0f4fe10cae7e9eed2413279d3d4354d82fcc9bc672b7bd7493aa
SHA512: f903fe7977d14cc2d021bbf54f103421d0500cbf7b7f3cfd4ba93ae56af294307ec1b7d82c93d1fb530bb132ef4d009aa244ce2a60c23d7748b5ca08e4c7a2d0

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 10KB
MD5: 2ea7ee16e1e9518423195c7cf10e53aa
SHA1: c62e7168f93bb00481f9f645635488c6b7ce400a
SHA256: 37bc4ed61301e4d7dc23dd08c2653328f9fc1a492ddcb1262a281379049d1b74
SHA512: c871842649bafeedd70ca957803b728e36b007ae39125bd255fe0d9ba38a2b87ea62c949c2106cd8c19c65933616cb789a1c68ca42352cf2c7996ecef18500f4

Filesize: 10KB
MD5: 683db786d7f64e2922392d458de7dd39
SHA1: 49f94b98e0b2c734870b175b394104d18cefcc5f
SHA256: a177a2cc551f21581a6643c680a1a61c2e9ebdd1d7346ffe82354646430d0dd2
SHA512: 186e36f9965a63351f13cfbe75ecce8086196d089c0a56fe420d8f603e29ad77ada497565acd4e23a62812191639dae89ce031a7689de8f95227ccc3bb54bf21