hxxp://normalnastrona[.]rf[.]gd

Resubmissions

03/09/2024, 15:57

240903-td5p5ssaqc 8

03/09/2024, 15:55

03/09/2024, 15:54

03/09/2024, 15:53

03/09/2024, 15:53

03/09/2024, 15:50

03/09/2024, 15:45

Analysis

max time kernel
146s
max time network
145s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
03/09/2024, 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://normalnastrona.rf.gd

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4672	msedge.exe
4672	msedge.exe
824	msedge.exe
824	msedge.exe
5104	identity_helper.exe
5104	identity_helper.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 4496	824	msedge.exe	80
PID 824 wrote to memory of 4496	824	msedge.exe	80
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 1784	824	msedge.exe	81
PID 824 wrote to memory of 4672	824	msedge.exe	82
PID 824 wrote to memory of 4672	824	msedge.exe	82
PID 824 wrote to memory of 4004	824	msedge.exe	83
PID 824 wrote to memory of 4004	824	msedge.exe	83
PID 824 wrote to memory of 4004	824	msedge.exe	83
PID 824 wrote to memory of 4004	824	msedge.exe	83
PID 824 wrote to memory of 4004	824	msedge.exe	83
PID 824 wrote to memory of 4004	824	msedge.exe	83
PID 824 wrote to memory of 4004	824	msedge.exe	83
PID 824 wrote to memory of 4004	824	msedge.exe	83
PID 824 wrote to memory of 4004	824	msedge.exe	83
PID 824 wrote to memory of 4004	824	msedge.exe	83
PID 824 wrote to memory of 4004	824	msedge.exe	83
PID 824 wrote to memory of 4004	824	msedge.exe	83
PID 824 wrote to memory of 4004	824	msedge.exe	83
PID 824 wrote to memory of 4004	824	msedge.exe	83
PID 824 wrote to memory of 4004	824	msedge.exe	83
PID 824 wrote to memory of 4004	824	msedge.exe	83
PID 824 wrote to memory of 4004	824	msedge.exe	83
PID 824 wrote to memory of 4004	824	msedge.exe	83
PID 824 wrote to memory of 4004	824	msedge.exe	83
PID 824 wrote to memory of 4004	824	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://normalnastrona.rf.gd
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff15823cb8,0x7fff15823cc8,0x7fff15823cd8
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,4173205977896348933,6322406794577907476,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1868 /prefetch:2
  2⤵
  PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1844,4173205977896348933,6322406794577907476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1844,4173205977896348933,6322406794577907476,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:8
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,4173205977896348933,6322406794577907476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:2672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,4173205977896348933,6322406794577907476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,4173205977896348933,6322406794577907476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,4173205977896348933,6322406794577907476,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
  2⤵
  PID:488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,4173205977896348933,6322406794577907476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,4173205977896348933,6322406794577907476,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1844,4173205977896348933,6322406794577907476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8
  2⤵
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1844,4173205977896348933,6322406794577907476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1844,4173205977896348933,6322406794577907476,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4584 /prefetch:8
  2⤵
  PID:2644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,4173205977896348933,6322406794577907476,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1680 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3468

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004CC
1⤵
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0487ced0fdfd8d7a8e717211fcd7d709

SHA1
598605311b8ef24b0a2ba2ccfedeecabe7fec901

SHA256
76693c580fd4aadce2419a1b80795bb4ff78d70c1fd4330e777e04159023f571

SHA512
16e1c6e9373b6d5155310f64bb71979601852f18ee3081385c17ffb943ab078ce27cd665fb8d6f3bcc6b98c8325b33403571449fad044e22aa50a3bf52366993

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5578283903c07cc737a43625e2cbb093

SHA1
f438ad2bef7125e928fcde43082a20457f5df159

SHA256
7268c7d8375d50096fd5f773a0685ac724c6c2aece7dc273c7eb96b28e2935b2

SHA512
3b29531c0bcc70bfc0b1af147fe64ce0a7c4d3cbadd2dbc58d8937a8291daae320206deb0eb2046c3ffad27e01af5aceca4708539389da102bff4680afaa1601

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
2aefa117aca302290f7d796ff80f1257

SHA1
f1c1654dd14072387a350da7aec2fefbf24becc1

SHA256
9c82ae43f04796323568fc3da051e3eee403af7f5bd461c4d20a15ea0cbfbf66

SHA512
4c7a59464b2a6d39c5fbea946f08937245b30827e53f305892bab872704cc7c8fc7e35d8fd93eb1feeb8823cd4013ed1c00554e6262429a35c1331647dc4cd05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
921B

MD5
c73a1b19491155bfe164d3dd62188471

SHA1
d0c27fd7c48c46308c265566c35ef3e75608b311

SHA256
fc304c7bbbf0fefa42bbbdaf913d75ee108547621d8011b03c8ac2c1e0d702a8

SHA512
2af08a06e8e9183805de9cc3a05c70089c568f116d7c1972a57b71d6765450eab860ffe0b9e3a381cee9cd119314511a35973ffa25c0b21241d1d639809d28c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fb48112b73fa4b29d8fbd6b2b7fd0e2f

SHA1
13b5f1d5722ec4d62e68ddd0d51f568212340ce6

SHA256
f66603e92bfa8687d66fd8b42670dcbdc7b9ccaf2d9a50225bc5580bebbe9648

SHA512
3081b07c01a6ceaeb4eeb5418435effb380ddf0ee2982ea1bb9822fcbcedc285f739c9604b6f73ee98bf3a61d9492ab45bd619778266c090cb2a02eec7661c08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
12616489e527d8112c1a2a89aa59469f

SHA1
45c3e4964b87be4fe9986e7732015a03d82631fc

SHA256
b1936c71a71007ae73deda27a0609bd610ede80e5c629af357d0d1b3a5fbb901

SHA512
11851ff0507db7ac3c547d0f5c2dd6838a71428be8ab57416b9fa2e057b301baa9b32aa876db5b3c559a8a92847cead98a585cb8aa06bb53790d5e65e3d9f91f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
87be610019a22519e8b5270fdf8a8df7

SHA1
397f0bc852bb56a54cfa2b2234c9cc40419da82f

SHA256
a59adde73b0b1f79b73f9ce314e4cc3dcdcdcdf2b141ef4cdfd16b68a99b8fd6

SHA512
1520dee52e0333ec6cf79f9b815a95c3286998340bb3dc00755fd05efe83136a58ce77e00ad7262b01ca7695d51aaaf078e25c846b5094633199ababe424fce8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d4c084bf832b88d4b3640e995aae5b14

SHA1
5c8e478a29541641214964714fe1d552ecbe7422

SHA256
a7213ea9811d7bc8efa9dba3888b3a2dfdc588252bc95375a4c2272e1e25ba82

SHA512
9d4a0ce8a079b202f3d169786df0fc96cb85a26f13493acc432d28ee3d2e214facb9242cbe3e74616c9957cb260dbf3b8b0d178d49cd5c3f70f8f542f2bbb5cd

Download Submit