Analysis

max time kernel:   112s
max time network:  117s
platform:          windows10-2004_x64
resource:          win10v2004-20240802-es
resource tags:     arch:x64 arch:x86 image:win10v2004-20240802-es locale:es-es os:windows10-2004-x64 system windows
submitted:         18-09-2024 19:25
URLScan task:      urlscan1
Behavioral task:   behavioral1
Sample:            https://papi3.brws.vc/url/NTUxYmMyZTEtYjExMC00OTRkLTgyYjYtZGY3MWIxNTFmZGYx?q=https://dweb.link/ipfs/bafkreifph63w7jyrivxvyh7tncs6obqddq6gcljtexqyvlpk6knhwfgcwy/#[email protected]
Resource:          win10v2004-20240802-es

General

Target: https://papi3.brws.vc/url/NTUxYmMyZTEtYjExMC00OTRkLTgyYjYtZGY3MWIxNTFmZGYx?q=https://dweb.link/ipfs/bafkreifph63w7jyrivxvyh7tncs6obqddq6gcljtexqyvlpk6knhwfgcwy/#[email protected]
Malware Config
Signatures

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  78    api.ipify.org
  79    api.ipify.org

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
  description        ioc                                                                     process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                      msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName    msedge.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: msedge.exe, msedge.exe, identity_helper.exe
  pid   process
  1676  msedge.exe
  1676  msedge.exe
  2816  msedge.exe
  2816  msedge.exe
  2856  identity_helper.exe
  2856  identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
Processes: msedge.exe
  pid   process
  2816  msedge.exe   (7 identical entries)

Suspicious use of FindShellTrayWindow (25 IoCs)
Processes: msedge.exe
  pid   process
  2816  msedge.exe   (25 identical entries)

Suspicious use of SendNotifyMessage (24 IoCs)
Processes: msedge.exe
  pid   process
  2816  msedge.exe   (24 identical entries)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: msedge.exe
  description                        pid   process     target process
  PID 2816 wrote to memory of 2468   2816  msedge.exe  msedge.exe
  PID 2816 wrote to memory of 4776   2816  msedge.exe  msedge.exe
  PID 2816 wrote to memory of 1676   2816  msedge.exe  msedge.exe
  PID 2816 wrote to memory of 3664   2816  msedge.exe  msedge.exe
  (each row is repeated; 64 entries in total, the great majority targeting PIDs 4776 and 3664)
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2816)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://papi3.brws.vc/url/NTUxYmMyZTEtYjExMC00OTRkLTgyYjYtZGY3MWIxNTFmZGYx?q=https://dweb.link/ipfs/bafkreifph63w7jyrivxvyh7tncs6obqddq6gcljtexqyvlpk6knhwfgcwy/#[email protected]
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2468)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffea8f046f8,0x7ffea8f04708,0x7ffea8f04718

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4776)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,2651367160591347266,15487106350010706189,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1676)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,2651367160591347266,15487106350010706189,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3664)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,2651367160591347266,15487106350010706189,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3936)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2651367160591347266,15487106350010706189,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2184)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2651367160591347266,15487106350010706189,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2944)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2651367160591347266,15487106350010706189,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 232)
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,2651367160591347266,15487106350010706189,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 2856)
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,2651367160591347266,15487106350010706189,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5084)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2651367160591347266,15487106350010706189,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3920)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2651367160591347266,15487106350010706189,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3908)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2651367160591347266,15487106350010706189,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3584)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2651367160591347266,15487106350010706189,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe  (PID 3496)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  (PID 4496)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
MD5:    f9664c896e19205022c094d725f820b6
SHA1:   f8f1baf648df755ba64b412d512446baf88c0184
SHA256: 7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e
SHA512: 3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Filesize: 152B
MD5:    847d47008dbea51cb1732d54861ba9c9
SHA1:   f2099242027dccb88d6f05760b57f7c89d926c0d
SHA256: 10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1
SHA512: bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 72B
MD5:    f0b10d74e7dc368d6a919e3bb4ced1da
SHA1:   18a46d2b7bb5063bf6fa7e89a1936b414c0c9e34
SHA256: 4c747786359e2992cffb918cbdcb8d8a4407095f43519eb8906360be8b69ac96
SHA512: 23d54ff300aab308f222b36669914e65c8343ca28dd849b178ac2ff31bc1528bd90caca4e386cea9498ea7169fcebe397208ca2452ae9505b6bc16b73353eafc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 216B
MD5:    6d03860524904ae157bf30539d73379e
SHA1:   e0324e5026f849b97f862c4e0c0cca4b4bf11d4a
SHA256: 1f97bfb2120982df8d45157e18c7bd6047286851ee770a12cd0212dcf09d6a6a
SHA512: 989fe902611e1f2e5bb85ba17845a32c88accd99bbc58235000caf2c3bb986c351f532861ff6b29d578b70d0667c7abda8b80963993589d602852595f9dc8b01

Filesize: 1KB
MD5:    46bd6c530f56c685b1acefbffa7b9685
SHA1:   26952cecfa5d65b0a3b62fde4093d9b60e6043c9
SHA256: bdcf9f596485e8d53ded8818460db7cdc8d1a885b5dec816ed048684ed6df4fe
SHA512: 021c2c2d63b2cc835e3a76c6315b53e572f29391fff3f182a9b915c752aec3d93ce1bbcdd5a01887acea2d7845f223471db906a0419ad9ca7dc3174b874c7585

Filesize: 6KB
MD5:    70fc8b61b3a76d8c42254a98fc6bdb7e
SHA1:   e698ab0b0191458b3dbe427cb3fb655828bce601
SHA256: 856ef1f27c4981490085f7dfcf68aeae64e47ac0ff8c5b5a29abecc99083deeb
SHA512: f4d1f9262bc3b492954ad776496ccdbcbd52e9a99cd745eecb8a549724bdf9eb54b3869657b6d45dcc71587d7493fedba62437fa323d625508220e390c361e5f

Filesize: 5KB
MD5:    0bf2e9ac4ed0fbf310a672873685a723
SHA1:   cae9cd3a24c7ece85e2625538634d0e4592edbba
SHA256: 34d7726b9e945dbc0325b7dae8726274f98ed7d5d8ea9afd03a72b5015516862
SHA512: 9060d71fe519a63b258834d6a61ecef972a5b3ca3491b03eed625d4edc6c4799477107131d68edbf59fe9ed40a6b8d16ed8c4f25e988088a647d08bf036ce976

Filesize: 6KB
MD5:    ba65d587f3cbd9caf1a8203ebf04cb3a
SHA1:   8e43d849787043a3b8cfa3211d78b6769218654b
SHA256: 93f6b775cba42e6573e887f4e7381b33798eceb39ae03c107ee14bd59e1f3503
SHA512: 3f7445419c44ab9031eee5c15f5a300b3e2154e2119915d23aab9d889de7efcbe99986de9a65d83210897c920afdc2dc35330715017f0b13ca8e525abeac5b14

Filesize: 1KB
MD5:    b55c1ca50a0edcd7e1211ffb1f5d157c
SHA1:   bd8fc162be407b377c32d45454fa5915f39fb4b3
SHA256: a94da0f1fa657637c6bb367c00e25ff4a8610b7fdc51829581a8704c0208819a
SHA512: 4c47f3eea2726130cd63b08552bfbc6d9a7bcb46fc8be81ecb7d98e2b30157537bef7c567122fb0e5d2d38e62b777eb84e04e7cf46bae204b946605ade82f8ba

Filesize: 1KB
MD5:    04a18767c913fc56d999dbfb21cb5603
SHA1:   7d60c6a390a5e870f03a9ee6673105206cec8827
SHA256: bb400d50c6f8da6f2bf8778a42797c3468dcfc587f13cc2ff174803430e4c751
SHA512: d7372b49ae91eb8d14d407fc222996b75d6c565afddb0c00fe7e54570f331753c68cec0fe72f77538a653323ef50902d188f634f47619ea397acea0514b14ba5

Filesize: 16B
MD5:    46295cac801e5d4857d09837238a6394
SHA1:   44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Filesize: 16B
MD5:    206702161f94c5cd39fadd03f4014d98
SHA1:   bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Filesize: 10KB
MD5:    a0d80eca2ab5b622e8c89c7dc2cbbc13
SHA1:   7a715fa8b0dd14586245e96894cec0b34cd54d4e
SHA256: df9a2ca84fa8fa1031027205496d5e3f1361147b3e7368b1c047d054ceb8e7e4
SHA512: 003bafcc1f04e3061a3766f1f0d31e38fbe88892cd67d6881277e909540857609563c533809e0f6dad8e8c627e539076ee1c6fac6142ef4fa5a551a6f2a56fd7

MD5:    d41d8cd98f00b204e9800998ecf8427e
SHA1:   da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e