hxxps://wam-edu-fc[.]jp/wam2/

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 00:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://wam-edu-fc.jp/wam2/

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
5100	msedge.exe
5100	msedge.exe
4384	msedge.exe
4384	msedge.exe
4972	identity_helper.exe
4972	identity_helper.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4384 wrote to memory of 2956	4384	msedge.exe	82
PID 4384 wrote to memory of 2956	4384	msedge.exe	82
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5096	4384	msedge.exe	83
PID 4384 wrote to memory of 5100	4384	msedge.exe	84
PID 4384 wrote to memory of 5100	4384	msedge.exe	84
PID 4384 wrote to memory of 2916	4384	msedge.exe	85
PID 4384 wrote to memory of 2916	4384	msedge.exe	85
PID 4384 wrote to memory of 2916	4384	msedge.exe	85
PID 4384 wrote to memory of 2916	4384	msedge.exe	85
PID 4384 wrote to memory of 2916	4384	msedge.exe	85
PID 4384 wrote to memory of 2916	4384	msedge.exe	85
PID 4384 wrote to memory of 2916	4384	msedge.exe	85
PID 4384 wrote to memory of 2916	4384	msedge.exe	85
PID 4384 wrote to memory of 2916	4384	msedge.exe	85
PID 4384 wrote to memory of 2916	4384	msedge.exe	85
PID 4384 wrote to memory of 2916	4384	msedge.exe	85
PID 4384 wrote to memory of 2916	4384	msedge.exe	85
PID 4384 wrote to memory of 2916	4384	msedge.exe	85
PID 4384 wrote to memory of 2916	4384	msedge.exe	85
PID 4384 wrote to memory of 2916	4384	msedge.exe	85
PID 4384 wrote to memory of 2916	4384	msedge.exe	85
PID 4384 wrote to memory of 2916	4384	msedge.exe	85
PID 4384 wrote to memory of 2916	4384	msedge.exe	85
PID 4384 wrote to memory of 2916	4384	msedge.exe	85
PID 4384 wrote to memory of 2916	4384	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://wam-edu-fc.jp/wam2/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff636c46f8,0x7fff636c4708,0x7fff636c4718
  2⤵
  PID:2956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,2626406272887380199,17295520023204164913,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,2626406272887380199,17295520023204164913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,2626406272887380199,17295520023204164913,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2626406272887380199,17295520023204164913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2626406272887380199,17295520023204164913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,2626406272887380199,17295520023204164913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,2626406272887380199,17295520023204164913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2626406272887380199,17295520023204164913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2626406272887380199,17295520023204164913,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2626406272887380199,17295520023204164913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2626406272887380199,17295520023204164913,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,2626406272887380199,17295520023204164913,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4908 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1620

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
1d1d12ab43b088360fd9f06c5f8d6e3d

SHA1
41e7166347cedb013727be292723a9f29a9177c5

SHA256
e6f82048947f2fb33e2104949d440a77eb93be1132408cc3fce5e4971959eb08

SHA512
a5f23189302dc5e74ebeb4857f30bf70a3244ae3c0e2611b972742204d32afcfb307e7d922389335b57e9b657b8dbc52464c8bfb47e2402cb209ff556930aded

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
727B

MD5
47b13ee0488c55363e3287279ca2cba7

SHA1
e3445f532f6ca4176555c99da5a4dcefc0a5baf4

SHA256
26e69eacd49be26f707db4c47a6dd066fd91713f0de1dd8d43dfa6e10d463515

SHA512
e82772461b69b7e19a2ab2f31c7442a8be24b6a25550f511ccb551c00b2c085a44269e2939bc87d732ebe23a88eef7446044c7032ced93a40595c2c9ad97de5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
64ab16129a1b72fb4f53e87644350630

SHA1
f203b78e6e760c0e6ab9626d3a4ca225f9dbadfd

SHA256
1d7c137d95c25c5d7e74ff2af93c61bd0f84ce355ab7e2b39a01013bd2dea7de

SHA512
607d122cf33a3cc650ca3f054fbc0a9ca56d43687c6fb7e12e53750700de1d852117a639a708e6a10ba559a7516f0074d8deb3e34d64bc1a60c4a8f121218178

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9b09303d7f108af092ded80f3298fb05

SHA1
533c032216c9fd201f4c241cc4a13bea29b9cfff

SHA256
3dff69e0a7628d478f1f60359ae2e9b0dfe97a34489e8f69bda4aa01bbebc5ae

SHA512
e8f0b667dcc2d5787f5037c3653436d6accc0b787684d74240e5956d22e73b3a436eaeff2db75ddff1c9c8a8c8a53ea30d26cdb8e3df11f71fa9223bfbff970a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
865ddd74c5c72ba18b857c7105019849

SHA1
4f6a074021ff64a6e76a1122192bf92083e538e3

SHA256
37b485b5c64e499ff8172e1672f71c7fd58426d10b35fa4e0049cfdc439eeacf

SHA512
724ac4bf0ff901c18e45cd8cecc6ad0605da2a0490f50a92537725c084c17c403ea830594a5fa2078b1cefd3800c02b490fde540dfab7d6f4ac09231bb79c283

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
492d255cec8f904990ca6b773c5d8ff2

SHA1
482cd3e635a807b915628a9fc3c9b5b796f6d141

SHA256
7562c4990f6ab7620797fef78ed53a6c1684f486e3edb51e58e2577bd9155f8b

SHA512
5975bbe420c2e89d82bd7c85d51bf09b756fd92534bdef7d5a9aacb70cafd69d05f5313d956c48cf2fadd80f97e12d0d8400d93348c05251481a76f6c654208c

Download Submit