hxxps://pub-9c4ec7f3f95c448b85e464d2b533aac1[.]r2[.]dev/CAptcha-Verifications-Approval[.]html

Resubmissions

05/10/2024, 20:46

241005-zksbaascjn 8

05/10/2024, 20:46

05/10/2024, 20:44

05/10/2024, 20:43

05/10/2024, 17:42

Analysis

max time kernel
35s
max time network
37s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
05/10/2024, 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://pub-9c4ec7f3f95c448b85e464d2b533aac1.r2.dev/CAptcha-Verifications-Approval.html

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3372	msedge.exe
3372	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
4288	identity_helper.exe
4288	identity_helper.exe
2728	msedge.exe
2728	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3872 wrote to memory of 232	3872	msedge.exe	77
PID 3872 wrote to memory of 232	3872	msedge.exe	77
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 400	3872	msedge.exe	78
PID 3872 wrote to memory of 3372	3872	msedge.exe	79
PID 3872 wrote to memory of 3372	3872	msedge.exe	79
PID 3872 wrote to memory of 3440	3872	msedge.exe	80
PID 3872 wrote to memory of 3440	3872	msedge.exe	80
PID 3872 wrote to memory of 3440	3872	msedge.exe	80
PID 3872 wrote to memory of 3440	3872	msedge.exe	80
PID 3872 wrote to memory of 3440	3872	msedge.exe	80
PID 3872 wrote to memory of 3440	3872	msedge.exe	80
PID 3872 wrote to memory of 3440	3872	msedge.exe	80
PID 3872 wrote to memory of 3440	3872	msedge.exe	80
PID 3872 wrote to memory of 3440	3872	msedge.exe	80
PID 3872 wrote to memory of 3440	3872	msedge.exe	80
PID 3872 wrote to memory of 3440	3872	msedge.exe	80
PID 3872 wrote to memory of 3440	3872	msedge.exe	80
PID 3872 wrote to memory of 3440	3872	msedge.exe	80
PID 3872 wrote to memory of 3440	3872	msedge.exe	80
PID 3872 wrote to memory of 3440	3872	msedge.exe	80
PID 3872 wrote to memory of 3440	3872	msedge.exe	80
PID 3872 wrote to memory of 3440	3872	msedge.exe	80
PID 3872 wrote to memory of 3440	3872	msedge.exe	80
PID 3872 wrote to memory of 3440	3872	msedge.exe	80
PID 3872 wrote to memory of 3440	3872	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pub-9c4ec7f3f95c448b85e464d2b533aac1.r2.dev/CAptcha-Verifications-Approval.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e1a33cb8,0x7ff9e1a33cc8,0x7ff9e1a33cd8
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,15119253674018379383,7186574721915586796,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,15119253674018379383,7186574721915586796,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,15119253674018379383,7186574721915586796,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
  2⤵
  PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15119253674018379383,7186574721915586796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15119253674018379383,7186574721915586796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,15119253674018379383,7186574721915586796,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,15119253674018379383,7186574721915586796,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15119253674018379383,7186574721915586796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2976 /prefetch:1
  2⤵
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15119253674018379383,7186574721915586796,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1
  2⤵
  PID:1700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9828ffacf3deee7f4c1300366ec22fab

SHA1
9aff54b57502b0fc2be1b0b4b3380256fb785602

SHA256
a3d21f0fb6563a5c9d0f7a6e9c125ec3faaa86ff43f37cb85a8778abc87950f7

SHA512
2e73ea4d2fcd7c8d52487816110f5f4a808ed636ae87dd119702d1cd1ae315cbb25c8094a9dddf18f07472b4deaed3e7e26c9b499334b26bdb70d4fa7f84168d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6fdbe80e9fe20761b59e8f32398f4b14

SHA1
049b1f0c6fc4e93a4ba6b3c992f1d6cecf3ada1f

SHA256
b7f0d9ece2307bdc4f05a2d814c947451b007067ff8af977f77f06c3d5706942

SHA512
cf25c7fd0d6eccc46e7b58949c16d17ebeefb7edd6c76aa62f7ab5da52d1c6fc88bde620be40396d336789bd0d62b2162209a947d7ab69389e8c03682e880234

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e56a19f9b1636833ed601c0386b04f44

SHA1
06791e908580a5ca41b22569d9b87e9e33329085

SHA256
a95476df85863783ed30564060bae6c7cb49dbd5249721899434a9e29c0519c6

SHA512
98f17871b81deb857e6d38a0ebbe507bd5b67acaac2d462462c6a4638cda0e4107806b408c1b922faa406522bdd0e499b3d9f38b865dbfd6da4f633a13569fbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
af84a51cf9ab2f2d8a9fc78ff93e451a

SHA1
ef731f15f00e0449d719f43d900632a007feb325

SHA256
d0a633d2060860508e99206ba30aa9758df7161e5fd3e8c26fa72bedeacda62d

SHA512
f1ac2823c6793e1c2801195d563858e0f01535e7122fac6e846d4f3629691cf18ba68dc13979ac0833dc1708aac66bfc2ca5295657cfbf5620b4bf480d394226

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
627370e59dfadc2b81fa2b1c8d175e1c

SHA1
b4e82905319eeee669582582e43de9031ea6403b

SHA256
35ae086a1bc11261804d2445c8965ef934aeba20655b6ec4bc72277939d49fb4

SHA512
78b4d8a485f5298f0222f3d546e25f01af490c8da247dd9dc914196b4da7c68dacdb8d3b9af5269a12fedc5207ad73c56cb475199211463ec23d1faf2ce7034d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3911e34d4b1bf4588c37e1ea7d57dffb

SHA1
7ee6a8ffe8d4f3248c8723090a7ed5506a9fe7e9

SHA256
ae7c382b8a4e7ef9b4e055a70ee6aa9d7a9e1ea232119d2527ee20b5426fb549

SHA512
f54cdf4536d3f8b524bfe0248a473efff5cdf943bc03b78dd3614e8e6fe51290db8d03518d1eef96cf558337fb82eac09475fdf2102042dae37b682d2d3396ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
70c5bcc66af64ee17193472aba38bba9

SHA1
a530f638323b635ddbef0b9b2a395d1d52d3f08e

SHA256
a6f4da424d9cb87ac11c2b31e79842fdf1f8ba13d33c648a4a82dfd8872a559f

SHA512
d51aa55f3c03938886824298d8426df7859ba9beb595a16992c7121661060b30f1a80810a8522bdacf1354dab19563c6009aa00e16f33086d6f71c1d88989887

Download Submit