Resubmissions
06-10-2024 15:46
241006-s7m7hssaqn 3
06-10-2024 00:27
241006-arq95axcmk 8
05-10-2024 22:08
241005-12ft9athqn 3
Analysis
max time kernel: 1680s
max time network: 1685s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 06-10-2024 15:46
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://youareaidiot.org
Resource: win11-20240802-en
General
Target: http://youareaidiot.org
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
Suspicious behavior: EnumeratesProcesses (12 IoCs)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
Suspicious use of FindShellTrayWindow (25 IoCs)
Suspicious use of SendNotifyMessage (12 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://youareaidiot.org
  PID: 1480
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff956e73cb8,0x7ff956e73cc8,0x7ff956e73cd8
    PID: 4516
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,8940826257901333769,7554566904476585035,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
    PID: 1600
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,8940826257901333769,7554566904476585035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
    PID: 2688
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,8940826257901333769,7554566904476585035,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
    PID: 492
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8940826257901333769,7554566904476585035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
    PID: 3008
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8940826257901333769,7554566904476585035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
    PID: 1592
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,8940826257901333769,7554566904476585035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 /prefetch:8
    PID: 664
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8940826257901333769,7554566904476585035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
    PID: 1184
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8940826257901333769,7554566904476585035,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
    PID: 3796
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8940826257901333769,7554566904476585035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
    PID: 3540
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8940826257901333769,7554566904476585035,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
    PID: 2536
  - "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,8940826257901333769,7554566904476585035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
    PID: 2348
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,8940826257901333769,7554566904476585035,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5156 /prefetch:2
    PID: 1244
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1188
- C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2836
Network
MITRE ATT&CK Enterprise v15
Downloads