hxxps://facebook[.]com/GfAfZIud/ncSy6lce

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2024, 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://facebook.com/GfAfZIud/ncSy6lce

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2596	msedge.exe
2596	msedge.exe
1488	msedge.exe
1488	msedge.exe
1308	identity_helper.exe
1308	identity_helper.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 1824	1488	msedge.exe	83
PID 1488 wrote to memory of 1824	1488	msedge.exe	83
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 4060	1488	msedge.exe	84
PID 1488 wrote to memory of 2596	1488	msedge.exe	85
PID 1488 wrote to memory of 2596	1488	msedge.exe	85
PID 1488 wrote to memory of 2636	1488	msedge.exe	86
PID 1488 wrote to memory of 2636	1488	msedge.exe	86
PID 1488 wrote to memory of 2636	1488	msedge.exe	86
PID 1488 wrote to memory of 2636	1488	msedge.exe	86
PID 1488 wrote to memory of 2636	1488	msedge.exe	86
PID 1488 wrote to memory of 2636	1488	msedge.exe	86
PID 1488 wrote to memory of 2636	1488	msedge.exe	86
PID 1488 wrote to memory of 2636	1488	msedge.exe	86
PID 1488 wrote to memory of 2636	1488	msedge.exe	86
PID 1488 wrote to memory of 2636	1488	msedge.exe	86
PID 1488 wrote to memory of 2636	1488	msedge.exe	86
PID 1488 wrote to memory of 2636	1488	msedge.exe	86
PID 1488 wrote to memory of 2636	1488	msedge.exe	86
PID 1488 wrote to memory of 2636	1488	msedge.exe	86
PID 1488 wrote to memory of 2636	1488	msedge.exe	86
PID 1488 wrote to memory of 2636	1488	msedge.exe	86
PID 1488 wrote to memory of 2636	1488	msedge.exe	86
PID 1488 wrote to memory of 2636	1488	msedge.exe	86
PID 1488 wrote to memory of 2636	1488	msedge.exe	86
PID 1488 wrote to memory of 2636	1488	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://facebook.com/GfAfZIud/ncSy6lce
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffad17946f8,0x7ffad1794708,0x7ffad1794718
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,8640106007406102547,11945298028325186918,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,8640106007406102547,11945298028325186918,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,8640106007406102547,11945298028325186918,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
  2⤵
  PID:2636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8640106007406102547,11945298028325186918,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8640106007406102547,11945298028325186918,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,8640106007406102547,11945298028325186918,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  PID:2920
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,8640106007406102547,11945298028325186918,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8640106007406102547,11945298028325186918,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8640106007406102547,11945298028325186918,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8640106007406102547,11945298028325186918,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8640106007406102547,11945298028325186918,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,8640106007406102547,11945298028325186918,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4796 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3720

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:376

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0a9dc42e4013fc47438e96d24beb8eff

SHA1
806ab26d7eae031a58484188a7eb1adab06457fc

SHA256
58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

SHA512
868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
ce9aa70725b8f766115189821f5fc974

SHA1
16f42f66fabeb5f725560d8f11e79e3401b18abd

SHA256
91b6af589cd99aa0c4692eda500bb548864423fcdc104d1042ac02094d715789

SHA512
4a51e6c38e9d8713aea63a5e4af24fb7e5bb081a0881c34945d78c791d41c4c04d7716addd037659f9789eca72071379ab3427d894459268e8a1d7e629d962d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
324B

MD5
cd4dc48b31da2546e47cb462de5c8169

SHA1
85a1b0db8a604f55dabeea9917f40ba9451bc206

SHA256
2bcd3b8fdabd475e8610f6e4295084cf3b53655117b338dfbd8f6ce1b6bf3e22

SHA512
c41d83bee70f6d575580348fe96d8d5d23830069b7c522c294892c5b0e74f6dd3385096eadcbb81d71dcdceeebc7c7bad59b9c6eacebba9ad73b59f78e8e3887

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0c5c702742acd54f9ee1b2747d7589c7

SHA1
66aa0a25d54621cc433f82baf106dce94ae88884

SHA256
1867bea1c7397394c59d5e0552428712b78dba559d1ee8564b3beec21cb372d4

SHA512
523e296f94c832fda40422b22c21327fdc87810dee6be8304b97c99a1f3285c85472104c3eff7fb830ff7b270f1317b2c5ac85a758176da8be3b63d794bf8959

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
05de2db5eb080ab3de2c91d1f3e81a69

SHA1
e404380fb72f05b77497659e1798efaca238cedc

SHA256
e6a4dea5dc7eeb210b3ce66522c198f3463f9b70d72059cbffe4dd3468f7e40d

SHA512
ef3a520d1241d8164218300497810f54732e6cfcf018d924c7df1a597ad410aa379a7532879a712d2976208a66bb5565c815b2ba62104040c92a3a3fb3312305

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
124ea1102108d8ca7e227fe749061bc1

SHA1
eb976d0a79a3fb11f360640cb6b1afd53ac87021

SHA256
fd4eb63af4b264ba689a1aba3677c331c4fbbd0cc23c02fec8574377743d18b5

SHA512
f2b863136c3246ed4a07115c62ad08bce60503373d6b525830383287c3f1631d9d14a8a1cce0fadcc3e47b20a70b8f41db1252f7e6986c94525a1fd6756fac68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
893b68f611b1ad8d83b3a50cf6976424

SHA1
6be55daf1a6333895d2087ff927ff2b150684932

SHA256
9231ec66a66a42c384464738ff0af7405d6f08adbb3114f9c97531458b52f9fe

SHA512
149061dd860dda0cbd8d8872cd5e732443c9b35a32a4bf2745795398ea8478201abc3ec2bd4c8c366864cc93675397d5b57e9cb362e224528d6f8591958a02cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f01d.TMP

Filesize
872B

MD5
df6a16f72d0c616501f407aa1433da49

SHA1
5bb8174cf0c705f4a30abbf4ea89b83b80224634

SHA256
067fd40ec552ded31f731bca3801e911e4d043a63abaee3dc7e7685496eb13a5

SHA512
3a07464d84c6098c3d4bc30883c633367225591658c417db06c5533dd27de92a9f4d45904339436c08fa6fa880767d13d129b63b8c8eb078ecdd1aba82df441f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e3cf952f0d996c5751527927dda696c3

SHA1
0f65d17bed3693f55084568185f4d635f18d0f9d

SHA256
b7c032434f07138fd59ac468b84af0e4e448dac4c74ef72c0835fff6dad4301f

SHA512
0c0e0e72dc64b681c0767f3a3e9708d6d027e7ca8e5d8553e8c404ffad7f36d2454e280bb0c88076aae9ddca7d3ce9d8542745fe8f94960d5f0819030c145d07

Download Submit