Analysis

max time kernel: 17s
max time network: 22s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-10-2024 08:23

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://kantarit.service-now.com/mykantarservices?id=sc_cat_item&sys_id=8532c0151b1eddd0fe178551f54bcbb9
Resource: win10v2004-20241007-en

General

Target: https://kantarit.service-now.com/mykantarservices?id=sc_cat_item&sys_id=8532c0151b1eddd0fe178551f54bcbb9
Malware Config
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description        ioc                                                                    Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid   Process
  3656  msedge.exe
  3656  msedge.exe
  2688  msedge.exe
  2688  msedge.exe
  2036  identity_helper.exe
  2036  identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
Processes:
  pid   Process
  2688  msedge.exe  (all 6 IoCs reference this process)

Suspicious use of FindShellTrayWindow (25 IoCs)
Processes:
  pid   Process
  2688  msedge.exe  (all 25 IoCs reference this process)

Suspicious use of SendNotifyMessage (24 IoCs)
Processes:
  pid   Process
  2688  msedge.exe  (all 24 IoCs reference this process)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  description                        pid   Process     procid_target
  PID 2688 wrote to memory of 2920   2688  msedge.exe  85
  PID 2688 wrote to memory of 2360   2688  msedge.exe  86
  PID 2688 wrote to memory of 3656   2688  msedge.exe  87
  PID 2688 wrote to memory of 716    2688  msedge.exe  88
  (each row above is repeated many times in the original listing; the 64 IoCs cover only these four target processes)
Processes

msedge.exe  PID:2688
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://kantarit.service-now.com/mykantarservices?id=sc_cat_item&sys_id=8532c0151b1eddd0fe178551f54bcbb9
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:

  msedge.exe  PID:2920
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc8f5846f8,0x7ffc8f584708,0x7ffc8f584718

  msedge.exe  PID:2360
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,821689696125125782,17123313491500560894,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2

  msedge.exe  PID:3656
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,821689696125125782,17123313491500560894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses

  msedge.exe  PID:716
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,821689696125125782,17123313491500560894,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2968 /prefetch:8

  msedge.exe  PID:3092
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,821689696125125782,17123313491500560894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1

  msedge.exe  PID:4460
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,821689696125125782,17123313491500560894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1

  identity_helper.exe  PID:1688
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,821689696125125782,17123313491500560894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:8

  identity_helper.exe  PID:2036
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,821689696125125782,17123313491500560894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses

  msedge.exe  PID:4656
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,821689696125125782,17123313491500560894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1

  msedge.exe  PID:1516
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,821689696125125782,17123313491500560894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1

  msedge.exe  PID:1388
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,821689696125125782,17123313491500560894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1

  msedge.exe  PID:2912
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,821689696125125782,17123313491500560894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1

CompPkgSrv.exe  PID:2024
  C:\Windows\System32\CompPkgSrv.exe -Embedding

CompPkgSrv.exe  PID:2464
  C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads