Analysis
max time kernel: 1680s
max time network: 1687s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system
submitted: 07/11/2024, 21:11
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://pezbelz.store/btk/xls/b1t2k.js
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: https://pezbelz.store/btk/xls/b1t2k.js
  Resource: win10v2004-20241007-en
Behavioral task: behavioral3
  Sample: https://pezbelz.store/btk/xls/b1t2k.js
  Resource: win10ltsc2021-20241023-en
Behavioral task: behavioral4
  Sample: https://pezbelz.store/btk/xls/b1t2k.js
  Resource: win11-20241007-en
General
Target: https://pezbelz.store/btk/xls/b1t2k.js
Malware Config
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description         ioc                                                                    Process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName    msedge.exe
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                      msedge.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs; identical rows collapsed, count in last column)
  pid    Process               entries
  2840   msedge.exe            2
  3368   msedge.exe            2
  2212   msedge.exe            2
  1604   identity_helper.exe   2
  2636   msedge.exe            4

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  pid    Process      entries
  3368   msedge.exe   6

Suspicious use of FindShellTrayWindow (25 IoCs)
  pid    Process      entries
  3368   msedge.exe   25

Suspicious use of SendNotifyMessage (12 IoCs)
  pid    Process      entries
  3368   msedge.exe   12

Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, count in last column)
  description                        pid    Process      procid_target   entries
  PID 3368 wrote to memory of 716    3368   msedge.exe   77              2
  PID 3368 wrote to memory of 4676   3368   msedge.exe   78              40
  PID 3368 wrote to memory of 2840   3368   msedge.exe   79              2
  PID 3368 wrote to memory of 4264   3368   msedge.exe   80              20
Processes
(indented entries are child processes of the entry above them)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3368)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://pezbelz.store/btk/xls/b1t2k.js
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 716)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffddaba3cb8,0x7ffddaba3cc8,0x7ffddaba3cd8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4676)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,7558338219165638045,8320813380850951387,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2840)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,7558338219165638045,8320813380850951387,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2612 /prefetch:3
      Signatures:
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4264)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,7558338219165638045,8320813380850951387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4680)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7558338219165638045,8320813380850951387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1560)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7558338219165638045,8320813380850951387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2212)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,7558338219165638045,8320813380850951387,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4504 /prefetch:8
      Signatures:
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe (PID 1604)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,7558338219165638045,8320813380850951387,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
      Signatures:
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1912)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7558338219165638045,8320813380850951387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4348)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7558338219165638045,8320813380850951387,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4132)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7558338219165638045,8320813380850951387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4060)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7558338219165638045,8320813380850951387,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2636)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,7558338219165638045,8320813380850951387,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2480 /prefetch:2
      Signatures:
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe (PID 900)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (PID 3524)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 152B
MD5: e9a2c784e6d797d91d4b8612e14d51bd
SHA1: 25e2b07c396ee82e4404af09424f747fc05f04c2
SHA256: 18ddbb93c981d8006071f9d26924ce3357cad212cbb65f48812d4a474c197ce6
SHA512: fc35688ae3cd448ed6b2069d39ce1219612c54f5bb0dd7b707c9e6f39450fe9fb1338cf5bd0b82a45207fac2fbab1e0eae77e5c9e6488371390eab45f76a5df1

Filesize: 152B
MD5: 1fc959921446fa3ab5813f75ca4d0235
SHA1: 0aeef3ba7ba2aa1f725fca09432d384b06995e2a
SHA256: 1b1e89d3b2f3da84cc8494d07cf0babc472c426ccb1c4ae13398243360c9d02c
SHA512: 899d1e1b0feece25ac97527daddcaaeb069cb428532477849eba43a627502c590261f2c26fef31e4e20efd3d7eb0815336a784c4d2888e05afcf5477af872b06

Filesize: 181B
MD5: 6f39ba8e05adc047275153b7aa6b209c
SHA1: e013c0e21adfb97ab2c4832e685545de5526ac07
SHA256: c98e8c8df5e9c3c139546ba5065717454f321c21728b7e7ffd081fa0509ccd28
SHA512: 1628e4ab233e58a16deae1ad518c9909c0f5b50204e1572d28153d569960e37f55fc12c685f76a948a70f375d0e0c8f862b74b2754570e93105b10d159761e10

Filesize: 5KB
MD5: def837936872bb33206a2c89a4c9625e
SHA1: 6742ff82c8163e53a8488935fa49accf153dda72
SHA256: 250789837495fbbd2551b711f3c2ab4f0e5d4703b208e162234ff5dae6bd9244
SHA512: 378bccf43002efa3a3c21301cfcf839e594d0eb38c0ad49f65c5bb35ec667cb425e4012758b2db9573c5843da2da1e46c4ab981d70084ee8cc6aa445733c1a26

Filesize: 6KB
MD5: a485dfc76d7bdc77d2d65df364528d25
SHA1: 1e2fa41b5d4eb2d92374c0dde0f221c2982a1e15
SHA256: e897b9792dc2423ae0014d64276e000ffbb0413f8be24be501278b8218e95430
SHA512: 9d5b38a85a260d7312f06172d3392422c4e85dda9190ee3bc2cb9b71a00d507879dddd3bb00d9550100f969729d0271642b421cd2a7f9ad693c6c3ef87fd4de9

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 10KB
MD5: f3b0acf68462c1b4cf0abfe5c078a154
SHA1: d77a9e3e53b51e3525b5109ae68027ac67ab7e17
SHA256: 849391e77f218d6a5e656d5f4f9f5d8dd7325c9c00345105e1ec9a9a582bef7a
SHA512: eede21b76dc3e95d90719d1158909b07a98739b4a9ac3d169e60acdbf13ededfcc56f197ca0285af50262424e9855f97a208972e69f227c8e4dd66620123c0d0