Analysis
max time kernel: 480s
max time network: 597s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 22:04
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://pixeldrain.com/u/yrMSBJTy
Resource: win10v2004-20241007-en
General
Target: https://pixeldrain.com/u/yrMSBJTy
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
description        ioc                                                                    Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid   Process              entries
1052  msedge.exe           2
468   msedge.exe           2
456   identity_helper.exe  2
3156  msedge.exe           4

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
pid   Process     entries
468   msedge.exe  6

Suspicious use of FindShellTrayWindow (25 IoCs)
pid   Process     entries
468   msedge.exe  25

Suspicious use of SendNotifyMessage (24 IoCs)
pid   Process     entries
468   msedge.exe  24

Suspicious use of WriteProcessMemory (64 IoCs)
description                      pid  Process     procid_target
PID 468 wrote to memory of 4456  468  msedge.exe  83
PID 468 wrote to memory of 5064  468  msedge.exe  85
PID 468 wrote to memory of 1052  468  msedge.exe  86
PID 468 wrote to memory of 3400  468  msedge.exe  87
Each row above is repeated in the raw report (64 entries in total). All writes originate from the top-level msedge.exe (PID 468) and target PIDs that the process tree below lists as its own Edge child processes (crashpad handler 4456, GPU process 5064, network service 1052, storage service 3400).
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://pixeldrain.com/u/yrMSBJTy
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 468

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0c4c46f8,0x7ffc0c4c4708,0x7ffc0c4c4718
    PID: 4456

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,2099073646494621314,12174697394872978641,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
    PID: 5064

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,2099073646494621314,12174697394872978641,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID: 1052

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,2099073646494621314,12174697394872978641,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
    PID: 3400

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2099073646494621314,12174697394872978641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
    PID: 2332

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2099073646494621314,12174697394872978641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
    PID: 3208

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,2099073646494621314,12174697394872978641,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
    PID: 3604

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,2099073646494621314,12174697394872978641,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 456

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2099073646494621314,12174697394872978641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
    PID: 3828

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2099073646494621314,12174697394872978641,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
    PID: 384

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2099073646494621314,12174697394872978641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
    PID: 4576

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2099073646494621314,12174697394872978641,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
    PID: 4816

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,2099073646494621314,12174697394872978641,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5128 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
    PID: 3156

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2956

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3504
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 152B
MD5: fab8d8d865e33fe195732aa7dcb91c30
SHA1: 2637e832f38acc70af3e511f5eba80fbd7461f2c
SHA256: 1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea
SHA512: 39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Filesize: 152B
MD5: 36988ca14952e1848e81a959880ea217
SHA1: a0482ef725657760502c2d1a5abe0bb37aebaadb
SHA256: d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6
SHA512: d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 96B
MD5: 9f6be03dd52a726cbd5669ddf45ee936
SHA1: d4b1b4ecb324779528f7d88d8cc5c13687a8d768
SHA256: c77b773a64d23e337ad4ec90a82211aa37729265551bf0069c6586a71a5491cf
SHA512: b9eb2cec801c30a4cb0adcbe55e3befbdb7b3b8e70ddc789e65e2acf2ba67481756615d285bd90a0f4b82ce7c871c7ae33a5a822f4634c1cf8f715a903e9de9d

Filesize: 182B
MD5: 9eb9d67f919ae153884991ffc5223fdb
SHA1: 8ebbb1a763b529cc9bf2839b13f0564f10d10046
SHA256: 08e4c57ce93d9bce050befa4e516d8aca239010d22692f90ea30a39ba91a1d40
SHA512: 9aad23e77ff458c7b49381fec4e0c650172314e46cdae969744d948f67eabb8ee25e2d04f6d81d43bc97f2d704fabc43b4b63ece97a14f09fde78c59132a003b

Filesize: 5KB
MD5: c3a3bd210803938108fc5853639e03fe
SHA1: 1e6eb28d7841822c30c9127d2fbe217ce6c63fc3
SHA256: 32ca68ca39cf73ea8a362755d42faaf82d741f13247e425bdbab72356dfd3246
SHA512: 403afcac660daa4569e3f0f1986ba3249573b1d923db2f036c70b28a4cb8baeb506fdd7dbb026d17145f42839a56f83a9b84e1c1f8be8edebbd59cc80d20f21c

Filesize: 6KB
MD5: 9cd1e706586471b88071bec4e265148a
SHA1: 98718a8e48b6183800f161211cab14ffe1fe5b5a
SHA256: 58b5b554ab9c921772e48828abd34dff269cada258616b3f7cea58f1dfb03deb
SHA512: 1da8781b866967a8556b123e8abdf17c6bf83ad92f566586955155d9f4ce20915f823c232e9c59a3a7a03204454ea33b77facaf7fcfa224db0e46af0e9e349ea

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 10KB
MD5: dda076341d5b2f8f30fded1a957587ef
SHA1: ddce4d051f2accce4eb3c5e13c3a9905060e459e
SHA256: 03139c59d90d9291eb6e20e95f594c4f2448fb40ea711ec098d0f0669c7836c4
SHA512: 5a9ac5da5878929afbde93e4dfe1935c224f132044fd18edfa417609f5a1b01086f789d2d1d1765cdba9170c523e059007f0365ae4e87b91801dafab931cc670