Analysis
max time kernel: 36s
max time network: 37s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 19:47
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://alweddca.icu/moneynetwork/390
Resource: win10v2004-20241007-en
General
Target: https://alweddca.icu/moneynetwork/390
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe |
Suspicious behavior: EnumeratesProcesses (6 IoCs)

| pid | Process |
| --- | --- |
| 4736 | msedge.exe |
| 4736 | msedge.exe |
| 400 | msedge.exe |
| 400 | msedge.exe |
| 5056 | identity_helper.exe |
| 5056 | identity_helper.exe |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)

| pid | Process |
| --- | --- |
| 400 | msedge.exe (all 7 entries identical) |
Suspicious use of FindShellTrayWindow (26 IoCs)

| pid | Process |
| --- | --- |
| 400 | msedge.exe (all 26 entries identical) |
Suspicious use of SendNotifyMessage (24 IoCs)

| pid | Process |
| --- | --- |
| 400 | msedge.exe (all 24 entries identical) |
Suspicious use of WriteProcessMemory (64 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 400 wrote to memory of 3388 | 400 | msedge.exe | 83 |
| PID 400 wrote to memory of 2632 | 400 | msedge.exe | 84 |
| PID 400 wrote to memory of 4736 | 400 | msedge.exe | 85 |
| PID 400 wrote to memory of 708 | 400 | msedge.exe | 86 |

The 64 entries are repeated instances of these four rows (two each for targets 3388 and 4736, the remainder for targets 2632 and 708).
Processes
- PID 400: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://alweddca.icu/moneynetwork/390
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - PID 3388: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff829c546f8,0x7ff829c54708,0x7ff829c54718
  - PID 2632: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,7827063172360097611,5913675866994113960,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
  - PID 4736: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,7827063172360097611,5913675866994113960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 708: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,7827063172360097611,5913675866994113960,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  - PID 1988: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7827063172360097611,5913675866994113960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  - PID 348: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7827063172360097611,5913675866994113960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  - PID 3008: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,7827063172360097611,5913675866994113960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  - PID 5056: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,7827063172360097611,5913675866994113960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 4772: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7827063172360097611,5913675866994113960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
  - PID 4324: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7827063172360097611,5913675866994113960,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  - PID 4376: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7827063172360097611,5913675866994113960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  - PID 3496: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7827063172360097611,5913675866994113960,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  - PID 2736: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7827063172360097611,5913675866994113960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
- PID 3636: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 4004: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: dc058ebc0f8181946a312f0be99ed79c
  SHA1: 0c6f376ed8f2d4c275336048c7c9ef9edf18bff0
  SHA256: 378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a
  SHA512: 36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa
- Filesize: 152B
  MD5: a0486d6f8406d852dd805b66ff467692
  SHA1: 77ba1f63142e86b21c951b808f4bc5d8ed89b571
  SHA256: c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be
  SHA512: 065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 72B
  MD5: 9b2f4f64c3d4a59f675ce281131b2f16
  SHA1: 17b3c95f73f8cefa0cbf48d4864221add9e91634
  SHA256: 650366a9249f4a06d1f50f1b579e16fd94d1ace6812a9ededf471597e61c8a0c
  SHA512: 13e2b784340fbd2150d26fd8a7316240c6d6546a592df8576bc0a4eace6e9baea37f836d83651681c47cc59f33dc9228ac7be5966f3d6d91d7003f46a68b5837
- Filesize: 540B
  MD5: 459ed55f96a2f8945f1aff69951c8d5d
  SHA1: e4de21f1a0b23a83674b278d18984c7089c86383
  SHA256: b5de098469df3a294ab47b05ef434c8cad513d8d5f2e42b222a640b8ab92298a
  SHA512: 69037f64c28f75199d25d0bc5fe6e328e3ac951dec29c3c5add595fc6f54812962144bfc08a01f3466941ef6fac6742cd74fbfcf6700925b347024d4ccf0d295
- Filesize: 5KB
  MD5: e449273cfdec888c728065e776df7764
  SHA1: 84ff0fecacf15ee05c300aa1696a6f9ace88ae57
  SHA256: a1daab20448feca2bb8820f01199967f17abb1e8c5773a77671a8c208f5df088
  SHA512: 6e387a67fd6f74fda30e26b1f7abe9a36dc80b46ebbd115b786a61862b2699a2d1960aa750f60d189a140c312b4d9b9f1bdf1d3ba2cfa786fcfb8d7e5bc74af4
- Filesize: 6KB
  MD5: 29eca5d4f1d2efec482bcbb1ad09c765
  SHA1: 350d92034b54492c90d12d2f2a5e2edd0f295510
  SHA256: 88de63b26db0507ab3249ba55d07b701ad5d3dcb5ebb8ebe9c7ce7df28b38631
  SHA512: bd3401cfae9f6f767aece1fee101069aa3db0cb1124e8b0de8a6e2904a25b32897312757ed7879dc5aa5522a38657368ff97005bc9bfff6700f3ed9a8189f84a
- Filesize: 6KB
  MD5: 871ada0d5aa37f2d3633f08576c02476
  SHA1: 7f29bfb18368d29a9ab7ab59b324a0b01f21acb9
  SHA256: 560e95fd89545fbfe6995c63c6e09e8865f732d3fdc9e46615b91b132eab814b
  SHA512: 6f6125cda45e19b313963322fdc3f4353da9940f13597c71b354ece242f9004379bfc9aeffb20d6b1b048697491be959e9ad27b2da364990db7f9cd5439c64ec
- Filesize: 6KB
  MD5: 3cd9ab0784f179db9128a85390ef6e4f
  SHA1: 1a8ff6acf150a2990d5f03d04b15721251445a68
  SHA256: 1c62b280b4b5c2a4e420ea64989f0bbf2c321fcac5b2f1cf4202a35df59210a0
  SHA512: c81851e81b476682e03d4284019413d00287f0a5c67da5b156c4ca6a83127db5a43f445cb8152f2596191d1e1184323d04675fe69125226f1b32a51ca21fff68
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 10KB
  MD5: d62ba341c275e0e1317defb5746766b1
  SHA1: 6258e287e3eb2e4f373bdfc2d7cc106a9fb96d7e
  SHA256: 200cab8fef72e0a0ffa0ca1eb948619bdabb2a7cd9f0df79195600213bebf0a9
  SHA512: a7a39f568ca1f63a61f391d09abb7726f7553e15f04d4288d69d8bfa23201dab05e189ff9a9abf4519ccc4e9514f4d24e574cab97797f6e4b1bd9ad94d083669
- Filesize: 10KB
  MD5: 6306aefdadd6117f2b44046af43a7ff7
  SHA1: 0187e05ee29330d2edb9416aac7abd4e5a981006
  SHA256: f1e830333051dc1552c171a5c736f5d527d9e68948c03bf512c3c98a91e5f253
  SHA512: 9d831c923e3de883b66dd8d6cfe7e35447cff94e12d4f390a6fc52300da9766c1a4e1a8a9f13c8f3fbe2f22f17282255ba472f73d3f30e8babdcd2b9b834d89b