Analysis

- max time kernel: 35s
- max time network: 33s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 09/11/2024, 21:21
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
  - Sample: https://rebrand.ly/freeminecraft
  - Resource: win11-20241007-en

General

- Target: https://rebrand.ly/freeminecraft
Malware Config
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe |

Suspicious behavior: EnumeratesProcesses (8 IoCs)

| pid | Process | entries |
| --- | --- | --- |
| 5000 | msedge.exe | 2 |
| 812 | msedge.exe | 2 |
| 1660 | msedge.exe | 2 |
| 5008 | identity_helper.exe | 2 |

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)

| pid | Process | entries |
| --- | --- | --- |
| 812 | msedge.exe | 8 |

Suspicious use of FindShellTrayWindow (25 IoCs)

| pid | Process | entries |
| --- | --- | --- |
| 812 | msedge.exe | 25 |

Suspicious use of SendNotifyMessage (12 IoCs)

| pid | Process | entries |
| --- | --- | --- |
| 812 | msedge.exe | 12 |

Suspicious use of WriteProcessMemory (64 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 812 wrote to memory of 3132 | 812 | msedge.exe | 79 |
| PID 812 wrote to memory of 4276 | 812 | msedge.exe | 80 |
| PID 812 wrote to memory of 5000 | 812 | msedge.exe | 81 |
| PID 812 wrote to memory of 4664 | 812 | msedge.exe | 82 |

The report lists each of these rows repeatedly (one entry per write), 64 entries in total, most of them against 4276 and 4664. All four targets (3132, 4276, 5000, 4664) are msedge.exe child processes of PID 812 in the process tree below.
Processes

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 812)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://rebrand.ly/freeminecraft
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3132)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc976d3cb8,0x7ffc976d3cc8,0x7ffc976d3cd8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4276)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,14477113417481488532,17848972949310240016,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1880 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5000)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,14477113417481488532,17848972949310240016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4664)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,14477113417481488532,17848972949310240016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1648)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14477113417481488532,17848972949310240016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2348)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14477113417481488532,17848972949310240016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3164)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14477113417481488532,17848972949310240016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1660)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,14477113417481488532,17848972949310240016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 668)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14477113417481488532,17848972949310240016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe (PID 5008)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,14477113417481488532,17848972949310240016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4404)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14477113417481488532,17848972949310240016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3144)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14477113417481488532,17848972949310240016,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2132 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2772)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14477113417481488532,17848972949310240016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4108)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14477113417481488532,17848972949310240016,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
- C:\Windows\System32\CompPkgSrv.exe (PID 1856)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 4444)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads