Analysis
-
max time kernel
50s -
max time network
61s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
19/11/2024, 13:38
General
-
Target
https://eu-west-1.protection.sophos.com/?d=a0b.biz&u=aHR0cHM6Ly9hMGIuYml6L3I_c19rPTd4NHFrVk5wWDI=&i=NTllOTgzNDdiZTFkMTcxMmJkNDIwMWVi&t=UUpTWVRHMXFmQVh0T2Z3MVFmZ2dXRUpua1RISTdyUnZKM3kvZ2FaMDJUaz0=&h=f2b08f70a93d4b31a1bf5f9768fa4576&s=AVNPUEhUT0NFTkNSWVBUSVaBIj3NtGFDJPGniyDqrifb83bsyO7URSZZuJ7U5Xgj0A
Malware Config
Signatures
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://eu-west-1.protection.sophos.com/?d=a0b.biz&u=aHR0cHM6Ly9hMGIuYml6L3I_c19rPTd4NHFrVk5wWDI=&i=NTllOTgzNDdiZTFkMTcxMmJkNDIwMWVi&t=UUpTWVRHMXFmQVh0T2Z3MVFmZ2dXRUpua1RISTdyUnZKM3kvZ2FaMDJUaz0=&h=f2b08f70a93d4b31a1bf5f9768fa4576&s=AVNPUEhUT0NFTkNSWVBUSVaBIj3NtGFDJPGniyDqrifb83bsyO7URSZZuJ7U5Xgj0A1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc8adf46f8,0x7ffc8adf4708,0x7ffc8adf47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,17217210432538237446,3822671008328227401,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,17217210432538237446,3822671008328227401,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,17217210432538237446,3822671008328227401,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2508 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17217210432538237446,3822671008328227401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17217210432538237446,3822671008328227401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17217210432538237446,3822671008328227401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17217210432538237446,3822671008328227401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17217210432538237446,3822671008328227401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17217210432538237446,3822671008328227401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,17217210432538237446,3822671008328227401,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6208 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,17217210432538237446,3822671008328227401,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6208 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17217210432538237446,3822671008328227401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17217210432538237446,3822671008328227401,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17217210432538237446,3822671008328227401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17217210432538237446,3822671008328227401,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5bffcefacce25cd03f3d5c9446ddb903d
SHA18923f84aa86db316d2f5c122fe3874bbe26f3bab
SHA25623e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405
SHA512761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7
-
Filesize
152B
MD5d22073dea53e79d9b824f27ac5e9813e
SHA16d8a7281241248431a1571e6ddc55798b01fa961
SHA25686713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6
SHA51297152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413
-
Filesize
648B
MD582ab0a8d2e410a1f5b694c511373ca20
SHA1d3811b29b2d1a7dd257d598c951968097db44f7c
SHA256775c6737c9cabaf3d9dfaa4dbcd968a29f10646c7b7ec7252ba878bd4b5a7fc3
SHA51255717e32ed6b9841c36a9f6c554180e42e7dd14116755bff401c4004f24544e2fb0dbc245049f6a1cbe6da3283fe5e2e11178b6ca52b267481393fdd2bf535a2
-
Filesize
5KB
MD5c9a30cd431cc9352699917527a32be43
SHA1b9b283070037d39bf363289fddab6d89d1bcc85a
SHA2568a80c46d453b9d0bf3d9b84c20de2e15a225cc25ae80a70769f74fb9112bf781
SHA512a28846d61b3c7579f34cc643352eff373da5ddd6294b68ee8759cdb345ba69f1489cc4daacced9919658f93ed4481650131063c6b4751ca250f4d263350fe156
-
Filesize
8KB
MD56ad5bee0d11a771ef363ce8f26657532
SHA1ca31875fe0eba891c8811fc9649b6d85628adf42
SHA256cdabdb7be24177e0655e362af5e72d783f70388d04f18e7fd1c7216d01e84479
SHA512dd5a216cf39b4b46c0909917192030b790074fe6dd0671f989655617c0346388f053f1c89d927573c2bb2133aed240fb6970a9faba9d3729a1b20c4e4ace4c76
-
Filesize
9KB
MD5fb9c7503b29049664e3c1132693a336a
SHA18ea2572443f826ad9c1b9236c4e5b215d119a52b
SHA256ff0a1a0e452ad23b975de3c7b012d944e26eff0ff4c04b3f9d94cad6da494cf1
SHA5128a17d3f77a5859db9e8b0bb47a691cc8e8d89d736177e603f20db99364bdefb37175bc82efb435ef7add7f6928432e171bad3b41027b617b91b97d962a61c7ce
-
Filesize
96B
MD5023b19861b7c0b8d04fa5111c91aaa83
SHA115c3f97105b972dd55496846fd3babe33c8082e9
SHA256cffd561aee12ba5ca615d270b4eb396fb7ff6d605a959b950fd073310bd91cdb
SHA512aa7c1c6662a5473718d3484720663d566f95effbfc4b70eccf3335d429a9af12331f15158537c275de702bfef8512168a481a5ef81b5fb2f1610e0c9645008a3
-
Filesize
48B
MD5ee00f33eddc519ae298b1887c1d060a5
SHA12fa0cfeb6ded9273cd8064bd37150e176100405d
SHA2561a138d63945b2e98fa0226053aad9805e6a32ec90814b175504a085ada5c99a0
SHA512b8538bf9d897b609fc8bdfbccab29fcbe36123b18392294179c8694160c26c9c6ebe3701fba3fb599e7ed8599649aef57a885eb0671678b174e40dca68ab6976
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5108a759b12b27cfd186ffa359f4683fe
SHA1ee2c9ecf9bb234b5a3e4a70952bd962c17dc17df
SHA2565b07ef277effdfcdd9304fc9c38e65e62baded7aaa695fca48dc0e56d28cdcaf
SHA51276b812efecf020f6986ee9f5a1cd054b9dce7b3c1103f8f322a12fd5f96b285c4eeb0491589a6007e600ec244a7b4a9119c2f6312c33abecfea7426a41a9b19b