hxxp://g[.]deev[.]is

Resubmissions

19-11-2024 15:58

241119-tef36sxpcz 3

19-11-2024 15:53

19-11-2024 15:30

19-11-2024 15:06

19-11-2024 15:04

Analysis

max time kernel
480s
max time network
487s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
19-11-2024 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://g.deev.is

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
1408	msedge.exe
1408	msedge.exe
4656	msedge.exe
4656	msedge.exe
2252	identity_helper.exe
2252	identity_helper.exe
4088	msedge.exe
4088	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4656 msedge.exe
4656 msedge.exe
4656 msedge.exe
4656 msedge.exe
4656 msedge.exe
4656 msedge.exe
4656 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4656 wrote to memory of 3860	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 3860	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4888	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 1408	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 1408	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2848	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2848	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2848	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2848	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2848	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2848	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2848	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2848	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2848	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2848	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2848	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2848	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2848	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2848	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2848	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2848	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2848	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2848	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2848	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2848	4656	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://g.deev.is
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb74c23cb8,0x7ffb74c23cc8,0x7ffb74c23cd8
  2⤵
  PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,7126858557340611828,11448179776033148610,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,7126858557340611828,11448179776033148610,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,7126858557340611828,11448179776033148610,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
  2⤵
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,7126858557340611828,11448179776033148610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,7126858557340611828,11448179776033148610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,7126858557340611828,11448179776033148610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
  2⤵
  PID:924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,7126858557340611828,11448179776033148610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,7126858557340611828,11448179776033148610,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,7126858557340611828,11448179776033148610,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,7126858557340611828,11448179776033148610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,7126858557340611828,11448179776033148610,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,7126858557340611828,11448179776033148610,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,7126858557340611828,11448179776033148610,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5232 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2332

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2780

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e9a2c784e6d797d91d4b8612e14d51bd

SHA1
25e2b07c396ee82e4404af09424f747fc05f04c2

SHA256
18ddbb93c981d8006071f9d26924ce3357cad212cbb65f48812d4a474c197ce6

SHA512
fc35688ae3cd448ed6b2069d39ce1219612c54f5bb0dd7b707c9e6f39450fe9fb1338cf5bd0b82a45207fac2fbab1e0eae77e5c9e6488371390eab45f76a5df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1fc959921446fa3ab5813f75ca4d0235

SHA1
0aeef3ba7ba2aa1f725fca09432d384b06995e2a

SHA256
1b1e89d3b2f3da84cc8494d07cf0babc472c426ccb1c4ae13398243360c9d02c

SHA512
899d1e1b0feece25ac97527daddcaaeb069cb428532477849eba43a627502c590261f2c26fef31e4e20efd3d7eb0815336a784c4d2888e05afcf5477af872b06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
572B

MD5
7b8bc73e17758a6da40b2938c403f8ec

SHA1
1f488e17aaf7bf81fdafca5c5ba0843705a120df

SHA256
315598c2a5db5464f5c01cec0eec8c6292627e1e05ed96ff44117a31b5f4ff43

SHA512
7c756bf3b1be6ef03f85a8af002e2fe54a8f0de8b8ffb600b13e77b24b1f62f5ff69f4a7ff490d6840fd9357bcd0f07bbf689c28f481f7cc62f3bf8c83609cc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
77c02a83b5959fd934334ed4b4b6dbda

SHA1
e8891f7a756531061c749bbd36421ebe3660f3eb

SHA256
96f90c001f1cc6263f06e1aed91bfbdd00236c19cbb947c29f114ca54456f97e

SHA512
510a6f24b308f07b2be15b77ef9b967bc5fcc059061756396476619372dc5fb8754cae6e4b308ca6e996c559cd22bb3631c6020fa86c506c486b4905f013a5cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a1732b4ada93158caffcd42f0329f25d

SHA1
7151aec098ca646e9eaaf15dd90056afaea7a169

SHA256
ea9ffe83a2493f8ebdc828e27e2ad74f39d0095ac3849ffd5bf7b42f4223af75

SHA512
aad1170ec6194f84fc5bdcd79b78cbd7425e84b59a215e5f377c5794961e5f89d11476dca84b8b9edffb52887071d40b216d812edbbe821dd5729fa81d851f61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e4b69c11bcce327d223046d4df785540

SHA1
40f3618e309435cfc0c346d793eaefbd2a30ada6

SHA256
67ea024fab189e950f529f35ea185ba4c6e88b30fd879a451f09ae818a41416c

SHA512
0a982aabb1707103901e086496db636fa7890b2cb712444774fa72af500d91c5473a14b4f1192ac28edbad925b9c854f090a2ab8ec8a5e189e618d8643dd74f7

Download Submit
\??\pipe\LOCAL\crashpad_4656_WUOMCLPEBHIVERWT

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit