Analysis

  • max time kernel
    1681s
  • max time network
    1687s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    20/11/2024, 02:20

General

  • Target

    https://the1oomisagency.com/thyu/

Score
5/10

Malware Config

Signatures

  • Probable phishing domain 1 TTPs 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://the1oomisagency.com/thyu/
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2768
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff924a13cb8,0x7ff924a13cc8,0x7ff924a13cd8
      2⤵
        PID:1728
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1816,12136106444886017428,6022597742582871164,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
        2⤵
          PID:232
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1816,12136106444886017428,6022597742582871164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3708
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1816,12136106444886017428,6022597742582871164,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8
          2⤵
            PID:3344
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,12136106444886017428,6022597742582871164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
            2⤵
              PID:752
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,12136106444886017428,6022597742582871164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
              2⤵
                PID:3728
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,12136106444886017428,6022597742582871164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4368 /prefetch:1
                2⤵
                  PID:5964
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,12136106444886017428,6022597742582871164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3872 /prefetch:1
                  2⤵
                    PID:5628
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,12136106444886017428,6022597742582871164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
                    2⤵
                      PID:3152
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1816,12136106444886017428,6022597742582871164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 /prefetch:8
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:5112
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,12136106444886017428,6022597742582871164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
                      2⤵
                        PID:4840
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,12136106444886017428,6022597742582871164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
                        2⤵
                          PID:5092
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,12136106444886017428,6022597742582871164,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
                          2⤵
                            PID:4264
                          • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1816,12136106444886017428,6022597742582871164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4520 /prefetch:8
                            2⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:5528
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,12136106444886017428,6022597742582871164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
                            2⤵
                              PID:1112
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,12136106444886017428,6022597742582871164,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
                              2⤵
                                PID:1340
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1816,12136106444886017428,6022597742582871164,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5816 /prefetch:2
                                2⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:5920
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:728
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:5776

                                Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                  Filesize

                                  152B

                                  MD5

                                  826c7cac03e3ae47bfe2a7e50281605e

                                  SHA1

                                  100fbea3e078edec43db48c3312fbbf83f11fca0

                                  SHA256

                                  239b1d7cc6f76e1d1832b0587664f114f38a21539cb8548e25626ed5053ea2ab

                                  SHA512

                                  a82f3c817a6460fd8907a4ac6ab37c2129fb5466707edcfb565c255680d7f7212a5669fe2a42976150f16e4e549ea8310078f22ed35514ee1b7b45b46d8cc96e

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                  Filesize

                                  152B

                                  MD5

                                  02a4b762e84a74f9ee8a7d8ddd34fedb

                                  SHA1

                                  4a870e3bd7fd56235062789d780610f95e3b8785

                                  SHA256

                                  366e497233268d7cdf699242e4b2c7ecc1999d0a84e12744f5af2b638e9d86da

                                  SHA512

                                  19028c45f2e05a0cb32865a2554513c1536bf9da63512ff4e964c94a3e171f373493c7787d2d2a6df8012648bbefab63a9de924f119c50c39c727cf81bdc659f

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                  Filesize

                                  144B

                                  MD5

                                  b393c0866f18a7cb4cc8a86328684dc6

                                  SHA1

                                  f8b7da5f87c39c0cf9ac6a155c1bdb8a3e9329aa

                                  SHA256

                                  8b1ee52b7bc3a9ec03a370d1a35d3522a4bacea59809afb3afd0813ec970e34a

                                  SHA512

                                  380cb6d9fa9097fb740dc62827942fd1b71475e1ca2efc2e6426c420c26b439bb58a5fa8c3d51853aff73dcfb9a7a63b55ffdd5f2ff7622428c86d78709d11b5

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                  Filesize

                                  708B

                                  MD5

                                  a967f0f2980933423617f6b44f200061

                                  SHA1

                                  187d1f173948bc579ad56fdf7c0cb44b862bdca3

                                  SHA256

                                  85fc691c937a3241c269b3fff633547896ef33a67a082434fb6eafd391220cf2

                                  SHA512

                                  1e9bd133e5d25d99a56a5d247a8704df3566b3975106a3182a35aaf1268c462cf47a9c9d39467a14d317122a0d0f1afb7d21060c4b042a098cf8116e1d5fab38

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                  Filesize

                                  708B

                                  MD5

                                  b1a99934476d73ce28f1e010a76ebf61

                                  SHA1

                                  9791d747347f76fcc9335402e871a1747589cfbd

                                  SHA256

                                  919464ccf357857f1eb7069d686f9497806eb801a0e5deda6a5aa8ec3da5f615

                                  SHA512

                                  d5c9f5f90c4e86187ca3967780919d02d4360c4351ecbf0a7d8cf3e375b445c1b4a43703705577f5c303c9025df785d7c625fd5bc743453e7cf920b148309e3b

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                  Filesize

                                  5KB

                                  MD5

                                  0f405470195e223cb8d0be1bdad75fc2

                                  SHA1

                                  61436f775b406285108ea4af362b940806fb8b5c

                                  SHA256

                                  b36ce958e348f3df7813b93017a6545826e685e8766c0a08bee863969a4230bd

                                  SHA512

                                  d588934ba9d0ba8181b88bacb60c13874b85b14e6a7e3cad79afe44df1dd7a72cad67ad06e53251fdca25a7befc0744f1336374cb82d1d7a1bb9aa5cac24561e

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                  Filesize

                                  6KB

                                  MD5

                                  091f67824aff1cb3157048c04c796764

                                  SHA1

                                  b212c82c0e0d697ce196d34800c98fdc51562583

                                  SHA256

                                  49752cb49ea20ad68206f3ddbb547cfc1f75e1e51c042878c1b471a5d1ca06b9

                                  SHA512

                                  1b0ed237154daf54b681576417cfb1c4926fb521b84f32919b1602d9214101d47d09b46e1a5a16ca4e490b6083bc49f1943bfce8746f9fc7cf868d49cf2185b3

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                  Filesize

                                  16B

                                  MD5

                                  6752a1d65b201c13b62ea44016eb221f

                                  SHA1

                                  58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                  SHA256

                                  0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                  SHA512

                                  9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                  Filesize

                                  10KB

                                  MD5

                                  4069c8b919d107805182fc5294a70885

                                  SHA1

                                  e5d54cf93c240758928d2dc9bd314c95c98a2d5f

                                  SHA256

                                  c4e883f4ab93bbba75939747146a9180a3368f4870e55921e58d09adaf589a7c

                                  SHA512

                                  09975c4a4d084801294c1abeda52dbc9b832b4243af368db2bb396e3b228f8a29b5288a392dd7d734ee97a546f200fd13366038dc9cd4094d6418ac12722ae6c