Analysis
max time kernel
1681s
max time network
1687s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags
arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted
20/11/2024, 02:20
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://the1oomisagency.com/thyu/
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
https://the1oomisagency.com/thyu/
Resource
win7-20240903-en
Behavioral task
behavioral3
Sample
https://the1oomisagency.com/thyu/
Resource
win10v2004-20241007-en
Behavioral task
behavioral4
Sample
https://the1oomisagency.com/thyu/
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral5
Sample
https://the1oomisagency.com/thyu/
Resource
win11-20241007-en
General
Target
https://the1oomisagency.com/thyu/
Malware Config
Signatures
Probable phishing domain 1 TTPs 1 IoCs
  description: HTTP URL
  flow: 5
  stream: 3
  ioc: https://the1oomisagency.com/cdn-cgi/challenge-platform/h/b/orchestrate/chl_page/v1?ray=8e54f903bd4a7786
Enumerates system info in registry 2 TTPs 3 IoCs
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Suspicious behavior: EnumeratesProcesses 12 IoCs
  pid / Process (count): 3708 msedge.exe (2), 2768 msedge.exe (2), 5112 msedge.exe (2), 5528 identity_helper.exe (2), 5920 msedge.exe (4)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  pid / Process (count): 2768 msedge.exe (10)
Suspicious use of FindShellTrayWindow 25 IoCs
  pid / Process (count): 2768 msedge.exe (25)
Suspicious use of SendNotifyMessage 12 IoCs
  pid / Process (count): 2768 msedge.exe (12)
Suspicious use of WriteProcessMemory 64 IoCs
  description / pid / Process / procid_target (count):
  PID 2768 wrote to memory of 1728 / 2768 / msedge.exe / 79 (2)
  PID 2768 wrote to memory of 232 / 2768 / msedge.exe / 80 (40)
  PID 2768 wrote to memory of 3708 / 2768 / msedge.exe / 81 (2)
  PID 2768 wrote to memory of 3344 / 2768 / msedge.exe / 82 (20)
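Every WriteProcessMemory, EnumeratesProcesses, FindShellTrayWindow and SendNotifyMessage hit above originates from the Edge browser process (PID 2768) or one of the service and renderer children it launched, which is how a Chromium multi-process browser starts; none of them says anything about the submitted URL. The check a triager actually wants from this section is whether any write landed in a process the writer did not spawn. The script below is an added example written by the editor, not part of the sandbox report or its signature engine: it parses the flattened `PID <src> wrote to memory of <dst> <pid> <image> <procid_target>` rows, collapses repeats, and compares each target against a process tree hand-built from the Processes section. The tree is a constructed subset of the report, the expected-noise rule (parent-to-direct-child writes are normal) is the editor's heuristic, and the single `2768 -> 728` row in HYPOTHETICAL_IOCS is invented to show what a flagged write looks like; the report contains no such write.

```python
"""Triage check for the "Suspicious use of WriteProcessMemory" signature.

Added example (editor's code, not part of the sandbox report or its rules).
Heuristic, stated as an assumption: a Chromium-based browser such as
msedge.exe writes into every child it launches, so writer -> direct-child
rows are expected noise; only a write into a process the writer did not
spawn is worth a closer look.
"""
import re
from collections import Counter

# Subset of the report's Processes section: pid -> (parent pid, image).
# None marks a top-level process. Constructed by hand from the report.
PROCESS_TREE = {
    2768: (None, "msedge.exe"),           # browser process, opened the URL
    1728: (2768, "msedge.exe"),           # --type=crashpad-handler
    232:  (2768, "msedge.exe"),           # --type=gpu-process
    3708: (2768, "msedge.exe"),           # network.mojom.NetworkService
    3344: (2768, "msedge.exe"),           # storage.mojom.StorageService
    752:  (2768, "msedge.exe"),           # --type=renderer
    5528: (2768, "identity_helper.exe"),  # WinrtAppIdService
    728:  (None, "CompPkgSrv.exe"),       # COM server, not a browser child
}

# Report columns: description | pid | Process | procid_target.
# REPORT_IOCS: both 1728 rows plus one row per other target, verbatim.
REPORT_IOCS = (
    "PID 2768 wrote to memory of 1728 2768 msedge.exe 79 "
    "PID 2768 wrote to memory of 1728 2768 msedge.exe 79 "
    "PID 2768 wrote to memory of 232 2768 msedge.exe 80 "
    "PID 2768 wrote to memory of 3708 2768 msedge.exe 81 "
    "PID 2768 wrote to memory of 3344 2768 msedge.exe 82"
)
# Hypothetical row, NOT in the report: a write into CompPkgSrv.exe.
HYPOTHETICAL_IOCS = REPORT_IOCS + " PID 2768 wrote to memory of 728 2768 msedge.exe 99"

ROW = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P<pid>\d+) (?P<image>\S+) (?P<procid>\d+)"
)


def parse_write_events(text):
    """Collapse the flattened rows into Counter[(src_pid, dst_pid, image)]."""
    events = Counter()
    for m in ROW.finditer(text):
        # The pid column must repeat the writer named in the description.
        if m["src"] != m["pid"]:
            raise ValueError(f"inconsistent row: {m.group(0)}")
        events[(int(m["src"]), int(m["dst"]), m["image"])] += 1
    return events


def cross_process_writes(events, tree):
    """Rows whose target is not a direct child of the writer, or is unknown."""
    flagged = []
    for (src, dst, _image), count in events.items():
        parent, target_image = tree.get(dst, (None, "<not in tree>"))
        if parent != src:
            flagged.append({"src": src, "dst": dst,
                            "target_image": target_image, "count": count})
    return flagged


def summarize(text=REPORT_IOCS, tree=PROCESS_TREE):
    """Totals plus the writes that break the parent-to-child expectation."""
    events = parse_write_events(text)
    return {
        "total": sum(events.values()),
        "distinct_pairs": len(events),
        "flagged": cross_process_writes(events, tree),
    }


if __name__ == "__main__":
    for label, text in (("report", REPORT_IOCS), ("hypothetical", HYPOTHETICAL_IOCS)):
        r = summarize(text)
        print(f"{label}: {r['total']} writes, {r['distinct_pairs']} writer/target pairs")
        for f in r["flagged"]:
            print(f"  FLAG pid {f['src']} -> pid {f['dst']} ({f['target_image']}) x{f['count']}")
```

On the report's own rows the flagged list is empty: all 64 writes go from 2768 into its crashpad, GPU, network and storage children. The same parser run on a full report would also surface a writer whose pid column disagrees with its description, which is the kind of extraction damage that otherwise silently corrupts a count.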
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://the1oomisagency.com/thyu/
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2768
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff924a13cb8,0x7ff924a13cc8,0x7ff924a13cd8
    PID:1728
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1816,12136106444886017428,6022597742582871164,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
    PID:232
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1816,12136106444886017428,6022597742582871164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID:3708
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1816,12136106444886017428,6022597742582871164,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8
    PID:3344
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,12136106444886017428,6022597742582871164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
    PID:752
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,12136106444886017428,6022597742582871164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
    PID:3728
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,12136106444886017428,6022597742582871164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4368 /prefetch:1
    PID:5964
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,12136106444886017428,6022597742582871164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3872 /prefetch:1
    PID:5628
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,12136106444886017428,6022597742582871164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
    PID:3152
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1816,12136106444886017428,6022597742582871164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID:5112
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,12136106444886017428,6022597742582871164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
    PID:4840
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,12136106444886017428,6022597742582871164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
    PID:5092
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,12136106444886017428,6022597742582871164,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
    PID:4264
  - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1816,12136106444886017428,6022597742582871164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4520 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID:5528
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,12136106444886017428,6022597742582871164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
    PID:1112
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,12136106444886017428,6022597742582871164,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
    PID:1340
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1816,12136106444886017428,6022597742582871164,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5816 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
    PID:5920
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:728
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:5776
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: 826c7cac03e3ae47bfe2a7e50281605e
  SHA1: 100fbea3e078edec43db48c3312fbbf83f11fca0
  SHA256: 239b1d7cc6f76e1d1832b0587664f114f38a21539cb8548e25626ed5053ea2ab
  SHA512: a82f3c817a6460fd8907a4ac6ab37c2129fb5466707edcfb565c255680d7f7212a5669fe2a42976150f16e4e549ea8310078f22ed35514ee1b7b45b46d8cc96e
- Filesize: 152B
  MD5: 02a4b762e84a74f9ee8a7d8ddd34fedb
  SHA1: 4a870e3bd7fd56235062789d780610f95e3b8785
  SHA256: 366e497233268d7cdf699242e4b2c7ecc1999d0a84e12744f5af2b638e9d86da
  SHA512: 19028c45f2e05a0cb32865a2554513c1536bf9da63512ff4e964c94a3e171f373493c7787d2d2a6df8012648bbefab63a9de924f119c50c39c727cf81bdc659f
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 144B
  MD5: b393c0866f18a7cb4cc8a86328684dc6
  SHA1: f8b7da5f87c39c0cf9ac6a155c1bdb8a3e9329aa
  SHA256: 8b1ee52b7bc3a9ec03a370d1a35d3522a4bacea59809afb3afd0813ec970e34a
  SHA512: 380cb6d9fa9097fb740dc62827942fd1b71475e1ca2efc2e6426c420c26b439bb58a5fa8c3d51853aff73dcfb9a7a63b55ffdd5f2ff7622428c86d78709d11b5
- Filesize: 708B
  MD5: a967f0f2980933423617f6b44f200061
  SHA1: 187d1f173948bc579ad56fdf7c0cb44b862bdca3
  SHA256: 85fc691c937a3241c269b3fff633547896ef33a67a082434fb6eafd391220cf2
  SHA512: 1e9bd133e5d25d99a56a5d247a8704df3566b3975106a3182a35aaf1268c462cf47a9c9d39467a14d317122a0d0f1afb7d21060c4b042a098cf8116e1d5fab38
- Filesize: 708B
  MD5: b1a99934476d73ce28f1e010a76ebf61
  SHA1: 9791d747347f76fcc9335402e871a1747589cfbd
  SHA256: 919464ccf357857f1eb7069d686f9497806eb801a0e5deda6a5aa8ec3da5f615
  SHA512: d5c9f5f90c4e86187ca3967780919d02d4360c4351ecbf0a7d8cf3e375b445c1b4a43703705577f5c303c9025df785d7c625fd5bc743453e7cf920b148309e3b
- Filesize: 5KB
  MD5: 0f405470195e223cb8d0be1bdad75fc2
  SHA1: 61436f775b406285108ea4af362b940806fb8b5c
  SHA256: b36ce958e348f3df7813b93017a6545826e685e8766c0a08bee863969a4230bd
  SHA512: d588934ba9d0ba8181b88bacb60c13874b85b14e6a7e3cad79afe44df1dd7a72cad67ad06e53251fdca25a7befc0744f1336374cb82d1d7a1bb9aa5cac24561e
- Filesize: 6KB
  MD5: 091f67824aff1cb3157048c04c796764
  SHA1: b212c82c0e0d697ce196d34800c98fdc51562583
  SHA256: 49752cb49ea20ad68206f3ddbb547cfc1f75e1e51c042878c1b471a5d1ca06b9
  SHA512: 1b0ed237154daf54b681576417cfb1c4926fb521b84f32919b1602d9214101d47d09b46e1a5a16ca4e490b6083bc49f1943bfce8746f9fc7cf868d49cf2185b3
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 10KB
  MD5: 4069c8b919d107805182fc5294a70885
  SHA1: e5d54cf93c240758928d2dc9bd314c95c98a2d5f
  SHA256: c4e883f4ab93bbba75939747146a9180a3368f4870e55921e58d09adaf589a7c
  SHA512: 09975c4a4d084801294c1abeda52dbc9b832b4243af368db2bb396e3b228f8a29b5288a392dd7d734ee97a546f200fd13366038dc9cd4094d6418ac12722ae6c
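The Downloads section records files the sandbox saw written to disk, not files fetched from the target: the only entry with a path sits inside the Edge profile's Code Cache, and the rest carry no path at all, so none of them can be attributed to https://the1oomisagency.com/thyu/ without more evidence. Before any of these hashes goes into a blocklist it should be parsed, length-checked and tagged. The parser below is an added example written by the editor, not part of the report: it accepts both layouts the extracted page used (`Filesize` on its own line and `Filesize144B` fused, algorithm name glued to the digest), rejects a digest whose length does not match its algorithm, and tags anything under the Edge `User Data` directory as a browser artifact. The profile-directory rule, the tag names and the two-entry sample text (copied from the report; the first entry has no recorded path) are the editor's constructions.

```python
"""Turn the report's Downloads section into tagged file IoCs.

Added example (editor's code, not part of the sandbox report). Assumption,
the editor's: a file under the Edge profile directory ("User Data") is a
browser artifact written by Edge itself and must not be treated as a payload
hash; an entry with no recorded path cannot be attributed to the target.
"""
import re

# Two entries constructed from the report, in the fused layout the extracted
# page used (algorithm glued to the digest, size sometimes on its own line).
DOWNLOADS_TEXT = """
-
Filesize
152B
MD5826c7cac03e3ae47bfe2a7e50281605e
SHA1100fbea3e078edec43db48c3312fbbf83f11fca0
SHA256239b1d7cc6f76e1d1832b0587664f114f38a21539cb8548e25626ed5053ea2ab
SHA512a82f3c817a6460fd8907a4ac6ab37c2129fb5466707edcfb565c255680d7f7212a5669fe2a42976150f16e4e549ea8310078f22ed35514ee1b7b45b46d8cc96e
-
C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Code Cache\\js\\index-dir\\the-real-index
Filesize144B
MD5b393c0866f18a7cb4cc8a86328684dc6
SHA1f8b7da5f87c39c0cf9ac6a155c1bdb8a3e9329aa
SHA2568b1ee52b7bc3a9ec03a370d1a35d3522a4bacea59809afb3afd0813ec970e34a
SHA512380cb6d9fa9097fb740dc62827942fd1b71475e1ca2efc2e6426c420c26b439bb58a5fa8c3d51853aff73dcfb9a7a63b55ffdd5f2ff7622428c86d78709d11b5
"""

HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*([0-9a-fA-F]+)$")
SIZE_LINE = re.compile(r"^Filesize\s*(\d+)\s*(B|KB|MB)$")
SIZE_MULT = {"B": 1, "KB": 1024, "MB": 1024 * 1024}  # KB/MB are rounded in the report
PROFILE_DIR = "\\AppData\\Local\\Microsoft\\Edge\\User Data\\"  # editor's rule


def parse_downloads(text):
    """Parse '-'-separated entries; raise ValueError on malformed input."""
    # Fold the split layout ("Filesize" then "152B") into the fused one.
    text = re.sub(r"^Filesize\n", "Filesize", text, flags=re.M)
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":
            cur = {"path": None, "size": None, "hashes": {}}
            entries.append(cur)
            continue
        if cur is None:
            raise ValueError(f"data before first entry marker: {line}")
        if m := SIZE_LINE.match(line):
            cur["size"] = int(m[1]) * SIZE_MULT[m[2]]
        elif m := HASH_LINE.match(line):
            algo, digest = m[1], m[2].lower()
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{algo} digest has {len(digest)} hex chars")
            cur["hashes"][algo] = digest
        elif line.startswith("Filesize"):
            raise ValueError(f"unparseable size: {line}")
        else:
            cur["path"] = line  # the only remaining line kind is a path
    return entries


def classify(entry):
    """browser-artifact (inside the profile), unknown-path, or candidate-payload."""
    if entry["path"] is None:
        return "unknown-path"
    if PROFILE_DIR in entry["path"]:
        return "browser-artifact"
    return "candidate-payload"


def ioc_rows(text=DOWNLOADS_TEXT):
    """(sha256, size_bytes, tag, path) rows ready for an IoC sheet."""
    return [(e["hashes"]["SHA256"], e["size"], classify(e), e["path"])
            for e in parse_downloads(text)]


def is_well_formed(text):
    """True when every entry parses and every digest has the right length."""
    try:
        parse_downloads(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sha256, size, tag, path in ioc_rows():
        print(f"{tag:16} {size:>6} B  {sha256}  {path or '(no path recorded)'}")
```

Run against the full section, every entry here lands in `unknown-path` or `browser-artifact`; a `candidate-payload` row would only appear for a file written outside the browser profile, which this analysis never produced.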