hxxp://www[.]auctim[.]com/ords/wwv_flow[.]ajax?p_context=auctions/auction/12653775554415

Analysis

max time kernel
95s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.auctim.com/ords/wwv_flow.ajax?p_context=auctions/auction/12653775554415

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4208	msedge.exe
4208	msedge.exe
4656	msedge.exe
4656	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 4056	4656	msedge.exe	82
PID 4656 wrote to memory of 4056	4656	msedge.exe	82
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 2516	4656	msedge.exe	83
PID 4656 wrote to memory of 4208	4656	msedge.exe	84
PID 4656 wrote to memory of 4208	4656	msedge.exe	84
PID 4656 wrote to memory of 4996	4656	msedge.exe	85
PID 4656 wrote to memory of 4996	4656	msedge.exe	85
PID 4656 wrote to memory of 4996	4656	msedge.exe	85
PID 4656 wrote to memory of 4996	4656	msedge.exe	85
PID 4656 wrote to memory of 4996	4656	msedge.exe	85
PID 4656 wrote to memory of 4996	4656	msedge.exe	85
PID 4656 wrote to memory of 4996	4656	msedge.exe	85
PID 4656 wrote to memory of 4996	4656	msedge.exe	85
PID 4656 wrote to memory of 4996	4656	msedge.exe	85
PID 4656 wrote to memory of 4996	4656	msedge.exe	85
PID 4656 wrote to memory of 4996	4656	msedge.exe	85
PID 4656 wrote to memory of 4996	4656	msedge.exe	85
PID 4656 wrote to memory of 4996	4656	msedge.exe	85
PID 4656 wrote to memory of 4996	4656	msedge.exe	85
PID 4656 wrote to memory of 4996	4656	msedge.exe	85
PID 4656 wrote to memory of 4996	4656	msedge.exe	85
PID 4656 wrote to memory of 4996	4656	msedge.exe	85
PID 4656 wrote to memory of 4996	4656	msedge.exe	85
PID 4656 wrote to memory of 4996	4656	msedge.exe	85
PID 4656 wrote to memory of 4996	4656	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://www.auctim.com/ords/wwv_flow.ajax?p_context=auctions/auction/12653775554415
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc36c046f8,0x7ffc36c04708,0x7ffc36c04718
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,8414733535318973449,6125713223593977175,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
  2⤵
  PID:2516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,8414733535318973449,6125713223593977175,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,8414733535318973449,6125713223593977175,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2944 /prefetch:8
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,8414733535318973449,6125713223593977175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:2128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,8414733535318973449,6125713223593977175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,8414733535318973449,6125713223593977175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,8414733535318973449,6125713223593977175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:3224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
792B

MD5
612cf2ff7da4c099882722020d3a7d7c

SHA1
7aae913a51aea5759fb9d5deb21211d18dbb5d60

SHA256
b546b3d060cef3cffdd4dbb2abf79464459be551e33fc252ef6c76bff2055006

SHA512
148f64abc26ae867a2f1cf32a3a2644e227e7a875065bb92e1c952349416072fbf69993d0ace246ee17510670087738aecbe686ddb81a3ab0ea93a432be8dbe5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
f0037a8e691c782d99c1d3ebf124d845

SHA1
804948f26a9748a2248cbedccc9465d85cc95670

SHA256
d8da8fa833a5b1a6b380e7d95f0b0ea5fde7c5608e323471831009bec85ec59d

SHA512
e3ad7b82838b9a1e0ed2e962a4153b4bb49f86b3cf729191bf9439e26e52818c062ccb2b45deb092f46b9f224014a271851ecab40f0e86051a5c60d67aa1e5cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
b914947f3216a10b74dcadda9938b808

SHA1
e9f86751677c4193958379d14811422ad3baf0ab

SHA256
4e7d926ac856e02b4784517fdb74da4b4053f8ff8d19dab5e5135a51f57d588c

SHA512
a64df980791ad0b28249b30f10765dd3697d8593608e8ac8b0f62d1979cd064ac757dd7192352da7c9cbea05b1a1cb2e20de2bdb059920ff635dc63820f5b602

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1b3c3dd54b7036de31aec9437c481c13

SHA1
173dc3e8f4e59a342b6e1238bcb848907fd9c368

SHA256
94022d72980eb9abc47ceb8258b677bc7eca5669693d34c56683fc7d7e652cc4

SHA512
440bb56e4a6e30a9c591be309f97c34c484667a029c96405d9dea0e6ce77a0075129fb5d856827802040134ddc8e6e1b3efd9a8c5f0e92acb8768487845b12e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
920bce15c4d622b48c73134295db0c36

SHA1
55795c9576aecc121da793b840b70d11010b5135

SHA256
d7077365d8d99538d1d320b3e6f1b0e661b88e854ae35d4497d05c2a72d5f7e6

SHA512
584b3f2fd7c60aadbabd2bb042c6983d58b1640c907788051d4004fb9c887821146b536b05c711263ed0250a968646111af18a0140584b92c951a8af3f8c7315

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe579b27.TMP

Filesize
48B

MD5
9bf5438edf4b924d661586b4000033ff

SHA1
9dc1e2446debee1e730ab61735981bf39e14b309

SHA256
be57c5dc577edeba8cbe01c9801ad6ce8afd7c5375aad082d9d5ed6db2ee1754

SHA512
d31d69f6b850b4b8a3d10b2f77fb1d5a11f13a351eb472d508abd953f439d7805b20a91821bdffa07184876d3e71e15b2341dd7eb1e04d9db04355ffd7bab6cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0f7071eceefbdd9e6f67e29fb8ad7cc3

SHA1
efd0d401382d764161a6c6c4bca04a60aa1d8c28

SHA256
8fea9c1121144126a6da094e8488043208bf63300cb1b87edc445cc8286fa425

SHA512
f2cd8a0f6bff332494350e2a8b3c61e6e1bbd801b8672ee502bd45347def0ed5599241d69c618d733cd30d2cece50a9acd85bf8a741d667709c9db677df04bce

Download Submit