Resubmissions
20-11-2024 18:03
241120-wneyksvpcl 720-11-2024 17:42
241120-v99jmszqbz 720-11-2024 17:38
241120-v77l9svlhl 7Analysis
-
max time kernel
145s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
20-11-2024 17:38
General
-
Target
https://secure-web.cisco.com/1YnI6qkhd5GXSkZfZd7WDhVASwUGo4NlSsxzSYIqcF41o8n61pr6FC4SYTa0lDJkhz8jkuMmtnOICFw6udyMC2x8SXpodMh7WcWGCq3xoYUdroAj-Sot9mIF2aNqiGIBJa7MZ_iUpumSn362yJxHxN5g3J3yUWXGjbPsmte9DfNWaLzmrqJVG62mnz_LQ1ThzWP1vDBLWCetR9rH46MElZ7lSp7k4c_V3nR1w45ii_rIEm3GHE3FVW5XAS-XBCtMPAELxfRkuwWtu0QPMqk1RsJLeZrX4IdQYHZLkTCa3Ac_jFJnM8PPskjgYBWJzph3jt1GFEwhv6ItP7MlH_D6eeA/https%3A%2F%2Fapp.box.com%2Fs%2F25nmxk3r6x8jjf97l5nt9o7by0khdb7l
Malware Config
Signatures
-
A potential corporate email address has been identified in the URL: image_loading@2x_fd2a63790bc01d48.min.gif
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://secure-web.cisco.com/1YnI6qkhd5GXSkZfZd7WDhVASwUGo4NlSsxzSYIqcF41o8n61pr6FC4SYTa0lDJkhz8jkuMmtnOICFw6udyMC2x8SXpodMh7WcWGCq3xoYUdroAj-Sot9mIF2aNqiGIBJa7MZ_iUpumSn362yJxHxN5g3J3yUWXGjbPsmte9DfNWaLzmrqJVG62mnz_LQ1ThzWP1vDBLWCetR9rH46MElZ7lSp7k4c_V3nR1w45ii_rIEm3GHE3FVW5XAS-XBCtMPAELxfRkuwWtu0QPMqk1RsJLeZrX4IdQYHZLkTCa3Ac_jFJnM8PPskjgYBWJzph3jt1GFEwhv6ItP7MlH_D6eeA/https%3A%2F%2Fapp.box.com%2Fs%2F25nmxk3r6x8jjf97l5nt9o7by0khdb7l1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa57e046f8,0x7ffa57e04708,0x7ffa57e047182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,8845452718129932492,8525077864033563394,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,8845452718129932492,8525077864033563394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,8845452718129932492,8525077864033563394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8845452718129932492,8525077864033563394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8845452718129932492,8525077864033563394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8845452718129932492,8525077864033563394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2260 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,8845452718129932492,8525077864033563394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,8845452718129932492,8525077864033563394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8845452718129932492,8525077864033563394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8845452718129932492,8525077864033563394,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8845452718129932492,8525077864033563394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8845452718129932492,8525077864033563394,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,8845452718129932492,8525077864033563394,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3840 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD58749e21d9d0a17dac32d5aa2027f7a75
SHA1a5d555f8b035c7938a4a864e89218c0402ab7cde
SHA256915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304
SHA512c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a
-
Filesize
152B
MD534d2c4f40f47672ecdf6f66fea242f4a
SHA14bcad62542aeb44cae38a907d8b5a8604115ada2
SHA256b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33
SHA51250fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6
-
Filesize
192B
MD5e61f7b843229bae868a35fcd2aa70459
SHA18bc8a24938831912916247a2e72d937cbca01659
SHA256afda35c613b0b1fe4eae290ca4932638a51eb7bd88830618fd15711a7cb9b075
SHA5120b7b92ef0cfd03ac6d86f72f5900020ed98ea6e6dd1a7787d706caf430cf0ee73031fbd53d8e2d6b190c1b0e9817efd9c61baa4cc6c0a3db8df158764ca3da45
-
Filesize
1KB
MD534c868a8e927f0a465517ccf4571e057
SHA1d7a61feb69b66242104fac52b78206a4c241d6b1
SHA256709e6fe8a518674e5b8c685b1928eebe411613795f11ae8cc1cf1265675ed428
SHA512640deaedb5660081d0ea89841e8416108e61c869a1791f0b9e7dcbf69d41e7461b8ef9b1ee1d4217281d06d9b49b1dd5bbc50e10663c3ee90e6638c909486604
-
Filesize
5KB
MD5a0b0f03ee017e29505fd5f19628e7f08
SHA10d6faf56040c9e5d5052cef761c836ffdc551bd3
SHA256c630cbea5506478fd621dcfbde2e17e46dce9e78dc5a3e2bdcc4dd9a3ee6be80
SHA512a12740f3eaf451d7fd6d398574fe628b757f0e019b75d9efe15162b43a5fb5c6ea8563363abdd5be9708695455770e25f75d25c235d83a0b38dd3a34ad8e0528
-
Filesize
6KB
MD55a9aea305c166d2a1a725401f4e5ff96
SHA1306aef6cc25d913b67ba81c40d258ba920259134
SHA256c4993253a303ae17c9401ef922128a6a0880799ad6f68debdacf624d8e728c90
SHA51267fd5b01cee59b53de40e5b179c9381cad95b47a8b29f3e20277fb53f61a72132daf6d053508f6ff04b92bde9b7e07a2da481d6c312de138d87b58b6a61d9d67
-
Filesize
876B
MD5291dbab013bc4b3736e67d2bc3f3a604
SHA17446335f99f10f6fc70f42b60cfb53da20cdc26d
SHA2562ef88345887adb8d62017f0e3dd8ebcb6a584457a4b6dad1dcc117d2df7ad983
SHA51250e29f106c8dcb8f93424c1f50c4af5a83451c8d39986ef95e16469c492abcdbb40302e9d9d893e6561ac5193a97dadd47f7961127cb27506609e3b216897450
-
Filesize
876B
MD554840b76d99c9c7e96d5046f3e6a5176
SHA1b2d19b5875502d23da03fc237689a72f9af959b3
SHA256df4aa673c8ceb8c02899e2bd1ed9cbee9b2a8db3e71b535496c6441a431bd70d
SHA51216664f36c87d20c394f78d6ace04ec9445a79a974139d6ff90cd304a4cca9e8fd70a3a330f6bdaab618389099bcf93df7e3898e747345470d94401288f20de77
-
Filesize
876B
MD5996d97b8bfa07e1ab507fb965eac7a6a
SHA126f24087a5224696e92e399a6d0d4e3eb75654ff
SHA25653962f3df7dd599bd5f330e5360d7117ed74a915aca998d69cc695fc29a198a6
SHA51254e87a87c6fa5db3c8d59fa3024f16f5478670c50964b9660dd2912b5f52eff333a67934aa7b1d5004a4bc773af8f74576ea65b804e0c55a5922d960dae5f860
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD5d3942e478cfda7a411d5c22e955e024e
SHA11a0eb2929b656ac4e763bf9b571518984dbdbe89
SHA2562b231e7261d85a510848ead1ee80d18d687b777e58dea687286a0af8564b07fa
SHA5120f886e35245ee535a4e8a2e579515d6963eb35f193a0d48cd1fb1d5a9d7423c56c688d6d562ce489e41e66e3e318a0db86a0991073f2a4a406ba80f07cdec5c5