hxxp://safrareal[.]com[.]br/yoya/ecyoovf6nr1zdye7v7dgekhufraq8zdjadg7f/YWdsZW5uQG1vbnRyb3NlLWVudi5jb20=$

Analysis

max time kernel
1716s
max time network
1798s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-11-2024 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://safrareal.com.br/yoya/ecyoovf6nr1zdye7v7dgekhufraq8zdjadg7f/YWdsZW5uQG1vbnRyb3NlLWVudi5jb20=$

Score

5^/10

microsoft discovery phishing

Malware Config

Signatures

Detected potential entity reuse from brand MICROSOFT.
phishing microsoft
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
5036	msedge.exe
5036	msedge.exe
4228	msedge.exe
4228	msedge.exe
2356	msedge.exe
2356	msedge.exe
4944	identity_helper.exe
4944	identity_helper.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4228 wrote to memory of 4164	4228	msedge.exe	77
PID 4228 wrote to memory of 4164	4228	msedge.exe	77
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 3124	4228	msedge.exe	78
PID 4228 wrote to memory of 5036	4228	msedge.exe	79
PID 4228 wrote to memory of 5036	4228	msedge.exe	79
PID 4228 wrote to memory of 2708	4228	msedge.exe	80
PID 4228 wrote to memory of 2708	4228	msedge.exe	80
PID 4228 wrote to memory of 2708	4228	msedge.exe	80
PID 4228 wrote to memory of 2708	4228	msedge.exe	80
PID 4228 wrote to memory of 2708	4228	msedge.exe	80
PID 4228 wrote to memory of 2708	4228	msedge.exe	80
PID 4228 wrote to memory of 2708	4228	msedge.exe	80
PID 4228 wrote to memory of 2708	4228	msedge.exe	80
PID 4228 wrote to memory of 2708	4228	msedge.exe	80
PID 4228 wrote to memory of 2708	4228	msedge.exe	80
PID 4228 wrote to memory of 2708	4228	msedge.exe	80
PID 4228 wrote to memory of 2708	4228	msedge.exe	80
PID 4228 wrote to memory of 2708	4228	msedge.exe	80
PID 4228 wrote to memory of 2708	4228	msedge.exe	80
PID 4228 wrote to memory of 2708	4228	msedge.exe	80
PID 4228 wrote to memory of 2708	4228	msedge.exe	80
PID 4228 wrote to memory of 2708	4228	msedge.exe	80
PID 4228 wrote to memory of 2708	4228	msedge.exe	80
PID 4228 wrote to memory of 2708	4228	msedge.exe	80
PID 4228 wrote to memory of 2708	4228	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://safrareal.com.br/yoya/ecyoovf6nr1zdye7v7dgekhufraq8zdjadg7f/YWdsZW5uQG1vbnRyb3NlLWVudi5jb20=$
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fa103cb8,0x7ff8fa103cc8,0x7ff8fa103cd8
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,9706185155166934840,17743377889458656077,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,9706185155166934840,17743377889458656077,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,9706185155166934840,17743377889458656077,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
  2⤵
  PID:2708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9706185155166934840,17743377889458656077,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:3584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9706185155166934840,17743377889458656077,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9706185155166934840,17743377889458656077,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,9706185155166934840,17743377889458656077,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2356
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,9706185155166934840,17743377889458656077,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9706185155166934840,17743377889458656077,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9706185155166934840,17743377889458656077,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9706185155166934840,17743377889458656077,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9706185155166934840,17743377889458656077,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:1
  2⤵
  PID:4016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,9706185155166934840,17743377889458656077,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5424 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aad1d98ca9748cc4c31aa3b5abfe0fed

SHA1
32e8d4d9447b13bc00ec3eb15a88c55c29489495

SHA256
2a07cac05ffcf140a9ad32e58ef51b32ecccf1e3ab5ef4e656770df813a8944e

SHA512
150ebf7e37d20f88b21ab7ea0793afe1d40b00611ed36f0cf1ac1371b656d26f11b08a84dbb958891c79776fae04c9c616e45e2e211d292988a5709857a3bf72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb557349d7af9d6754aed39b4ace5bee

SHA1
04de2ac30defbb36508a41872ddb475effe2d793

SHA256
cfc24ed7d1c2e2c6585f53db7b39aa2447bf9212487b0a3c8c2a7d8e7e5572ee

SHA512
f0cf51f42d975d720d613d09f201435bf98c6283ae5bc033207f4ada93b15e49743a235a1cfb1b761bde268e2f7f8561aa57619b99bff67a36820bc1a4d0ec4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
6740d1a6b9847c8c301d94580b6ab863

SHA1
6fc2f863998e8ad37468443442ff593f1207c2ed

SHA256
9d3429892481ad660f6ac9e68a2ffffa86f69184124f7fa45527e0246ed82c9d

SHA512
806928c7df179d3d9703fe941a32dca49bc713aa97e44c8d52fdf8643a17a2195cdba3c30d9ab14d5e8bbd7c76b92e05387848aba108207997e694bdc933a3a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
317B

MD5
4ebcaf2302c22b1ddbfe77f347eaaf5f

SHA1
558adc9bf77477d054087dd4808cd2a165cc1894

SHA256
7f5046e3d031570c85e5c88f3b7352be3cc0782408e857471d557e3ce651bf9c

SHA512
6299cc60e6e3670ff781b8d0eb77b31d1ea8837e00bd4319559baf4ceaa72534a0d138809e966d41a056d81f0bc76c785504b9db147a5f50dae002d943c69db3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7feead2ed462f043d5a9d3b7f3b9ce8e

SHA1
ba2c46a3ff7cb66b7868737715fb036c1474e233

SHA256
3e369731cf22f6fb975a98163e406de21e853e0495f66b4a29d5415117accdbd

SHA512
9b28dae66ee02b68cfc557d3c9d1e7e72dfe93ef9f85aa0a1ad0c7d87207427b34e61c4552b546a601d6ae6b4b0f9a1721cda50ffe282b30dd3552086bd49288

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3eeb8e58b55bde83dfb4c0c72dc85e12

SHA1
43f6004e18ab346eb92ad32ca745dec7e81ffb27

SHA256
2bf2627293c2ea1504259a78fecb554543ce44a358533806a8e85f3196a5f701

SHA512
55e818b941eaa7a33a9354ba0c7490e96fee2124c3a54bbb0eee610d8652f2ba3b428e325f5d871c7a6930fcd0df99627de09c6844a56b51f88eccc19ff15f23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
be13e4c7e92769cdc4595cfde9737ada

SHA1
3694167bdbe5d9fb947e3a5e9b36275d9a958c8a

SHA256
479849aa84ef128220f16c0eee12a1875a5a473ba8d6915ff03af3951ec31f8e

SHA512
7fab36298bc4213fe35394a9b56f0bdfe4b874c36b620b9a7d4869cde8ae532fe190ae8de40cb06fd31eb4c44b46ade5e09a56939bba310105e21fd024a01d26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5c8df5078534bb802f01847553ea7780

SHA1
a748128362b0f229fb3b2cb755744857985fb65b

SHA256
ffe7bdfdba17c9a0103ff172c676a4811f051990a64f584eaf8c11de5526414b

SHA512
02f5fee9e988849d73ca4176abbdbed537e619ec83f128f07ed8998b04bf7c88f94012dc3dc46935a1ae2c5fb80e7453fe1dea4ab5b504639b6d716d7b404f3b

Download Submit