hxxps://bafkreihpneoaanrtqm7jws6g2sgj3mto5db5vxnqqbquwhbtynkanbusfa[.]ipfs[.]flk-ipfs[.]xyz/#ienovatransporte[.]boletines@ienova[.]com[.]mx

Analysis

max time kernel
145s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bafkreihpneoaanrtqm7jws6g2sgj3mto5db5vxnqqbquwhbtynkanbusfa.ipfs.flk-ipfs.xyz/#[email protected]

Score

7^/10

discovery phishing

Malware Config

Signatures

A potential corporate email address has been identified in the URL: [email protected]
phishing
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4676	msedge.exe
4676	msedge.exe
3652	msedge.exe
3652	msedge.exe
4548	identity_helper.exe
4548	identity_helper.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 1456	3652	msedge.exe	82
PID 3652 wrote to memory of 1456	3652	msedge.exe	82
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 2812	3652	msedge.exe	83
PID 3652 wrote to memory of 4676	3652	msedge.exe	84
PID 3652 wrote to memory of 4676	3652	msedge.exe	84
PID 3652 wrote to memory of 4476	3652	msedge.exe	85
PID 3652 wrote to memory of 4476	3652	msedge.exe	85
PID 3652 wrote to memory of 4476	3652	msedge.exe	85
PID 3652 wrote to memory of 4476	3652	msedge.exe	85
PID 3652 wrote to memory of 4476	3652	msedge.exe	85
PID 3652 wrote to memory of 4476	3652	msedge.exe	85
PID 3652 wrote to memory of 4476	3652	msedge.exe	85
PID 3652 wrote to memory of 4476	3652	msedge.exe	85
PID 3652 wrote to memory of 4476	3652	msedge.exe	85
PID 3652 wrote to memory of 4476	3652	msedge.exe	85
PID 3652 wrote to memory of 4476	3652	msedge.exe	85
PID 3652 wrote to memory of 4476	3652	msedge.exe	85
PID 3652 wrote to memory of 4476	3652	msedge.exe	85
PID 3652 wrote to memory of 4476	3652	msedge.exe	85
PID 3652 wrote to memory of 4476	3652	msedge.exe	85
PID 3652 wrote to memory of 4476	3652	msedge.exe	85
PID 3652 wrote to memory of 4476	3652	msedge.exe	85
PID 3652 wrote to memory of 4476	3652	msedge.exe	85
PID 3652 wrote to memory of 4476	3652	msedge.exe	85
PID 3652 wrote to memory of 4476	3652	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://bafkreihpneoaanrtqm7jws6g2sgj3mto5db5vxnqqbquwhbtynkanbusfa.ipfs.flk-ipfs.xyz/#[email protected]
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8236046f8,0x7ff823604708,0x7ff823604718
  2⤵
  PID:1456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,7792945823865606398,8747986388652108983,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:2812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,7792945823865606398,8747986388652108983,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2488 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,7792945823865606398,8747986388652108983,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7792945823865606398,8747986388652108983,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7792945823865606398,8747986388652108983,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,7792945823865606398,8747986388652108983,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,7792945823865606398,8747986388652108983,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7792945823865606398,8747986388652108983,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7792945823865606398,8747986388652108983,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7792945823865606398,8747986388652108983,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:1564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7792945823865606398,8747986388652108983,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4248 /prefetch:1
  2⤵
  PID:2004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,7792945823865606398,8747986388652108983,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2780 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
2821d51aa1604a3ebc725acfa654da25

SHA1
ac6f9362470e17110e08e19027b361650fd1a1bc

SHA256
c9fceb5fa034ab280e7c345619d86a1d11aca99239c353e0434ff80e768ff870

SHA512
0d741c186802de6bd5896bf9eb0c0588c5cff3cf4bd3dd22a16c3017a63c4adc58e1c6e0d6297f171c8e32c6b65e55c61c8d267db723c7d55709dd415aa68c2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
3d64ff2fde3e3c33cab471b9a070a728

SHA1
bbb0edb1848f6f50fdb4357a47c4ec30c8b5ad5a

SHA256
33b34fcf6e72506cb33a84a7ca53a81c04878f7622192857f3ceba6f6932a551

SHA512
0807c372e46bda859c0ea5b309cd4ab7f04547ffe3af20a410fd314cd7119bcd930724d2aebb8ca1e490ddb877b1ae1ef6aae9a440339010d715dfbf90c633f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c2b60885d964744baa899626320911e5

SHA1
279ea15488b4e3a6d39267f2745d16a00898320d

SHA256
50e6afd54491b7afc0538ebae1d7147f69e7fa843844875e3764d2ce87d50a89

SHA512
7b5fc0e9a58e48bdf089526ba29affc77f0a28592db79061c2e476cfb13c0fe7acbc821cd03dfd9418e62e518145edf6364ba902bf033a9914757f4dc4de1952

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5ccebc254d9109eff5f405a44204e4bd

SHA1
106b549f8988be01f2797e8d7719af772658c825

SHA256
3faba44d7bc2af27f4cd574b7d4d6f47d56c40898ece27ef12d0fb00b4ab32d6

SHA512
128da306adf15cfe0900103b243228f3939b980daafa31f62276b068d4e9b46a1c5162ec760db4db65a1f8bb1914ee6e0fd61b0838d13d59e31ee3d5e35f4b72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
182b425f8aa4dd4eca119feae3c2dfc4

SHA1
7fc59aec44a628c807b0dabaa0ecb73bfac46577

SHA256
2ab631a0e454b6e23c7aea0b7fcdf357625221fe888cba8cf556c0685523531f

SHA512
6a3e5abbce2301d0fa436e1329195d6599b9f693fa0b40766c9fd5dc0a0d53f74c751baff56ad2c203c0d33ec0e754f11672c205eb0a02c08f65ea8484be3844

Download Submit