Analysis
-
max time kernel
145s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
03-12-2024 02:00
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://www.paypal.com/myaccount/transfer/claim-money?context_data=Xtd5Xx5V-mwGBLwPPaF6dI_Rpz1xgt2PwM10Vq5GJycqmUd1PptE3Tx8gEd6O8K0-oVY3l4zJUVXZLZjtcUwl30yOUUBxDLsF0m6B57YABA4SAuWVtG3xCDwazoGx4TG28B_5N6_yHx5HvL47eIa2Pu1xO3dO7K402cjPJZfJnWMMuZBQ0J52Pl464t0slQrrFOvKdL8p-uDoLqKYuzziRP2MsMw75tQVlkVIa78EueHfAKZZr0CpSwz2qi
Resource
win10v2004-20241007-en
General
-
Target
https://www.paypal.com/myaccount/transfer/claim-money?context_data=Xtd5Xx5V-mwGBLwPPaF6dI_Rpz1xgt2PwM10Vq5GJycqmUd1PptE3Tx8gEd6O8K0-oVY3l4zJUVXZLZjtcUwl30yOUUBxDLsF0m6B57YABA4SAuWVtG3xCDwazoGx4TG28B_5N6_yHx5HvL47eIa2Pu1xO3dO7K402cjPJZfJnWMMuZBQ0J52Pl464t0slQrrFOvKdL8p-uDoLqKYuzziRP2MsMw75tQVlkVIa78EueHfAKZZr0CpSwz2qi
Malware Config
Signatures
-
Enumerates system info in registry 2 TTPs 3 IoCs
description        ioc                                                                    Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid   Process
1504  msedge.exe
1504  msedge.exe
556   msedge.exe
556   msedge.exe
316   identity_helper.exe
316   identity_helper.exe
4300  msedge.exe
4300  msedge.exe
4300  msedge.exe
4300  msedge.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid  Process
556  msedge.exe
556  msedge.exe
556  msedge.exe
556  msedge.exe
556  msedge.exe
556  msedge.exe
556  msedge.exe
-
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe 556 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 556 wrote to memory of 5112 556 msedge.exe 82 PID 556 wrote to memory of 5112 556 msedge.exe 82 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 
wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 3644 556 msedge.exe 83 PID 556 wrote to memory of 1504 556 msedge.exe 84 PID 556 wrote to memory of 1504 556 msedge.exe 84 PID 556 wrote to memory of 724 556 msedge.exe 85 PID 556 wrote to memory of 724 556 msedge.exe 85 PID 556 wrote to memory of 724 556 msedge.exe 85 PID 556 wrote to memory of 724 556 msedge.exe 85 PID 556 wrote to memory of 724 556 msedge.exe 85 PID 556 wrote to memory of 724 556 msedge.exe 85 PID 556 wrote to memory of 724 556 msedge.exe 85 PID 556 wrote to memory of 724 556 msedge.exe 85 PID 556 wrote to memory of 724 556 msedge.exe 85 PID 556 wrote to memory of 724 556 msedge.exe 85 PID 556 wrote to memory of 724 556 msedge.exe 85 PID 556 wrote to memory of 724 556 msedge.exe 85 PID 556 wrote to memory of 724 556 msedge.exe 85 PID 556 wrote to memory of 724 556 msedge.exe 85 PID 556 wrote to memory of 724 556 msedge.exe 85 PID 556 wrote to memory of 724 556 msedge.exe 85 PID 556 wrote to memory of 724 556 msedge.exe 85 PID 556 wrote to memory of 724 556 msedge.exe 85 PID 556 wrote to memory of 724 556 msedge.exe 85 PID 556 wrote to memory of 724 556 msedge.exe 85
Processes
-
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.paypal.com/myaccount/transfer/claim-money?context_data=Xtd5Xx5V-mwGBLwPPaF6dI_Rpz1xgt2PwM10Vq5GJycqmUd1PptE3Tx8gEd6O8K0-oVY3l4zJUVXZLZjtcUwl30yOUUBxDLsF0m6B57YABA4SAuWVtG3xCDwazoGx4TG28B_5N6_yHx5HvL47eIa2Pu1xO3dO7K402cjPJZfJnWMMuZBQ0J52Pl464t0slQrrFOvKdL8p-uDoLqKYuzziRP2MsMw75tQVlkVIa78EueHfAKZZr0CpSwz2qi
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:556 -
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffce88746f8,0x7ffce8874708,0x7ffce8874718
  PID:5112
-
-
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,17388643589295919410,9311630721100007299,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  PID:3644
-
-
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,17388643589295919410,9311630721100007299,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
  PID:1504
-
-
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,17388643589295919410,9311630721100007299,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
  PID:724
-
-
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17388643589295919410,9311630721100007299,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  PID:1340
-
-
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17388643589295919410,9311630721100007299,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  PID:3568
-
-
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17388643589295919410,9311630721100007299,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  PID:2144
-
-
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,17388643589295919410,9311630721100007299,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:8
  PID:2564
-
-
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,17388643589295919410,9311630721100007299,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:316
-
-
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17388643589295919410,9311630721100007299,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  PID:3664
-
-
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17388643589295919410,9311630721100007299,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
  PID:1628
-
-
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17388643589295919410,9311630721100007299,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2300 /prefetch:1
  PID:4504
-
-
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17388643589295919410,9311630721100007299,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  PID:448
-
-
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,17388643589295919410,9311630721100007299,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3088 /prefetch:2
  - Suspicious behavior: EnumeratesProcesses
  PID:4300
-
-
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:4028
-
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:2852
Network
MITRE ATT&CK Enterprise v15
Downloads