hxxps://is[.]gd/hCqvxa

Analysis

max time kernel
148s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
09-12-2024 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://is.gd/hCqvxa

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4000	msedge.exe
4000	msedge.exe
2060	msedge.exe
2060	msedge.exe
1952	msedge.exe
1952	msedge.exe
1628	identity_helper.exe
1628	identity_helper.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 3344	2060	msedge.exe	79
PID 2060 wrote to memory of 3344	2060	msedge.exe	79
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 2880	2060	msedge.exe	80
PID 2060 wrote to memory of 4000	2060	msedge.exe	81
PID 2060 wrote to memory of 4000	2060	msedge.exe	81
PID 2060 wrote to memory of 2588	2060	msedge.exe	82
PID 2060 wrote to memory of 2588	2060	msedge.exe	82
PID 2060 wrote to memory of 2588	2060	msedge.exe	82
PID 2060 wrote to memory of 2588	2060	msedge.exe	82
PID 2060 wrote to memory of 2588	2060	msedge.exe	82
PID 2060 wrote to memory of 2588	2060	msedge.exe	82
PID 2060 wrote to memory of 2588	2060	msedge.exe	82
PID 2060 wrote to memory of 2588	2060	msedge.exe	82
PID 2060 wrote to memory of 2588	2060	msedge.exe	82
PID 2060 wrote to memory of 2588	2060	msedge.exe	82
PID 2060 wrote to memory of 2588	2060	msedge.exe	82
PID 2060 wrote to memory of 2588	2060	msedge.exe	82
PID 2060 wrote to memory of 2588	2060	msedge.exe	82
PID 2060 wrote to memory of 2588	2060	msedge.exe	82
PID 2060 wrote to memory of 2588	2060	msedge.exe	82
PID 2060 wrote to memory of 2588	2060	msedge.exe	82
PID 2060 wrote to memory of 2588	2060	msedge.exe	82
PID 2060 wrote to memory of 2588	2060	msedge.exe	82
PID 2060 wrote to memory of 2588	2060	msedge.exe	82
PID 2060 wrote to memory of 2588	2060	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://is.gd/hCqvxa
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff79823cb8,0x7fff79823cc8,0x7fff79823cd8
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,11432100912914236444,3016550456484707320,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,11432100912914236444,3016550456484707320,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,11432100912914236444,3016550456484707320,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
  2⤵
  PID:2588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,11432100912914236444,3016550456484707320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,11432100912914236444,3016550456484707320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,11432100912914236444,3016550456484707320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4544 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,11432100912914236444,3016550456484707320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,11432100912914236444,3016550456484707320,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4032 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,11432100912914236444,3016550456484707320,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,11432100912914236444,3016550456484707320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,11432100912914236444,3016550456484707320,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,11432100912914236444,3016550456484707320,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,11432100912914236444,3016550456484707320,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3364 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1680

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5431d6602455a6db6e087223dd47f600

SHA1
27255756dfecd4e0afe4f1185e7708a3d07dea6e

SHA256
7502d9453168c86631fb40ec90567bf80404615d387afc7ec2beb7a075bcc763

SHA512
868f6dcf32ef80459f3ea122b0d2c79191193b5885c86934a97bfec7e64250e10c23e4d00f34c6c2387a04a15f3f266af96e571bbe37077fb374d6d30f35b829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7bed1eca5620a49f52232fd55246d09a

SHA1
e429d9d401099a1917a6fb31ab2cf65fcee22030

SHA256
49c484f08c5e22ee6bec6d23681b26b0426ee37b54020f823a2908ab7d0d805e

SHA512
afc8f0b5b95d593f863ad32186d1af4ca333710bcfba86416800e79528616e7b15f8813a20c2cfa9d13688c151bf8c85db454a9eb5c956d6e49db84b4b222ee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
616B

MD5
3b898b5677a0e711e8805bcdfabac249

SHA1
43ab60aa85b2bbf828bb2c813d5b20ff4baf0ba5

SHA256
f491949b0406a6ce8e48b553001dcf5145bbb761e371f934f59eb4ca0e4d2b27

SHA512
52377e3e45570e18da908f0542e2d184610ccabb0575fdb474c6b66cbd584937b287c5a2678bfc62d543aa370ef5b7e94dbe89ca4469a96e643f4d7130e2e078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dcf8cfcc925664077fe5d4244779fd05

SHA1
622aaa819a7bfcaae0fd369c067f4d1d01f795d2

SHA256
ee32aad1b03b7cbcd481cf2b53f6976a8738eb16a66201daec4e16dfd39d26a7

SHA512
f8e01c685782f4d4b2d0ce5a933a03ee06da953a3e117d180930704b6a3681c34eac8dcbf1dd15c2357e91d569000933ae987e6857b4b4e2d1f12767b6247c8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
09330cd1778cb5b095d9662f9db04186

SHA1
34157ecddd5ac0973a453518657788d579d10b4c

SHA256
594731c3dfd321eb90d4da460b009aa4128ad3cd7858cb75b5f4280cfc8cfe65

SHA512
61258ec5d4fa407fe5bb231afc1de94d26abbcc7865f754486cfd97c1da39ba9f67e8171d1a0f10331a2b6413a7b7b35b53671155397e7713926a44fed5f1c4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f3b8b44bcce6755612e76ac2ab96dfc7

SHA1
46f379b03843ab9d682a57cfc269acbc3bfe1e03

SHA256
7c5d04cbd6bf7045b86e375fc9efc12e211b8d36f04cb5a96e16953b1d44e8eb

SHA512
f39ea53d42e0af380669e374b5f00ddd1ce34538b1a5a86a69e9abb8c9cad52bcbaa9fc332f6f1544d0df8d9a732b7e17127a7c0acfe0abedd495848cf5121aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b9aaf15829abfaece0c26e819fc21efa

SHA1
98bf01388ada19afffb4b62df07289f059d5c9ab

SHA256
e3179c0344df109ff901fb98d664313fee5e128984c0411c9fad898b9dce70a5

SHA512
84f87da7db2d94e0b8e8b1e8802622c02b722a78143d3008f27acf140aff343f02cfb925f2a72c86253bfe8fd37cdc1df4993ec3ebabd733d576ecbc77d33dba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
66d625dc76df5c84c7747b3db3053d16

SHA1
3303f934f0f8a8d4e3e25b6388298412d97a6e12

SHA256
736317af066fc43b1ed1e92ec95acaf55c10fceaf9ddb7bfcd5e50f4f01ac1c0

SHA512
8a878a8f9010acb0f08b2ca2c9c5e3336cff783eaf328776adb2bfb3d08ba6572f213933f8fc3d285bcf4c74832de4681d6bf093db3a33c71e10e7b56201de32

Download Submit