Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-12-2024 02:32

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://yxyz.zyxy.org/MARBI.mp4?u=6260dccd-a09a-4d27-b615-60ab56088d67
Resource: win10v2004-20241007-en

General
Target: https://yxyz.zyxy.org/MARBI.mp4?u=6260dccd-a09a-4d27-b615-60ab56088d67
Malware Config
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid | Process | events
2132 | msedge.exe | 2
1948 | msedge.exe | 2
4004 | identity_helper.exe | 2
5112 | msedge.exe | 4

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
pid | Process | events
1948 | msedge.exe | 7

Suspicious use of FindShellTrayWindow (25 IoCs)
pid | Process | events
1948 | msedge.exe | 25

Suspicious use of SendNotifyMessage (24 IoCs)
pid | Process | events
1948 | msedge.exe | 24

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1948 wrote to memory of 1664 | 1948 | msedge.exe | 82
PID 1948 wrote to memory of 2324 | 1948 | msedge.exe | 83
PID 1948 wrote to memory of 2132 | 1948 | msedge.exe | 84
PID 1948 wrote to memory of 3628 | 1948 | msedge.exe | 85
(The 64 logged events repeat these four parent/target pairs; the distinct rows are listed once.)
Processes
(Child processes are indented under their parent.)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, PID 1948
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://yxyz.zyxy.org/MARBI.mp4?u=6260dccd-a09a-4d27-b615-60ab56088d67
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, PID 1664
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff575746f8,0x7fff57574708,0x7fff57574718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, PID 2324
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,2089955807247758812,760643588814322893,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, PID 2132
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,2089955807247758812,760643588814322893,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, PID 3628
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,2089955807247758812,760643588814322893,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, PID 2684
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2089955807247758812,760643588814322893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, PID 2752
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2089955807247758812,760643588814322893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe, PID 3084
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,2089955807247758812,760643588814322893,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe, PID 4004
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,2089955807247758812,760643588814322893,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, PID 2928
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2089955807247758812,760643588814322893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, PID 4344
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2089955807247758812,760643588814322893,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, PID 1528
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2089955807247758812,760643588814322893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, PID 3896
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2089955807247758812,760643588814322893,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, PID 4772
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2089955807247758812,760643588814322893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, PID 5112
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,2089955807247758812,760643588814322893,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe, PID 2088
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe, PID 2280
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
MD5: 6960857d16aadfa79d36df8ebbf0e423
SHA1: e1db43bd478274366621a8c6497e270d46c6ed4f
SHA256: f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32
SHA512: 6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Filesize: 152B
MD5: f426165d1e5f7df1b7a3758c306cd4ae
SHA1: 59ef728fbbb5c4197600f61daec48556fec651c1
SHA256: b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841
SHA512: 8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Filesize: 554B
MD5: 7f83628a965700f4fb37ef7aa02a11e6
SHA1: 439b63b820e561866df52f421729d0eeb3e8c396
SHA256: b43e9feb581d9fab66ee33c9920e387ffd508bc8dc50a1160d9bd69808af5ebe
SHA512: ac28d5813432c68e5f62fec273fa7aa94dd57947c20eb93551ca278cdacb262fe5b04f3f17b8b6e8b4644c3a9b43ff8cf72116d7a18d1600f2df65b5aef7b671

Filesize: 6KB
MD5: 5f2b7409cd1845d9dbfa1641b44800c8
SHA1: be3ed2e9a1eab35ce1ea8419d343c60cf08583c2
SHA256: 68e36b7a978325be511ab20511527371099de919a9eb1da12e6b4c628e64f62c
SHA512: d9b201183664010e5d62061b3bfe2b6b9b2604770ee3d9cdca133d01cd0f500cddec6b0f470fa155f40f9541ef2a0e00c0b8a16d68c8543e16fbf08ecc507e8a

Filesize: 6KB
MD5: aa277ffb88d9270798c49c60adc898c8
SHA1: 77b5acd376663a76bef72167e59f7727963e4447
SHA256: 494da12641f6e24668d5bdf03a4d64c405c0a60c8c390bc23adb4d36e293c626
SHA512: b2f750c46c08a7297a2931c1255813bbda89ca313d71c6357250ed97cccf1a28cf9f118f4a41e35c30186cf26b445d4d259a7bf45d73724b004ee9d705e24e0b

Filesize: 5KB
MD5: f3dc09500108b6b3c3e7dfca2c5b1b74
SHA1: 257f9ac35e986ff2a3f3a26d1131a19841f3b7a9
SHA256: 8cf3a9860cd0eb5c3229845110c14189ab0542758ef57a2178eea68cd44b425a
SHA512: 73ea32bf530fc00c56dc743868e99925ab0ffc02dc16c1ec02606a74ea10ac38bd19576d0684766c8b2ae5176525857b1e34c23beb9fb2bfe71c14a976aeed79

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 10KB
MD5: 37e5900d407d63251736528e9f988a3a
SHA1: 00a676021e2b763a2a0f88372a72d7233dccb39c
SHA256: da1e1086044fb2c460aac0a209b75c3ccfa20f97d996a58b45d3bf58d924771e
SHA512: 3ba589710b2b46d94e978b5421b3de1f5169c3240709b32f17cbb826d26abf8f502899e5064684d8e820fc97599243056a1d74a4f4010fe03412bdc50df70f44