hxxps://youtube[.]com/@boffy/

Resubmissions

31-12-2024 05:12

241231-fv24pawlhm 7

31-12-2024 04:49

241231-ffsxgaylaw 10

31-12-2024 04:46

241231-fd1jjaykby 7

31-12-2024 04:31

241231-e5vlxsxpd1 10

Analysis

max time kernel
840s
max time network
845s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
31-12-2024 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://youtube.com/@boffy/

Score

7^/10

discovery phishing

Malware Config

Signatures

A potential corporate email address has been identified in the URL: httpswww.youtube.com@boffycbrd1
phishing
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1100	msedge.exe
1100	msedge.exe
2748	msedge.exe
2748	msedge.exe
2808	identity_helper.exe
2808	identity_helper.exe
2328	msedge.exe
2328	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 3948	2748	msedge.exe	77
PID 2748 wrote to memory of 3948	2748	msedge.exe	77
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 2388	2748	msedge.exe	78
PID 2748 wrote to memory of 1100	2748	msedge.exe	79
PID 2748 wrote to memory of 1100	2748	msedge.exe	79
PID 2748 wrote to memory of 5108	2748	msedge.exe	80
PID 2748 wrote to memory of 5108	2748	msedge.exe	80
PID 2748 wrote to memory of 5108	2748	msedge.exe	80
PID 2748 wrote to memory of 5108	2748	msedge.exe	80
PID 2748 wrote to memory of 5108	2748	msedge.exe	80
PID 2748 wrote to memory of 5108	2748	msedge.exe	80
PID 2748 wrote to memory of 5108	2748	msedge.exe	80
PID 2748 wrote to memory of 5108	2748	msedge.exe	80
PID 2748 wrote to memory of 5108	2748	msedge.exe	80
PID 2748 wrote to memory of 5108	2748	msedge.exe	80
PID 2748 wrote to memory of 5108	2748	msedge.exe	80
PID 2748 wrote to memory of 5108	2748	msedge.exe	80
PID 2748 wrote to memory of 5108	2748	msedge.exe	80
PID 2748 wrote to memory of 5108	2748	msedge.exe	80
PID 2748 wrote to memory of 5108	2748	msedge.exe	80
PID 2748 wrote to memory of 5108	2748	msedge.exe	80
PID 2748 wrote to memory of 5108	2748	msedge.exe	80
PID 2748 wrote to memory of 5108	2748	msedge.exe	80
PID 2748 wrote to memory of 5108	2748	msedge.exe	80
PID 2748 wrote to memory of 5108	2748	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://youtube.com/@boffy/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc89243cb8,0x7ffc89243cc8,0x7ffc89243cd8
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,11148450122447670025,9669021291185551257,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,11148450122447670025,9669021291185551257,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,11148450122447670025,9669021291185551257,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11148450122447670025,9669021291185551257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11148450122447670025,9669021291185551257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11148450122447670025,9669021291185551257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11148450122447670025,9669021291185551257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11148450122447670025,9669021291185551257,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,11148450122447670025,9669021291185551257,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11148450122447670025,9669021291185551257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11148450122447670025,9669021291185551257,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,11148450122447670025,9669021291185551257,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,11148450122447670025,9669021291185551257,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4972 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e9a2c784e6d797d91d4b8612e14d51bd

SHA1
25e2b07c396ee82e4404af09424f747fc05f04c2

SHA256
18ddbb93c981d8006071f9d26924ce3357cad212cbb65f48812d4a474c197ce6

SHA512
fc35688ae3cd448ed6b2069d39ce1219612c54f5bb0dd7b707c9e6f39450fe9fb1338cf5bd0b82a45207fac2fbab1e0eae77e5c9e6488371390eab45f76a5df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1fc959921446fa3ab5813f75ca4d0235

SHA1
0aeef3ba7ba2aa1f725fca09432d384b06995e2a

SHA256
1b1e89d3b2f3da84cc8494d07cf0babc472c426ccb1c4ae13398243360c9d02c

SHA512
899d1e1b0feece25ac97527daddcaaeb069cb428532477849eba43a627502c590261f2c26fef31e4e20efd3d7eb0815336a784c4d2888e05afcf5477af872b06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
1a4fdbbaf8d6ee6a3d74b4bbbd335bb6

SHA1
939e60470dedadbd60c97ac5af560ba9b4b3f292

SHA256
f5dfe71c23464b52b8116d68f64123979ed1d57a46d6672d721d5bbba6dbd923

SHA512
58731411d529b0bd96efcb68ab15e7174f74b73473df70764ea203f69a595ac1af9d25bc79414ea2a897438579a9c73c665417d7803cb8df8e3c8e942ea15af1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c86d9ede9c8b5df5355d6b9c6a4820c6

SHA1
91fb143a62ef4af007d69295c25c90060c30b177

SHA256
4c9eb2aa9cc8ea130ef2e75b6c8d6ce9a3a4091983f2d1d0dd67127e2a50b2aa

SHA512
c565748cff77b6008ae3756c45531c244b722ee8abedde25f486b37c7bb4d0fd9267f292ce28ddc01c96636bbe1852c50fe004d22e60a93f85f161275780c3f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c495054eb9578f95ec886f5546069648

SHA1
5d83b0c2e06a7db178dc3cf08220d9c4b572691f

SHA256
8c103fc0f6b3d74f0a847369872ed4583bb404870f2b3b7378ea089474202893

SHA512
b0d17de3c453ffa49ed07951b946d51111f7a5221f09604fa9942236bbcbd21a7c1d4a0ea8189d4ff78b693528724990d37dfeaef1ee91bca7ee95c705c211d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
052f576670b5267438497bba212730ae

SHA1
890af2e4ff3d4e044377f96f34cb401ae3bf4469

SHA256
7eeb312b2991715ee4c7e924120f8c39178386f4ef14c278de0377c9d9d0b116

SHA512
5772a5b230e1b79d0c5155523b4f5cb97012ac455c609985ca634841108280227eda72dd469248bd76cb9fede37466036e8cd917809db61a2240f59af7035910

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d67cc3844e33ad81b063325c5f2f1f52

SHA1
396c7f8c5fc9c63a782478dca843427be42bde66

SHA256
326b2eb7b836665b25d5d4b0c3a8786931452f9538513557f3ce52b50a2da595

SHA512
b682e5fe703b009a96db13d22fc1481e9e26a1100442662de8cbee8c55f49b9a114faac1f2c41e0213c6d7f520cb747776d9ffbe3f4a14c33f03eda9bf3a542c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8701024bedcf413ea8abb7a1d5a0246a

SHA1
f0cbce50b6526e27bca509b82c068b5c00480856

SHA256
8e9ae4d5250b2bd20c2b83417f9a505da846585e587fa18e4d2b2073f53b9338

SHA512
ce503c7ad08f9bc5185127b68de4b508929e4d859bddae207fe0a9e55e586c7591bec691a661718d6457e9963e7ddd2c7277ebf2cc35434ccd50464c14bedfde

Download Submit