80c4016577c11791f64e2d43e1dfad2b01adf7276100400a4421b48df6e6fbfe

Resubmissions

29/01/2025, 08:13

250129-j4gqwsznaq 3

29/01/2025, 08:08

250129-j11plazmem 3

29/01/2025, 08:01

250129-jwwvvavpfy 3

29/01/2025, 07:41

250129-jjhgpavla1 10

Analysis

max time kernel
840s
max time network
845s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
29/01/2025, 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xeno-v1.1.0-x64/bin/Monaco/index.html
Size

164KB
MD5

001dcbb8f41cdcbf9b4d1e3a0ed4b2d2
SHA1

982a05814546017c40771e59e7677b53d84787e9
SHA256

f1d2c52f2803c29585b81d2eff74c56242d27e9619ee6d38081d5604c5bb1951
SHA512

9a4eba2a9314b6f5851997e1db0ecfae8e40da3443d8a5f9df933ccf6a4d75fc330888c8d14818326e15b3dec9ae2f5f7e73cd08c3822dd7eb0b2d753c8cd8fa
SSDEEP

3072:Nk4J09UmmJv8kBpZaFD48VOAGUWYPjDZlLJbRBiPEP8yKUz2Ojmjr8zM3KP7pblM:64J09BA3pZaFD48VOAGUWYPjdlLJbRBS

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4880	msedge.exe
4880	msedge.exe
4532	msedge.exe
4532	msedge.exe
1768	identity_helper.exe
1768	identity_helper.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe
1720	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 4728	4532	msedge.exe	82
PID 4532 wrote to memory of 4728	4532	msedge.exe	82
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 5216	4532	msedge.exe	83
PID 4532 wrote to memory of 4880	4532	msedge.exe	84
PID 4532 wrote to memory of 4880	4532	msedge.exe	84
PID 4532 wrote to memory of 3004	4532	msedge.exe	85
PID 4532 wrote to memory of 3004	4532	msedge.exe	85
PID 4532 wrote to memory of 3004	4532	msedge.exe	85
PID 4532 wrote to memory of 3004	4532	msedge.exe	85
PID 4532 wrote to memory of 3004	4532	msedge.exe	85
PID 4532 wrote to memory of 3004	4532	msedge.exe	85
PID 4532 wrote to memory of 3004	4532	msedge.exe	85
PID 4532 wrote to memory of 3004	4532	msedge.exe	85
PID 4532 wrote to memory of 3004	4532	msedge.exe	85
PID 4532 wrote to memory of 3004	4532	msedge.exe	85
PID 4532 wrote to memory of 3004	4532	msedge.exe	85
PID 4532 wrote to memory of 3004	4532	msedge.exe	85
PID 4532 wrote to memory of 3004	4532	msedge.exe	85
PID 4532 wrote to memory of 3004	4532	msedge.exe	85
PID 4532 wrote to memory of 3004	4532	msedge.exe	85
PID 4532 wrote to memory of 3004	4532	msedge.exe	85
PID 4532 wrote to memory of 3004	4532	msedge.exe	85
PID 4532 wrote to memory of 3004	4532	msedge.exe	85
PID 4532 wrote to memory of 3004	4532	msedge.exe	85
PID 4532 wrote to memory of 3004	4532	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\Xeno-v1.1.0-x64\bin\Monaco\index.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffa547346f8,0x7ffa54734708,0x7ffa54734718
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,10503179254600062712,12390173166196793272,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
  2⤵
  PID:5216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,10503179254600062712,12390173166196793272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,10503179254600062712,12390173166196793272,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10503179254600062712,12390173166196793272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:5136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10503179254600062712,12390173166196793272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:324
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,10503179254600062712,12390173166196793272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
  2⤵
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,10503179254600062712,12390173166196793272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10503179254600062712,12390173166196793272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1
  2⤵
  PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10503179254600062712,12390173166196793272,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:6124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10503179254600062712,12390173166196793272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10503179254600062712,12390173166196793272,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,10503179254600062712,12390173166196793272,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3048 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1720

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5912

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7aa0be13c8d914912341bac39e064869

SHA1
55d20143756d1c85a67d7172682542739d1d1939

SHA256
31f51a011ab2fdcee551b41cee5371b4c3b5be991d2d83700036c062cc41dd9e

SHA512
6693457f475f0ddb71129b0c9e0d4939ca47b732133f6eae8f829286b2a27dc90f17767e7ec413eaf8e30ed2c13645716848a29af0c2fb0f695be1114aeb99c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
193B

MD5
62fc8758c85fb0d08cd24eeddafeda2c

SHA1
320fc202790b0ca6f65ff67e9397440c7d97eb20

SHA256
ee0d15dce841e092ad1a2d4346a612410f8f950fdb019bc7b768f6346f2b5248

SHA512
ca97e615bdcac137a936c10104a702e1529ed3470828f2c3a2f783345ebbef04cac8c051df636c714151671efea53a9b8912b6b0d0b5eafdac5fae1dfdc8f85d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
96ea13bcf0c1c52ac0adaabad6a6499d

SHA1
7d537afa9b8750eade5b269399304289108446e4

SHA256
5d71f7dd3c793913f52dbbfb0da1f8405a26252863230f716cb238aa0f2b719c

SHA512
874161562b35f62a98d5c5bdf28bec4c3ec98c11023f4cf8ff18d177196e0bf49ea4c79ed9d7bb83c9df1cdd0f6adb611c9a38169e1d85e0ec431cd6a91b6a4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
de1982468417f7ed40627d034f184a31

SHA1
509e7d0bc8ca5c7ba0b060e07779a400e8acdc1d

SHA256
90d00b5ca7c0a442b640f4d394bdb84accc8378627c87d4bd2632f6e087e316b

SHA512
87f15dec9de04455265442bfc5d30beec75bd8ed637f0fbc9b207c4747f4b8c9b5f66c9ee80660870e6aa5790a72e1b3a50b56d82de54e5e3e9375ec61bc3e40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
64408354e71c8264df3a538878c38b44

SHA1
7b3e10b9a40323167f8a4f9ab8a2a1c9143c3d46

SHA256
102fce3255edb96139fc78389e2c006ba7b7730f2baa47cdf2bd64a7b7517f51

SHA512
09c9f949c89df940b003bc5b1bc55904a66120e093fe3bd9789f3a772371cb92c71b05de707a3a78ad207478c35de23b15eb521b8173eae93a1278f20c469dfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8c3c8256c58ae1a09eff65f4f9cddbd9

SHA1
da2eecbf75663865c8bb066c6ddd6d9a80679d30

SHA256
1465b78991944ca15507d157c0fd9e90eb405131d2eb690ee6e902b035ed7627

SHA512
9702dbca2276a53ef0a6a6da47f290db3cf8808691ce42cfc946eeba3f17e0ecf3224dbda345877340d225e11a6db92efac136bc04ed03644844267566727858

Download Submit