Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
submitted: 20/02/2025, 02:43
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://auspost.ek0y2w.icu/receive/order/enP8SHl347C
  Resource: win10v2004-20250217-en
Behavioral task: behavioral2
  Sample: https://auspost.ek0y2w.icu/receive/order/enP8SHl347C
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral3
  Sample: https://auspost.ek0y2w.icu/receive/order/enP8SHl347C
  Resource: android-x64-20240624-en
Behavioral task: behavioral4
  Sample: https://auspost.ek0y2w.icu/receive/order/enP8SHl347C
  Resource: android-x64-arm64-20240624-en
Behavioral task: behavioral5
  Sample: https://auspost.ek0y2w.icu/receive/order/enP8SHl347C
  Resource: macos-20241101-en
General
Target: https://auspost.ek0y2w.icu/receive/order/enP8SHl347C
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
description / ioc / Process:
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Suspicious behavior: EnumeratesProcesses 10 IoCs
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
Suspicious use of FindShellTrayWindow 25 IoCs
Suspicious use of SendNotifyMessage 24 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
(process tree; child processes are indented under their parent, signatures listed per process)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://auspost.ek0y2w.icu/receive/order/enP8SHl347C
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 4472

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbb08246f8,0x7ffbb0824708,0x7ffbb0824718
      PID: 1844

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,5446306991078362312,3512611340753497913,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
      PID: 2728

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,5446306991078362312,3512611340753497913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
      PID: 4556

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,5446306991078362312,3512611340753497913,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
      PID: 2148

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5446306991078362312,3512611340753497913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
      PID: 2040

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5446306991078362312,3512611340753497913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
      PID: 1104

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,5446306991078362312,3512611340753497913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:8
      PID: 664

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,5446306991078362312,3512611340753497913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 5552

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5446306991078362312,3512611340753497913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
      PID: 236

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5446306991078362312,3512611340753497913,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
      PID: 216

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5446306991078362312,3512611340753497913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
      PID: 5208

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5446306991078362312,3512611340753497913,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
      PID: 5192

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,5446306991078362312,3512611340753497913,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5384 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
      PID: 3452

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3712

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3708
Network
MITRE ATT&CK Enterprise v15
Downloads