hxxps://auspost[.]ek0y2w[.]icu/receive/order/enP8SHl347C

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
submitted
20/02/2025, 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://auspost.ek0y2w.icu/receive/order/enP8SHl347C

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4556	msedge.exe
4556	msedge.exe
4472	msedge.exe
4472	msedge.exe
5552	identity_helper.exe
5552	identity_helper.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 1844	4472	msedge.exe	85
PID 4472 wrote to memory of 1844	4472	msedge.exe	85
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 2728	4472	msedge.exe	86
PID 4472 wrote to memory of 4556	4472	msedge.exe	87
PID 4472 wrote to memory of 4556	4472	msedge.exe	87
PID 4472 wrote to memory of 2148	4472	msedge.exe	88
PID 4472 wrote to memory of 2148	4472	msedge.exe	88
PID 4472 wrote to memory of 2148	4472	msedge.exe	88
PID 4472 wrote to memory of 2148	4472	msedge.exe	88
PID 4472 wrote to memory of 2148	4472	msedge.exe	88
PID 4472 wrote to memory of 2148	4472	msedge.exe	88
PID 4472 wrote to memory of 2148	4472	msedge.exe	88
PID 4472 wrote to memory of 2148	4472	msedge.exe	88
PID 4472 wrote to memory of 2148	4472	msedge.exe	88
PID 4472 wrote to memory of 2148	4472	msedge.exe	88
PID 4472 wrote to memory of 2148	4472	msedge.exe	88
PID 4472 wrote to memory of 2148	4472	msedge.exe	88
PID 4472 wrote to memory of 2148	4472	msedge.exe	88
PID 4472 wrote to memory of 2148	4472	msedge.exe	88
PID 4472 wrote to memory of 2148	4472	msedge.exe	88
PID 4472 wrote to memory of 2148	4472	msedge.exe	88
PID 4472 wrote to memory of 2148	4472	msedge.exe	88
PID 4472 wrote to memory of 2148	4472	msedge.exe	88
PID 4472 wrote to memory of 2148	4472	msedge.exe	88
PID 4472 wrote to memory of 2148	4472	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://auspost.ek0y2w.icu/receive/order/enP8SHl347C
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbb08246f8,0x7ffbb0824708,0x7ffbb0824718
  2⤵
  PID:1844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,5446306991078362312,3512611340753497913,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:2728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,5446306991078362312,3512611340753497913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,5446306991078362312,3512611340753497913,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
  2⤵
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5446306991078362312,3512611340753497913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5446306991078362312,3512611340753497913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:1104
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,5446306991078362312,3512611340753497913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:8
  2⤵
  PID:664
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,5446306991078362312,3512611340753497913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5446306991078362312,3512611340753497913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5446306991078362312,3512611340753497913,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5446306991078362312,3512611340753497913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:5208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5446306991078362312,3512611340753497913,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:5192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,5446306991078362312,3512611340753497913,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5384 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f5da507c2059b715761792e7106405f0

SHA1
a277fd608467c5a666cf4a4a3e16823b93c6777f

SHA256
8c1d99de087ac5f2e7b2afce66eff36a646bef46800c0c1d7737d6f0df74b7e8

SHA512
01c92729dd8061aa122b116a674c73bb78016f66d2cb8f7fb64907352758a825e87a1e345334386440699d2a6d1e17baccb400c5aee151eb64e64019cbebb870

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3c6e13dc1762aa873320bed152204f3c

SHA1
38df427d38ca5ce6ce203490a9fb8461c7444e12

SHA256
5c441148843b7c8dbff4c4a72962a532aaf0bdd484d07a03dd9a32fd461b1371

SHA512
133054cb042e11013bfdad1bd11e3407d08cf26a66d0743bea9708d261aa904a1047bb0097b187ecf8436cb6cff3bec28c89e435862cad0e0fa264799556b70c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
b3d1d7e606f2679af4065753c8c911e6

SHA1
b019260c15014b28708b9df1a25a0f369fe2ab04

SHA256
12c7536fc63a390bdc45fc82119ddc479472af83c17c3051df6c79e45733d56b

SHA512
9c0befc0dd02e30bd19772062318bf6ad2a878fa1247c4cb3965a15b58badb655817dabe4d79c08daa527c9e39804a95d9dad4e67bc7658be8c4c561da4adbc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
475B

MD5
ed786275a053ae57bf84744ea93c401f

SHA1
802cf1368c916a6e83310863aa1b6e95b6941257

SHA256
824af17b61343b3a87a7590172c47280793ced69eed5565a98016c02013e8ff9

SHA512
1005cbbae57e8e5ee0451df883ab292e72e9b6f253ba338fa957968007b7a1b62ebed587e66d72bfaf37b6a6afd2619ac57d826e8151d93d15989211e6ee93da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
71fd0693adf13fe6cd416cf3ab26fb2a

SHA1
7da0cea1c8f100c61cd930665710231e4188ad72

SHA256
e862561c79568f6dfe9e039e6eeb422db9ba648d88b9c0fc1a8f737532c25d8b

SHA512
e2e316a8a274952afa598b91e06b43405cfaef1d6232293c7dc3bef2e03a56833d6763080d969a90d9b0e493ef842ad9c6cf74f29445e44dcc52ad48ef7c2d75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9afdfb8c3a3abe002284f674d94fa34e

SHA1
7e5f33741317461a01b29c7816b1b7d932c9f18d

SHA256
bd174e1efd5237885ee1bde6e22ce8bb1e1a3a7d89027e320ce4abb2b296c7c6

SHA512
d8e924e03aa60077ad6142e92a1fb0fe6fe0a0f6d0660e95c153b00c779531cd8fab8fad02479540bf62ed61bf3d08a8e621f5d9c2d60ac9e09bb490b2769336

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7d45bc27d43aea33454309d4e8e55c8b

SHA1
ca020aad9772bb1c7d606fea927c775e93bf3be9

SHA256
c082cb20747055abf661233bbcb753f513bbae8a7873a58625f17f0e62ad9696

SHA512
1cc8aa57b1adc1728fdc823c6b11ae377dbd04480d96f760ab6720a6869b95e5022ad6f96d43267862f5da366ea045f0c472aca70510f0bac3758bb11d15db69

Download Submit