Analysis

max time kernel: 145s
max time network: 133s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-06-2024 04:59
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://login-onedriveshare.points-newpointssharez.online/bYUBbDyv
Resource: win10v2004-20240611-en

General

Target: https://login-onedriveshare.points-newpointssharez.online/bYUBbDyv
Malware Config
Signatures
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
description        ioc                                                                    process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes:
pid   process
4420  msedge.exe
4420  msedge.exe
2060  msedge.exe
2060  msedge.exe
4876  identity_helper.exe
4876  identity_helper.exe
2352  msedge.exe
2352  msedge.exe
2352  msedge.exe
2352  msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
Processes:
pid   process
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
Suspicious use of FindShellTrayWindow (25 IoCs)
Processes:
pid   process
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
Suspicious use of SendNotifyMessage (24 IoCs)
Processes:
pid   process
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
2060  msedge.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://login-onedriveshare.points-newpointssharez.online/bYUBbDyv
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb927846f8,0x7ffb92784708,0x7ffb92784718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,9385711460775930261,139594094287129285,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,9385711460775930261,139594094287129285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,9385711460775930261,139594094287129285,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9385711460775930261,139594094287129285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9385711460775930261,139594094287129285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,9385711460775930261,139594094287129285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,9385711460775930261,139594094287129285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9385711460775930261,139594094287129285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9385711460775930261,139594094287129285,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9385711460775930261,139594094287129285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9385711460775930261,139594094287129285,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,9385711460775930261,139594094287129285,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1304 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads