Analysis

Max time kernel: 289s
Max time network: 289s
Platform: windows11-21h2_x64
Resource: win11-20240508-en
Resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
Submitted: 26-06-2024 18:59

URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://DETk.hediatat.com/EcjECo/#[email protected]
Resource: win11-20240508-en
General

Target: https://DETk.hediatat.com/EcjECo/#[email protected]
Malware Config

Signatures
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  18    ipapi.co
  38    ipapi.co
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
  description        ioc                                                                    process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes: msedge.exe, msedge.exe, msedge.exe, identity_helper.exe, msedge.exe
  pid   process              entries
  1484  msedge.exe           2
  3664  msedge.exe           2
  4212  msedge.exe           2
  4848  identity_helper.exe  2
  2356  msedge.exe           4
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
Processes: msedge.exe
  pid   process     entries
  3664  msedge.exe  8
Suspicious use of FindShellTrayWindow (25 IoCs)
Processes: msedge.exe
  pid   process     entries
  3664  msedge.exe  25
Suspicious use of SendNotifyMessage (12 IoCs)
Processes: msedge.exe
  pid   process     entries
  3664  msedge.exe  12
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: msedge.exe
  description                       pid   process     target process
  PID 3664 wrote to memory of 3096  3664  msedge.exe  msedge.exe
  PID 3664 wrote to memory of 444   3664  msedge.exe  msedge.exe
  PID 3664 wrote to memory of 1484  3664  msedge.exe  msedge.exe
  PID 3664 wrote to memory of 1224  3664  msedge.exe  msedge.exe
  (64 entries in total; each of the four target PIDs above is recorded repeatedly, the 444 and 1224 targets most often)
Processes

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://DETk.hediatat.com/EcjECo/#[email protected]
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffff5f23cb8,0x7ffff5f23cc8,0x7ffff5f23cd8

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,4070051527594037908,13037027340056614873,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,4070051527594037908,13037027340056614873,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,4070051527594037908,13037027340056614873,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,4070051527594037908,13037027340056614873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,4070051527594037908,13037027340056614873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,4070051527594037908,13037027340056614873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,4070051527594037908,13037027340056614873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,4070051527594037908,13037027340056614873,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,4070051527594037908,13037027340056614873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,4070051527594037908,13037027340056614873,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2176 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,4070051527594037908,13037027340056614873,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5936 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,4070051527594037908,13037027340056614873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,4070051527594037908,13037027340056614873,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,4070051527594037908,13037027340056614873,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2504 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses

- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: a8e4bf11ed97b6b312e938ca216cf30e
  SHA1: ff6b0b475e552dc08a2c81c9eb9230821d3c8290
  SHA256: 296db8c9361efb62e23be1935fd172cfe9fbcd89a424f34f347ec3cc5ca5afad
  SHA512: ce1a05df2619af419ed3058dcbd7254c7159d333356d9f1d5e2591c19e17ab0ac9b6d3e625e36246ad187256bee75b7011370220ef127c4f1171879014d0dd76

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 23da8c216a7633c78c347cc80603cd99
  SHA1: a378873c9d3484e0c57c1cb6c6895f34fee0ea61
  SHA256: 03dbdb03799f9e37c38f6d9d498ad09f7f0f9901430ff69d95aa26cae87504d3
  SHA512: d34ae684e8462e3f2aba2260f2649dee01b4e2138b50283513c8c19c47faf039701854e1a9cbf21d7a20c28a6306f953b58ffb9144ead067f5f73650a759ff17

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 264B
  MD5: 48a7ec8fcab019d4c1d2686802f39c8d
  SHA1: 7459aff2a98e20023e34c68406354f2ea85519ae
  SHA256: 35a5ee808b138dddd32b401151e181d3799b3d61de38b50ac72baf694eb58d9f
  SHA512: eca201e20897402677994379828cc14f9969066bb144a4622356313fbd5a999a3d99feeb633425274ed28a89c7cf2605615c75fc7dddd9661f6cac07150faae4

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 1KB
  MD5: f0667418cf5bd2a0a6a029d2ad997a4b
  SHA1: 80d45f2db242f010d1a32431503be053421c88f3
  SHA256: 66d9b0d4cdfbc9233263f4266afd64d4172ed48bed57f986372e9cae0d310dc9
  SHA512: 5f7f5f9689533832497f46c513076a3b86724d20d5681c3a7f1a1559bdf5b2ab095d39130ae88e01d4f2fd53f6cb4c9c5d0f699600a11ea8213be468dac48692

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: dd88c4c300af2b05100d36235a479920
  SHA1: dc2a592c4c3e83039774d949de0e832232e83dac
  SHA256: 094a2d535070e9475fa3f0fc04c2c45a0f7543d1e7e6387175fd34d283c5877a
  SHA512: 11e933794f707e2c2b4fd7570c1352494ace92932b37d5b33c1c4ec2f5a1cdae6319aaaab7629b2770fc9f61fe02dd8e3fdec57342dd5d0080ca1b7f63b9004e

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: cd2f98ae23ab3b3621c268242e7fcf18
  SHA1: 998a2dbe1f999dad19336b244849c2a5ab450356
  SHA256: 967dcdb239b6b7c776f5bd0d7e7d84967b6dd1f94fc2f5478c977f4cd56df241
  SHA512: 7ed061f7044bddc5b9541322a2c062f40ee9df75603b75fce74a55d62abcd37125ffcd751b4c11cf7bb8365bd67e0ac95d5b9b1aa31ef4330f9895c09e244da9

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 9110b6a27bb8fd7f19376b2352da030f
  SHA1: 4c373a7bb88fcaf1cc8b1641507b8e5950cf9d87
  SHA256: e6b9e6fafce9c8cef8eb383bdfda43daf9567ae6645995b83016cf27b63baf57
  SHA512: a90b2149c1272238d10fd0df005ca0991f494729c72eb9eebbf0eef6428686e1b9d2a1e5e7934d0b50578d2ad6bf451d5bc7196f10420708eefbbc5c8a644df9
- \??\pipe\LOCAL\crashpad_3664_NGERSOTOFPSAMWZW
  Filesize: not recorded
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  (These four digests are the well-known hashes of empty input: the named pipe yielded no bytes when the sandbox captured it, so they carry no IoC value.)