Analysis

max time kernel: 900s
max time network: 1165s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 30-06-2024 05:00
Static task: static1
URLScan task: urlscan1
Behavioral task behavioral1: sample http://jjsplot, resource win7-20240508-en
Behavioral task behavioral2: sample http://jjsplot, resource win10-20240404-en
Behavioral task behavioral3: sample http://jjsplot, resource win10v2004-20240508-en
Behavioral task behavioral4: sample http://jjsplot, resource win11-20240508-en
General

Target: http://jjsplot
Malware Config: (none)
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
  description          ioc                                                                    process
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  Key opened           \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  SystemManufacturer and SystemProductName under HARDWARE\DESCRIPTION\System\BIOS are the values that expose the hypervisor vendor on a virtual machine, which is why the sandbox flags reads of them even when the reader is a browser.

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: msedge.exe, msedge.exe, identity_helper.exe, msedge.exe
  pid    process
  3972   msedge.exe (listed twice)
  5040   msedge.exe (listed twice)
  4912   identity_helper.exe (listed twice)
  4832   msedge.exe (listed twice)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
Processes: msedge.exe
  pid    process
  5040   msedge.exe (10 entries)

Suspicious use of FindShellTrayWindow (26 IoCs)
Processes: msedge.exe
  pid    process
  5040   msedge.exe (26 entries)

Suspicious use of SendNotifyMessage (12 IoCs)
Processes: msedge.exe
  pid    process
  5040   msedge.exe (12 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: msedge.exe
  description                         pid    process      target process
  PID 5040 wrote to memory of 4600    5040   msedge.exe   msedge.exe
  PID 5040 wrote to memory of 1264    5040   msedge.exe   msedge.exe
  PID 5040 wrote to memory of 3972    5040   msedge.exe   msedge.exe
  PID 5040 wrote to memory of 3700    5040   msedge.exe   msedge.exe
  All 64 entries have writer pid 5040 (msedge.exe) and target image msedge.exe; the table repeats each row many times, most often for targets 1264 and 3700. Pid 5040 is the top-level browser process and every target is one of its own msedge.exe children in the process tree below.
Processes

msedge.exe (level 1)
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://jjsplot
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

msedge.exe, crashpad-handler (level 2)
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff83ba23cb8,0x7ff83ba23cc8,0x7ff83ba23cd8

msedge.exe, gpu-process (level 2)
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,9652864302249428570,12841196369171624017,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2

msedge.exe, utility network.mojom.NetworkService (level 2)
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,9652864302249428570,12841196369171624017,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses

msedge.exe, utility storage.mojom.StorageService (level 2)
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,9652864302249428570,12841196369171624017,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2600 /prefetch:8

msedge.exe, renderer (client id 6, level 2)
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,9652864302249428570,12841196369171624017,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1

msedge.exe, renderer (client id 5, level 2)
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,9652864302249428570,12841196369171624017,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1

msedge.exe, renderer (client id 7, level 2)
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,9652864302249428570,12841196369171624017,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1

msedge.exe, renderer (client id 8, level 2)
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,9652864302249428570,12841196369171624017,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1

identity_helper.exe, utility winrt_app_id.mojom.WinrtAppIdService (level 2)
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,9652864302249428570,12841196369171624017,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses

msedge.exe, renderer (client id 10, level 2)
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,9652864302249428570,12841196369171624017,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1

msedge.exe, renderer (client id 11, instant process, level 2)
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,9652864302249428570,12841196369171624017,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1

msedge.exe, renderer (client id 12, instant process, level 2)
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,9652864302249428570,12841196369171624017,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1

msedge.exe, utility chrome.mojom.UtilWin (level 2)
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,9652864302249428570,12841196369171624017,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses

msedge.exe, renderer (client id 14, level 2)
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,9652864302249428570,12841196369171624017,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1

msedge.exe, renderer (client id 16, instant process, level 2)
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,9652864302249428570,12841196369171624017,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1

msedge.exe, renderer (client id 16, instant process, level 2)
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,9652864302249428570,12841196369171624017,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1

CompPkgSrv.exe (level 1)
  Image: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

CompPkgSrv.exe (level 1)
  Image: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
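The signature tables above are flattened and heavily repeated, which hides the one question that decides whether this run is benign: who is writing into whom. The WriteProcessMemory rows are the browser host (pid 5040) writing into its own freshly launched msedge.exe children, which is how Chromium's sandbox broker sets a child up before resuming it, and the NtCreateUserProcessBlockNonMicrosoftBinary rows are the process-creation mitigation that stops non-Microsoft-signed binaries from loading into those children. The rows worth escalating are a writer other than the host, a target image other than the browser's own, or a target that is not a child in the tree. The script below is an added triage helper, not Triage's or Microsoft's code: it parses rows in the page's flattened layout, collapses the duplicates into counts, classifies children by their --type= switch, lists utility services launched with --service-sandbox-type=none (here the network service and identity_helper), and reports the three findings above. The inputs are constructed from the tables on this page, the command lines are abridged to the switches the code reads, and it assumes the trailing 1/2 marker on each process is its depth in the tree (1 = top level, 2 = child).

```python
import re
from collections import Counter

# Constructed sample input in the flattened layout of the "Suspicious use of
# WriteProcessMemory" table (the page repeats identical rows dozens of times).
# Fields: writer PID, target PID, writer PID again, writer image, target image.
WPM_RECORDS = """\
PID 5040 wrote to memory of 4600 5040 msedge.exe msedge.exe
PID 5040 wrote to memory of 4600 5040 msedge.exe msedge.exe
PID 5040 wrote to memory of 1264 5040 msedge.exe msedge.exe
PID 5040 wrote to memory of 1264 5040 msedge.exe msedge.exe
PID 5040 wrote to memory of 1264 5040 msedge.exe msedge.exe
PID 5040 wrote to memory of 3972 5040 msedge.exe msedge.exe
PID 5040 wrote to memory of 3700 5040 msedge.exe msedge.exe
"""

# Constructed sample input: (tree level, command line) pairs abridged from the
# Processes section; level 1 is a top-level process, level 2 a child of it
# (assumption: the page's trailing 1/2 marker is the tree depth).
EDGE = r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"'
PROCESS_TREE = [
    (1, EDGE + " --single-argument http://jjsplot"),
    (2, EDGE + " --type=crashpad-handler --annotation=prod=Microsoft Edge"),
    (2, EDGE + " --type=gpu-process --mojo-platform-channel-handle=1884"),
    (2, EDGE + " --type=utility --utility-sub-type=network.mojom.NetworkService"
               " --service-sandbox-type=none"),
    (2, EDGE + " --type=utility --utility-sub-type=storage.mojom.StorageService"
               " --service-sandbox-type=utility"),
    (2, EDGE + " --type=renderer --renderer-client-id=6 --no-v8-untrusted-code-mitigations"),
    (2, r'"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"'
        " --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService"
        " --service-sandbox-type=none"),
    (1, r"C:\Windows\System32\CompPkgSrv.exe -Embedding"),
]

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)")


def parse_wpm(text):
    """Parse flattened rows into (writer_pid, target_pid, writer_image, target_image)."""
    records = []
    for m in WPM_RE.finditer(text):
        writer, target, writer_again, w_img, t_img = m.groups()
        if writer != writer_again:  # the layout repeats the writer PID; a mismatch is a torn row
            raise ValueError(f"torn record: {m.group(0)}")
        records.append((int(writer), int(target), w_img.lower(), t_img.lower()))
    return records


def summarise_wpm(records):
    """Collapse duplicate rows into a count per (writer, target, target image)."""
    return Counter((w, t, ti) for w, t, _, ti in records)


def process_type(cmdline):
    """Chromium child type from --type=; a missing switch means the browser (host) process."""
    m = re.search(r"--type=([\w-]+)", cmdline)
    return m.group(1) if m else "browser"


def image_name(cmdline):
    """Executable file name from a command line whose image path may be quoted."""
    exe = cmdline.split('"')[1] if cmdline.startswith('"') else cmdline.split()[0]
    return exe.rsplit("\\", 1)[-1].lower()


def unsandboxed_services(tree):
    """Utility children launched with --service-sandbox-type=none, by sub-type."""
    found = []
    for _, cmd in tree:
        if "--service-sandbox-type=none" in cmd:
            m = re.search(r"--utility-sub-type=(\S+)", cmd)
            found.append(m.group(1) if m else process_type(cmd))
    return found


def assess(records, tree):
    """Findings that would make the WriteProcessMemory hits worth a closer look.

    Expected shape for a Chromium-based browser: one writer (the host process),
    every target a child in the tree, every target image the browser's own.
    """
    findings = []
    writers = {w for w, *_ in records}
    if len(writers) != 1:
        findings.append(f"more than one writer PID: {sorted(writers)}")
    child_images = {image_name(cmd) for level, cmd in tree if level == 2}
    for w, t, wi, ti in set(records):
        if ti != wi:
            findings.append(f"pid {w} ({wi}) wrote into a different image {ti} (pid {t})")
        if ti not in child_images:
            findings.append(f"target image {ti} (pid {t}) is not a child in the process tree")
    return findings


if __name__ == "__main__":
    recs = parse_wpm(WPM_RECORDS)
    for (w, t, ti), n in sorted(summarise_wpm(recs).items()):
        print(f"{w} -> {t} ({ti}): {n} writes")
    print("findings:", assess(recs, PROCESS_TREE) or "none")
    print("child types:", dict(Counter(process_type(c) for lvl, c in PROCESS_TREE if lvl == 2)))
    print("unsandboxed services:", unsandboxed_services(PROCESS_TREE))
```

Run against the sample rows, assess() returns no findings, which is the expected result for a browser launching its own process tree; feed it a constructed row such as pid 5040 writing into explorer.exe and it reports both a foreign image and a target outside the tree. The --service-sandbox-type=none and --no-v8-untrusted-code-mitigations switches are not findings in themselves, but they are the launch details to record when comparing this build's process model with a hardened configuration.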
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 390187670cb1e0eb022f4f7735263e82
  SHA1: ea1401ccf6bf54e688a0dc9e6946eae7353b26f1
  SHA256: 3e6c56356d6509a3fd4b2403555be55e251f4a962379b29735c1203e57230947
  SHA512: 602f64d74096d4fb7a23b23374603246d42b17cc854835e3b2f4d464997b73f289a3b40eb690e3ee707829d4ff886865e982f72155d96be6bc00166f44878062

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 8294f1821fd3419c0a42b389d19ecfc6
  SHA1: cd4982751377c2904a1d3c58e801fa013ea27533
  SHA256: 92a96c9309023c8b9e1396ff41f7d9d3ff8a3687972e76b9ebd70b04e3bf223a
  SHA512: 372d369f7ad1b0e07200d3aa6b2cfce5beafa7a97f63932d4c9b3b01a0e8b7eb39881867f87ded55a9973abea973b2d2c9b6fc4892f81cec644702b9edb1566d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: abf6653e4b28cbb5cdb2ea8c347ef74f
  SHA1: f1c67029eb6a5470f90eec1cad5bcf07d0f2677d
  SHA256: 7d30d98b4fa46a6890406797dbb35769e693fad1f70a5aff6067b1b0471eb8eb
  SHA512: e7529f9ce75eb426486a6f0830cabb2925d830f01f51f94a604fe01c11ad2fdd78b170c170ae49d7ec52f41aba0ac4854473928ffa1573e0b3e216c244d74f76

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: e3e56a202bf3d4720ab059bd895dcbdc
  SHA1: 80f4a4ecc300218d7cff932c3941087b3316d59e
  SHA256: d8c592a9bc336a8ebb635952136e09baa13cb6b46a797ba950ba0b5d17861e90
  SHA512: 690328b1a527218c1a5b9b50433962803cccc5aa59fbfc1e405602a49c780228df3fcf7cabe543e1161d11560316ad61ac627b7a338e3a5830ef5947ffc52d41

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: 063d1f02a3d35dde397afc7bc8783c53
  SHA1: 57c79c5ac443a9576d304083edf0bef0fe66f223
  SHA256: 2242de3708e1eb2268d2f5f2adb23800d96f0e9242ac3225c9fa10fa3b40833b
  SHA512: 1e4169d81b110b52f14ee5d0687cf026ed0c5914e2acf131761ae9f4b9d119f33487c8df3c899628336159ed8b9278563c5a3ca5c9cb6de5bf215d8da31e258c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: c237f9c01f8ca1184e8ea65abffb8a07
  SHA1: bec4efdb8132a47753ebfbdecd786d64d65aea79
  SHA256: c12a6f6f482ce97b419fc278b9c1b62059c47feff9e427b18c31036a36412e88
  SHA512: 5aa84d499130aa2ad515528b8afaaf4db672945f6c21108c7b007898780172ba7f619718c53e6426dc2b3747218bcbd23c1bfb85207e743f254921ec78186a87

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 18c645b782de5b99f57ac35d7add14ef
  SHA1: 8fb5f687f2c9216309edc8dd7ce3867d9cae0650
  SHA256: 9de3d0be79d1ff8f132afe05ddd289648f5d5ac0cfe94bdcd3772a990bf03d42
  SHA512: 3e0579a516ee697835fd660647b906cde84467e229c71c3ee5ee3a193d686b951579731b21bcf2d888e5c3cbc3e95197f6b41b68330bb1badebb19dcfebade4d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
  Filesize: 264KB
  MD5: f50f89a0a91564d0b8a211f8921aa7de
  SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
  SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
  SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
\??\pipe\LOCAL\crashpad_5040_GLCAWIIZOMASSAEP
  Filesize: (not recorded)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  These four digests are the well-known hashes of zero-byte input, so the sandbox captured the crashpad named pipe (created by pid 5040) but read no data from it; the entry records the pipe's existence, not any content.