Resubmissions
08-07-2024 07:13  240708-h2an5azgkg  6
07-07-2024 10:00  240707-l1l8ba1gqb  10
07-07-2024 09:59  240707-l1e41a1gpc  1
06-07-2024 07:41  240706-jjdhqstcpg  4
06-07-2024 06:14  240706-gzq3na1blh  1
06-07-2024 06:14  240706-gzmegaybjq  4
05-07-2024 10:41  240705-mrjlhawhpp  4
05-07-2024 10:30  240705-mj4lpsyhlc  4
05-07-2024 10:17  240705-mble6awfnq  1
02-07-2024 14:21  240702-rpd1fswfjg  10

Analysis
max time kernel: 13s
max time network: 14s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 02-07-2024 14:17
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com
Resource: win10v2004-20240508-en
General
Target: https://github.com
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
  description        ioc                                                                   process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: msedge.exe
  pid   process
  3648  msedge.exe
  3648  msedge.exe
  2524  msedge.exe
  2524  msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
Processes: msedge.exe
  pid   process
  2524  msedge.exe
  2524  msedge.exe
  2524  msedge.exe
Suspicious use of FindShellTrayWindow (33 IoCs)
Processes: msedge.exe
  pid   process
  2524  msedge.exe  (33 identical entries)
Suspicious use of SendNotifyMessage (32 IoCs)
Processes: msedge.exe
  pid   process
  2524  msedge.exe  (32 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: msedge.exe
  description                        pid   process     target process
  PID 2524 wrote to memory of 448    2524  msedge.exe  msedge.exe
  PID 2524 wrote to memory of 3272   2524  msedge.exe  msedge.exe
  PID 2524 wrote to memory of 3648   2524  msedge.exe  msedge.exe
  PID 2524 wrote to memory of 3040   2524  msedge.exe  msedge.exe
  (64 IoCs in total; distinct rows shown, each target PID repeated across multiple writes)
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f8da46f8,0x7ff8f8da4708,0x7ff8f8da4718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,12377670845265603042,15239292151587447316,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,12377670845265603042,15239292151587447316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,12377670845265603042,15239292151587447316,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12377670845265603042,15239292151587447316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12377670845265603042,15239292151587447316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12377670845265603042,15239292151587447316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5:    56641592f6e69f5f5fb06f2319384490
  SHA1:   6a86be42e2c6d26b7830ad9f4e2627995fd91069
  SHA256: 02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455
  SHA512: c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5:    612a6c4247ef652299b376221c984213
  SHA1:   d306f3b16bde39708aa862aee372345feb559750
  SHA256: 9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a
  SHA512: 34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5:    a4bbac3eb3538e7d945da815c9cc4a57
  SHA1:   016cd7b29e0d66bffbf5481b2372af3d96210d20
  SHA256: 7bd3d6f1696ac94e87abe499754c4a69dfd01300472e76cdfff943b76c368ce4
  SHA512: 668ded8f92fdb192b9c1543d998b6d770c847170ae3f3411cb12d79bdfa0d3e240f16173240cec88499ad826b89541a98d2323e8fb445b71907f9470c0e29fd7
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 8KB
  MD5:    45d4eeeedcf74907ce50fc0cdb368f1c
  SHA1:   5e841c331172d6c50ee7e2a9ba73c45698cd08e7
  SHA256: 553fd55cca51a7d6b5a313766dd19c36fe246fb87ae2add8bc391cb6d5203be7
  SHA512: 4c0a7bd867e99df146def74946ff85f2509c882f4080871b11340f3e743a42eafb54fb3d8e653e93e68615bdd5f34816d6235f48d4012799d9de3f3dd26385e4
- \??\pipe\LOCAL\crashpad_2524_HRWLHUIXAPMFCTBW
  MD5:    d41d8cd98f00b204e9800998ecf8427e
  SHA1:   da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e