Analysis
-
max time kernel: 51s
max time network: 53s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-06-2024 03:43
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://6mzvzkdxh.top/6r1r
Resource: win10v2004-20240611-en
General
-
Target: https://6mzvzkdxh.top/6r1r
Malware Config
Signatures
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description         ioc                                                                     process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                      msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName    msedge.exe
-
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid    process
  3168   msedge.exe
  3168   msedge.exe
  3328   msedge.exe
  3328   msedge.exe
  1056   identity_helper.exe
  1056   identity_helper.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
Processes:
  pid    process
  3328   msedge.exe   (8 identical entries)
-
Suspicious use of FindShellTrayWindow (25 IoCs)
Processes:
  pid    process
  3328   msedge.exe   (25 identical entries)
-
Suspicious use of SendNotifyMessage (24 IoCs)
Processes:
  pid    process
  3328   msedge.exe   (24 identical entries)
-
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  description                        pid    process      target process   entries
  PID 3328 wrote to memory of 3176   3328   msedge.exe   msedge.exe       2
  PID 3328 wrote to memory of 680    3328   msedge.exe   msedge.exe       39
  PID 3328 wrote to memory of 3168   3328   msedge.exe   msedge.exe       2
  PID 3328 wrote to memory of 4488   3328   msedge.exe   msedge.exe       21
Processes (indented entries are children of the top-level process above them)
-
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://6mzvzkdxh.top/6r1r
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa603246f8,0x7ffa60324708,0x7ffa60324718
-
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1808,13874815988946773553,7613164319149222303,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
-
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1808,13874815988946773553,7613164319149222303,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
-
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1808,13874815988946773553,7613164319149222303,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
-
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,13874815988946773553,7613164319149222303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
-
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,13874815988946773553,7613164319149222303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
-
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,13874815988946773553,7613164319149222303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
-
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,13874815988946773553,7613164319149222303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
-
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1808,13874815988946773553,7613164319149222303,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3632 /prefetch:8
-
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1808,13874815988946773553,7613164319149222303,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3632 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
-
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,13874815988946773553,7613164319149222303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
-
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,13874815988946773553,7613164319149222303,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
-
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,13874815988946773553,7613164319149222303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
-
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,13874815988946773553,7613164319149222303,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
-
C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads