hxxps://kinrus[.]ru/vviizink-pt-public-home-login/

Resubmissions

22/08/2023, 10:33

230822-ml2vwsbg23 1

Analysis

max time kernel
159s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2023, 10:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://kinrus.ru/vviizink-pt-public-home-login/

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
900	msedge.exe
900	msedge.exe
3964	msedge.exe
3964	msedge.exe
1588	identity_helper.exe
1588	identity_helper.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3964 wrote to memory of 720	3964	msedge.exe	81
PID 3964 wrote to memory of 720	3964	msedge.exe	81
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 2088	3964	msedge.exe	84
PID 3964 wrote to memory of 900	3964	msedge.exe	83
PID 3964 wrote to memory of 900	3964	msedge.exe	83
PID 3964 wrote to memory of 1432	3964	msedge.exe	82
PID 3964 wrote to memory of 1432	3964	msedge.exe	82
PID 3964 wrote to memory of 1432	3964	msedge.exe	82
PID 3964 wrote to memory of 1432	3964	msedge.exe	82
PID 3964 wrote to memory of 1432	3964	msedge.exe	82
PID 3964 wrote to memory of 1432	3964	msedge.exe	82
PID 3964 wrote to memory of 1432	3964	msedge.exe	82
PID 3964 wrote to memory of 1432	3964	msedge.exe	82
PID 3964 wrote to memory of 1432	3964	msedge.exe	82
PID 3964 wrote to memory of 1432	3964	msedge.exe	82
PID 3964 wrote to memory of 1432	3964	msedge.exe	82
PID 3964 wrote to memory of 1432	3964	msedge.exe	82
PID 3964 wrote to memory of 1432	3964	msedge.exe	82
PID 3964 wrote to memory of 1432	3964	msedge.exe	82
PID 3964 wrote to memory of 1432	3964	msedge.exe	82
PID 3964 wrote to memory of 1432	3964	msedge.exe	82
PID 3964 wrote to memory of 1432	3964	msedge.exe	82
PID 3964 wrote to memory of 1432	3964	msedge.exe	82
PID 3964 wrote to memory of 1432	3964	msedge.exe	82
PID 3964 wrote to memory of 1432	3964	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://kinrus.ru/vviizink-pt-public-home-login/
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7ffe322646f8,0x7ffe32264708,0x7ffe32264718
  2⤵
  PID:720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,18340296241990473328,724531102969521673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
  2⤵
  PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,18340296241990473328,724531102969521673,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,18340296241990473328,724531102969521673,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,18340296241990473328,724531102969521673,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,18340296241990473328,724531102969521673,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,18340296241990473328,724531102969521673,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  PID:1312
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,18340296241990473328,724531102969521673,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,18340296241990473328,724531102969521673,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,18340296241990473328,724531102969521673,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,18340296241990473328,724531102969521673,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4544 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,18340296241990473328,724531102969521673,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,18340296241990473328,724531102969521673,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2444

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2772

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fc99b0086d7714fd471ed4acc862ccc0

SHA1
39a3c43c97f778d67413a023d66e8e930d0e2314

SHA256
45ef01f81605bfd96126d5520c5aa0304c7fa7d5fdb3e4d5b2dd2bf84e2afd96

SHA512
c308fa3eda9235d67a506a5f058fefb9a769ec01d7b0d4f5a2397892cc4f8155301c55c1fac23bebacdd087ab3f47f1eacc9ff88eff4115a7d67aa7b1d6581a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
24f9750abd85814e4fba7f305d6394ad

SHA1
9954efffd303cec827bfc62c77aeedc3e2fca728

SHA256
00e2d2d3993af6dd0657482f0752f17e6eae0a7ae162c9b9abcd6c613f528096

SHA512
5d581c015caa2c3043780b86e82e18aff4bb406255a055f3a6de3c1706789fd230de94a3270315ac07da439ee4aa07d63a938a5f38547f8a234cd222dc0ece54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
254B

MD5
2bbf6ce9e105b0f1fc2d498c3fd15985

SHA1
447cc92315e7ddaead7e988327f0bf45b5a3a3c1

SHA256
e5067f52f1da35b387a8781fa3f8a092c4cdf6eb18697a9ecf89401a2ae5485d

SHA512
f8127af9353b5ade2f7fe849d349d134bce608c29c1199e613ab30b047583b7ea81cba32e8f1391f07b4b2087f15d4bc1389143102389b4a94b254913805d441

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d1eb27d1141780d85e14166c43bf000a

SHA1
fe095ca964adf142e3319ca40b903d6d2eb1fc0f

SHA256
edca956f2e0f220b38f614719b3b693372e5a30bdb0efaa6d489b8cb6c1856bc

SHA512
d01d15d32009d0f806f7ab9dc16cf5c68dbc3de44e4faf02fb06c5f4a66f377347c416be796ece6b23ebea650c0f8265d30d0ba618e0e5d0fdc1a1e4a1fe4c73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e0b3678591e50100793ddc287e4d7956

SHA1
590d56031f7681f20ce179aed9a14c748fb01465

SHA256
df8ab062ed25b327843d0dce3fd48d7f0d527695752db6b82c9994e81af9bbbc

SHA512
6ca3cc7d13d0ecf86850320e774da8b221593524edc3469b864da88d58df499176a271d85254b3543c4eaf5a011c05a852d370048e487007962c9be13c72bcd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
96f00bbd6a174879c58220f95f0115f5

SHA1
d3d7f82b0bf27daf1b3903bfe050c2d05422050f

SHA256
644442e740a8c0bb20f712f6f84f5bf4a81bb29d4e9446b2832ca65618961107

SHA512
e7c5e90eb85aee7b81b9c163f618ad3789a48b256040f6f00eee7fce52c60e1ff491bf0538b9c846fb115b73163710e46a45ce056e3b41ca59d88c421502ccea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
99c7a1da41a30b6175c32fe209231ca2

SHA1
37e97daa4e71a6af95c9eb54f7f28b9bbc21c118

SHA256
2d081abcb32b03d2e76a478f514d717297b16cb0e5d18fca7c754311b1c0e3b8

SHA512
d830fa90831b939789ba91e4aa2d92bc3eb8031efa309def2cbba3be32052f51128e740dfec94eb32c4280c45ca170f9a62cb9ba2798d970a82c9e457e68a335

Download Submit