hxxp://rb[.]gy/x19cz#ZGRlbGl6emFAcGVubm9ua-s5jb20=

Analysis

max time kernel
89s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2023, 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://rb.gy/x19cz#ZGRlbGl6emFAcGVubm9ua-s5jb20=

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4504	msedge.exe
4504	msedge.exe
4936	msedge.exe
4936	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 116	4936	msedge.exe	39
PID 4936 wrote to memory of 116	4936	msedge.exe	39
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 5012	4936	msedge.exe	87
PID 4936 wrote to memory of 4504	4936	msedge.exe	86
PID 4936 wrote to memory of 4504	4936	msedge.exe	86
PID 4936 wrote to memory of 1712	4936	msedge.exe	88
PID 4936 wrote to memory of 1712	4936	msedge.exe	88
PID 4936 wrote to memory of 1712	4936	msedge.exe	88
PID 4936 wrote to memory of 1712	4936	msedge.exe	88
PID 4936 wrote to memory of 1712	4936	msedge.exe	88
PID 4936 wrote to memory of 1712	4936	msedge.exe	88
PID 4936 wrote to memory of 1712	4936	msedge.exe	88
PID 4936 wrote to memory of 1712	4936	msedge.exe	88
PID 4936 wrote to memory of 1712	4936	msedge.exe	88
PID 4936 wrote to memory of 1712	4936	msedge.exe	88
PID 4936 wrote to memory of 1712	4936	msedge.exe	88
PID 4936 wrote to memory of 1712	4936	msedge.exe	88
PID 4936 wrote to memory of 1712	4936	msedge.exe	88
PID 4936 wrote to memory of 1712	4936	msedge.exe	88
PID 4936 wrote to memory of 1712	4936	msedge.exe	88
PID 4936 wrote to memory of 1712	4936	msedge.exe	88
PID 4936 wrote to memory of 1712	4936	msedge.exe	88
PID 4936 wrote to memory of 1712	4936	msedge.exe	88
PID 4936 wrote to memory of 1712	4936	msedge.exe	88
PID 4936 wrote to memory of 1712	4936	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://rb.gy/x19cz#ZGRlbGl6emFAcGVubm9ua-s5jb20=
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe34b946f8,0x7ffe34b94708,0x7ffe34b94718
  2⤵
  PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,11590983667368177647,9457685241792208223,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,11590983667368177647,9457685241792208223,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,11590983667368177647,9457685241792208223,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
  2⤵
  PID:1712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11590983667368177647,9457685241792208223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11590983667368177647,9457685241792208223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11590983667368177647,9457685241792208223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11590983667368177647,9457685241792208223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11590983667368177647,9457685241792208223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11590983667368177647,9457685241792208223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11590983667368177647,9457685241792208223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:2980

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bf009481892dd0d1c49db97428428ede

SHA1
aee4e7e213f6332c1629a701b42335eb1a035c66

SHA256
18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4

SHA512
d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
2d84be133f6296b1c1c8b143f622087c

SHA1
09005961e4d2aa49ec7db2e860c89b1566d24239

SHA256
f0c7f71ae06c9b715086004087d0b5e3f81e149143e5faad20f65e82272352be

SHA512
657dec217362e83eab785446a67b905f6136e6007c1d8be13e4d6deaa90d3ea834142ea2ec72e50c2f828cb6baa65028ffe8ac3802966226dbf52396edb27839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
bd5d4d47714cd416c1b8d35739203f96

SHA1
93f832bac3b03e77d072f2b4d3598d3a9b8ef43a

SHA256
0f950fb3386d098f12f2eafd74a0d511a9976a734db9967a5857567882a6c1f5

SHA512
8aedf71a6750888695fa815de989033f8ee7f44acc103124c659d4327e5ac89dfce832485b749809de9c49d95041647941ad000c9094f70ca1745908cdb62673

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
eebb2d71bd330556105582bb6fb224f7

SHA1
a21bf2da257e44e8931a37493dacf203fa967bed

SHA256
3780a501368e2214cc3fc683f3d22aa0488df47af9369e36d132de8b673e22fd

SHA512
5452caf9fe336456fc2c0587084048e7d6dbd789a1d4270fc8782961e879d53ee4ea51438ac42e3e73312d4d0154759a4b17f7322581dfb583577be08044535a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8e21196f8807687f0c0cf9031ed1a9b0

SHA1
c8d42f0e6cd9e39072d858b604f209b995cd53fa

SHA256
b80e23b57949d51b53da109430c40bf8f010e8ca22957663001c353bec47a765

SHA512
7609c679edc1afc8ca67bdff70022fa1b5819e61ce76f550f4ba97383967719071a56a87252c0e488443c4845ccc867fc2a7e640eeeb9ee5361c469705409bf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
b690c7643af8bf5f3a96b59e33522135

SHA1
204ca48a942ecba4d2f2ef844275c3f5905ed453

SHA256
4577c23a112c820b430e2b16d0283f4715b06f64164e1e5bf883034a7201c695

SHA512
f690f6f5cb19c2e7338feda4741c47b107e48e86db530829cff7e4a0737b813051d31625b1f3108bf8a2f496fad14767b6c255bc816a3e8a3bc43d4c2b63036d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4add19d24844d09dd86174c64d83a433

SHA1
1316cb1240ef38f0017cb26d11ecdc47fc1bfb1d

SHA256
b30ea638590badb918b190a9d8437879675a33a818e1bbfa3f07cfda7f017f19

SHA512
0f333f5487619925bd37191eeb047cdb9d7b6136b7adc03062bfe95dd20a72801e29866cf2e8e6b40e66407bb2901dffa4050b2dfd12f9df62647b976be7043e

Download Submit