hxxp://www[.]jb3img[.]top/a[.]aspx

Analysis

max time kernel
35s
max time network
43s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2023, 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.jb3img.top/a.aspx

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2852	msedge.exe
2852	msedge.exe
4040	msedge.exe
4040	msedge.exe
3100	identity_helper.exe
3100	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4040 wrote to memory of 1092	4040	msedge.exe	83
PID 4040 wrote to memory of 1092	4040	msedge.exe	83
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2984	4040	msedge.exe	85
PID 4040 wrote to memory of 2852	4040	msedge.exe	86
PID 4040 wrote to memory of 2852	4040	msedge.exe	86
PID 4040 wrote to memory of 3592	4040	msedge.exe	87
PID 4040 wrote to memory of 3592	4040	msedge.exe	87
PID 4040 wrote to memory of 3592	4040	msedge.exe	87
PID 4040 wrote to memory of 3592	4040	msedge.exe	87
PID 4040 wrote to memory of 3592	4040	msedge.exe	87
PID 4040 wrote to memory of 3592	4040	msedge.exe	87
PID 4040 wrote to memory of 3592	4040	msedge.exe	87
PID 4040 wrote to memory of 3592	4040	msedge.exe	87
PID 4040 wrote to memory of 3592	4040	msedge.exe	87
PID 4040 wrote to memory of 3592	4040	msedge.exe	87
PID 4040 wrote to memory of 3592	4040	msedge.exe	87
PID 4040 wrote to memory of 3592	4040	msedge.exe	87
PID 4040 wrote to memory of 3592	4040	msedge.exe	87
PID 4040 wrote to memory of 3592	4040	msedge.exe	87
PID 4040 wrote to memory of 3592	4040	msedge.exe	87
PID 4040 wrote to memory of 3592	4040	msedge.exe	87
PID 4040 wrote to memory of 3592	4040	msedge.exe	87
PID 4040 wrote to memory of 3592	4040	msedge.exe	87
PID 4040 wrote to memory of 3592	4040	msedge.exe	87
PID 4040 wrote to memory of 3592	4040	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.jb3img.top/a.aspx
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc2d9b46f8,0x7ffc2d9b4708,0x7ffc2d9b4718
  2⤵
  PID:1092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,10594797039809724761,6724132726889797960,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,10594797039809724761,6724132726889797960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,10594797039809724761,6724132726889797960,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  2⤵
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10594797039809724761,6724132726889797960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:2512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10594797039809724761,6724132726889797960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10594797039809724761,6724132726889797960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10594797039809724761,6724132726889797960,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10594797039809724761,6724132726889797960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,10594797039809724761,6724132726889797960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4668 /prefetch:8
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,10594797039809724761,6724132726889797960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4668 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10594797039809724761,6724132726889797960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
  2⤵
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10594797039809724761,6724132726889797960,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1828

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\59b83cef-1f18-4b56-8e87-c1926118f505.tmp

Filesize
10KB

MD5
0ab6ab83b9d239bc105e2837aa3e95c2

SHA1
6e12c92ee4e1b9f8e849b30ca3c2136fb3e6016c

SHA256
d39bd55191a76aa9a6f0e0a3272a7b4ef3ce1da442b22d518d31116c960d8f59

SHA512
86a17c20edc63a852dec32965ece61f0213416b530e684445d2de167c045268874ca54d170a16ddbd8a8e11bd37f0eea4fe538b1003c9864383e257178ef927a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
208a234643c411e1b919e904ee20115e

SHA1
400b6e6860953f981bfe4716c345b797ed5b2b5b

SHA256
af80020ae43388bbd3db31c75aade369d489a30a933574dea19163e094d5f458

SHA512
2779b96325234c836cbb91820ee332ed56c15b534ec0c7770b322a5c03849ec3ee67b0ec7978e1fab563eeed1cea96f5155d7b942702555d9352ff6711a548d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
c5dfecba03efe0b7b15f2b0ebf657965

SHA1
040603b80e245a5b02a720f5aa6e9653a9413839

SHA256
65602225d47364afa8df073b2219a76cf89a1b16bf70bc29755895103fc6a0a5

SHA512
aa4c699ff9d095c7e180483b2589acc699b2548f27e491d50f0ae2efc5ae0cbe74cd2ee8a1224c0cecf5b6e9d9c8105e2c1f5b433ab4a2712d4ae0e10d881a6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
59d0228ecd4f552d73e5f31584d60c5f

SHA1
9c06bd1a1213e09f20e14cf54fca7c8c3cc16f72

SHA256
978dae4bb0599d351eefacc40d580b97a1263bd7b3f315f74759ae5d49afdae7

SHA512
4f943da73ba1ed7d4be77b73e231a4f32f637ba5d2b60b91ffb4644a0373acbe95fafe68cf80c3bd28918db91a0ade7163d02ea27fe8b93082626816643367f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
11ec152042e571afb0eee1962f25c051

SHA1
0c655350351021c09c8bae02e6a026397c4030e0

SHA256
c370f4e8bb78ebc75ea92c04062221b5311dc63dd6371a6c1b91fad7d012fa8f

SHA512
cc91d3f768aac22be66c2da942fcaea9deb0f03fae4d94fd4e382e86cc881300c0bc4f7c5e71474f44d159146aebb316a9ef67b2c7e0ab94a9fd2909c275fd9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1fb55c63a1c6e7532bdadddfa8f61512

SHA1
6090750098812122397ce6d74ce37b6950d20cce

SHA256
bac372fa4bb9813ec67f68e65757cca322bb88c9b4285e8460522f332c1170f0

SHA512
1bffc76918efca0c795b031add1ffc44104605e89499e3a7e3b6a0c32dca2175f2d591a4fa0ac19de5d0ece67b1aa5cefcdc5eb65524d4839dfd0af7ba81b2b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5a6206a3489650bf4a9c3ce44a428126

SHA1
3137a909ef8b098687ec536c57caa1bacc77224b

SHA256
0a9e623c6df237c02a585539bffb8249de48949c6d074fe0aaf43063731a3e28

SHA512
980da83c3142bf08433ec1770a2ec5f5560daf3ee680466f89beae8290e921c0db677489daad055fbc1f196388f8bc4f60e050600381f860b06d330062440a78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2ae5a4dce48356da0fe3e30377da9a2a

SHA1
86c5080b67a82b2d649d477be191e742cd79a077

SHA256
1b8014d44ea50198494631fe8d2c83dc8106676bdfc3454603570b37856bab7a

SHA512
58aa0d0ea44c8caecefa22815e7d1a349db31160803e9edcf23582254697e7fd8d607733dc7ba2743a986178fa7d2f792c6e827f020ab969adc38ada876a4bdd

Download Submit