hxxps://6d4[.]net/installer/host2[.]4/admin/js/ms[.]php

Resubmissions

10-12-2023 22:54

231210-2vh7gaefam 1

10-12-2023 22:48

231210-2q3ejsffh5 1

Analysis

max time kernel
153s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2023 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://6d4.net/installer/host2.4/admin/js/ms.php

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4476	msedge.exe
4476	msedge.exe
4308	msedge.exe
4308	msedge.exe
2340	identity_helper.exe
2340	identity_helper.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 4684	4308	msedge.exe	84
PID 4308 wrote to memory of 4684	4308	msedge.exe	84
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 496	4308	msedge.exe	87
PID 4308 wrote to memory of 4476	4308	msedge.exe	86
PID 4308 wrote to memory of 4476	4308	msedge.exe	86
PID 4308 wrote to memory of 4048	4308	msedge.exe	88
PID 4308 wrote to memory of 4048	4308	msedge.exe	88
PID 4308 wrote to memory of 4048	4308	msedge.exe	88
PID 4308 wrote to memory of 4048	4308	msedge.exe	88
PID 4308 wrote to memory of 4048	4308	msedge.exe	88
PID 4308 wrote to memory of 4048	4308	msedge.exe	88
PID 4308 wrote to memory of 4048	4308	msedge.exe	88
PID 4308 wrote to memory of 4048	4308	msedge.exe	88
PID 4308 wrote to memory of 4048	4308	msedge.exe	88
PID 4308 wrote to memory of 4048	4308	msedge.exe	88
PID 4308 wrote to memory of 4048	4308	msedge.exe	88
PID 4308 wrote to memory of 4048	4308	msedge.exe	88
PID 4308 wrote to memory of 4048	4308	msedge.exe	88
PID 4308 wrote to memory of 4048	4308	msedge.exe	88
PID 4308 wrote to memory of 4048	4308	msedge.exe	88
PID 4308 wrote to memory of 4048	4308	msedge.exe	88
PID 4308 wrote to memory of 4048	4308	msedge.exe	88
PID 4308 wrote to memory of 4048	4308	msedge.exe	88
PID 4308 wrote to memory of 4048	4308	msedge.exe	88
PID 4308 wrote to memory of 4048	4308	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://6d4.net/installer/host2.4/admin/js/ms.php
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff83aa46f8,0x7fff83aa4708,0x7fff83aa4718
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,18215716220726655600,16052278110406877403,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,18215716220726655600,16052278110406877403,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,18215716220726655600,16052278110406877403,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18215716220726655600,16052278110406877403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
  2⤵
  PID:1340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18215716220726655600,16052278110406877403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18215716220726655600,16052278110406877403,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:3808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18215716220726655600,16052278110406877403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18215716220726655600,16052278110406877403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18215716220726655600,16052278110406877403,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
  2⤵
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,18215716220726655600,16052278110406877403,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 /prefetch:8
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,18215716220726655600,16052278110406877403,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,18215716220726655600,16052278110406877403,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
208a234643c411e1b919e904ee20115e

SHA1
400b6e6860953f981bfe4716c345b797ed5b2b5b

SHA256
af80020ae43388bbd3db31c75aade369d489a30a933574dea19163e094d5f458

SHA512
2779b96325234c836cbb91820ee332ed56c15b534ec0c7770b322a5c03849ec3ee67b0ec7978e1fab563eeed1cea96f5155d7b942702555d9352ff6711a548d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\31ab7625-331b-4088-a0b9-27a48b9f005d.tmp

Filesize
5KB

MD5
eab01daee23cd1ea114125d894772823

SHA1
308f80ecb8b2c0118a2e1cbbbec19680c924b8ef

SHA256
1b19cdd601a926007d3f0cf26e031075a95360d9081680f76f3bc97324842b97

SHA512
2370999d45732593b9e67442e7a95dd8c21487af104ba534fe48ab07696a02528d74718cb00863515dde6c5e34e85fc92150035f7dc2ad0a6cf59d532463ea3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
465B

MD5
1a419a957ce30844744a7e2bfd16475b

SHA1
ee71f3aa95466ee710a51c0e871e281aaafeaa20

SHA256
cbee33e4615289610f317179de4dfda5ef3e6cb3d68703f4d7f8e153eccb707f

SHA512
86cacc1dbd78c8e2ea0325ebc9288d5a92df76aee9fe6aa760467436c508387e91214e32b02f4472d4223d1efac388bddfa436530b3fc8abcf542542ba19d7fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
260c3e0e3862ca7d896bb3e0628eca5a

SHA1
c1eaa7931b4cf0e90381ab275a0bee6191071e4d

SHA256
e471b93e8bd3d2223f829a3b1bd1b24619792d88d1c891e1933becd15f9975e8

SHA512
7099b36e6728d816dbc30e189faf70094d032c6a65b9ef29d5189835b18fb9ac3fad6036f13507ea236935a25342596677b3b18b83dc2cc6ddf911a4323254c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5a6206a3489650bf4a9c3ce44a428126

SHA1
3137a909ef8b098687ec536c57caa1bacc77224b

SHA256
0a9e623c6df237c02a585539bffb8249de48949c6d074fe0aaf43063731a3e28

SHA512
980da83c3142bf08433ec1770a2ec5f5560daf3ee680466f89beae8290e921c0db677489daad055fbc1f196388f8bc4f60e050600381f860b06d330062440a78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d626b3ad7f44c2df20c425feac405c6e

SHA1
fe1255e73088dcd201a10f83d5841ba438880fa9

SHA256
ead86e6df6d60f701d2ada16289b024d099bb4a368aad795094eb86a5491cd65

SHA512
52468eb0be11416e3801c8a646d0f92c23569dcea09be92066f8681919a9effa5dffff683cba0dfb0e1865d06e9b6399df74a773368b64aeeba998a9c8034c6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8910505f04b8231f5554fd9323f2ecec

SHA1
c6a33a2ee4e559982cc06dc1c9d6fc04543d063a

SHA256
dd12b0654892be83c768b0257a064b5a743c31fffb60cfa42dcbc9bf519ed26f

SHA512
3a474af3066c8425eadcb55a94789b14d7257915d6bd444cbaf533b5cdb7c23569c9202cb2ee7f8ec138720625cba178b462281c587aa7319659318f92b01b79

Download Submit