hxxp://r20[.]rs6[.]net

Resubmissions

24/01/2024, 05:08

240124-fs3x7sbdbm 1

24/01/2024, 05:07

240124-fsgd7sbeh2 1

Analysis

max time kernel
25s
max time network
14s
platform
windows11-21h2_x64
resource
win11-20231222-en
resource tags

arch:x64arch:x86image:win11-20231222-enlocale:en-usos:windows11-21h2-x64system
submitted
24/01/2024, 05:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://r20.rs6.net

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2512	msedge.exe
2512	msedge.exe
2788	msedge.exe
2788	msedge.exe
1960	identity_helper.exe
1960	identity_helper.exe
3192	msedge.exe
3192	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 3428	2788	msedge.exe	79
PID 2788 wrote to memory of 3428	2788	msedge.exe	79
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 1568	2788	msedge.exe	81
PID 2788 wrote to memory of 2512	2788	msedge.exe	82
PID 2788 wrote to memory of 2512	2788	msedge.exe	82
PID 2788 wrote to memory of 4156	2788	msedge.exe	83
PID 2788 wrote to memory of 4156	2788	msedge.exe	83
PID 2788 wrote to memory of 4156	2788	msedge.exe	83
PID 2788 wrote to memory of 4156	2788	msedge.exe	83
PID 2788 wrote to memory of 4156	2788	msedge.exe	83
PID 2788 wrote to memory of 4156	2788	msedge.exe	83
PID 2788 wrote to memory of 4156	2788	msedge.exe	83
PID 2788 wrote to memory of 4156	2788	msedge.exe	83
PID 2788 wrote to memory of 4156	2788	msedge.exe	83
PID 2788 wrote to memory of 4156	2788	msedge.exe	83
PID 2788 wrote to memory of 4156	2788	msedge.exe	83
PID 2788 wrote to memory of 4156	2788	msedge.exe	83
PID 2788 wrote to memory of 4156	2788	msedge.exe	83
PID 2788 wrote to memory of 4156	2788	msedge.exe	83
PID 2788 wrote to memory of 4156	2788	msedge.exe	83
PID 2788 wrote to memory of 4156	2788	msedge.exe	83
PID 2788 wrote to memory of 4156	2788	msedge.exe	83
PID 2788 wrote to memory of 4156	2788	msedge.exe	83
PID 2788 wrote to memory of 4156	2788	msedge.exe	83
PID 2788 wrote to memory of 4156	2788	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://r20.rs6.net
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa88753cb8,0x7ffa88753cc8,0x7ffa88753cd8
  2⤵
  PID:3428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,16702165646747407743,9917649951228958094,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,16702165646747407743,9917649951228958094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,16702165646747407743,9917649951228958094,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
  2⤵
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,16702165646747407743,9917649951228958094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,16702165646747407743,9917649951228958094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,16702165646747407743,9917649951228958094,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,16702165646747407743,9917649951228958094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:3728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,16702165646747407743,9917649951228958094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:3312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,16702165646747407743,9917649951228958094,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,16702165646747407743,9917649951228958094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,16702165646747407743,9917649951228958094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3192

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\5dbbf95f-52a6-428e-b425-f774a35cf6a3.tmp

Filesize
10KB

MD5
fe0c1189a2370aee923a70630ebb1e2a

SHA1
3b49e4ee5ef0c02da96fe97778f3d1f919224267

SHA256
36e0f38662e1a05590b18dd8a617196aa2c0dc1ad7690a6e23adf4da0e4563a1

SHA512
010b92a5c28291fd040ba20fef4fa2a0b1a770bc17d728941058fee0b25c794569cf802c7b5488768e499a4851c67c7f417de2040bef7ee7611cc1a9b89abebc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dbe72a1f5827efc08f70d06ef815d46

SHA1
6aacd61519fce53ecb92e5e61207a6c29c01f47b

SHA256
dd673404dd6deb2d2b331316370fd05e47c01b9dc489640f05b50898d536a6e3

SHA512
2e6115ca818df5f5b7985caf3ce2324e266b376f6180f84b44e9ae725e037a8456c2cd63e22b9750e2ba27f4c7460dfa429ce9910517a728b056e5f1e730e25a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
a4c9eca4686345e95e6d065509f7534e

SHA1
16f2064b3e2734a4a63e60a26b0d5e76931bd388

SHA256
1ade15680dc156a123768cf9fc62514099e0a6744239db88169b5408bad9b362

SHA512
402357cd9ef66faf35c33f2df04175b79b3e0ed65199243a9eab3fcc72e10c87892571638160ddb065101491722c96ff936eb93563b9f7644b31f40dd0858100

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2fd8c8a0742c5237711fd8e69d0ea7ad

SHA1
28b3f1d30641b1eb19af2ba08f07750c67509355

SHA256
03b1c23df3d8d1e2bc514c8240419c5d0e55305ccd19a6d6709f1d0cc82b16c1

SHA512
6b6e537132e661cf1a55506926b138763fdfc0b9088fb6c9f3bd7c73de7342a7ab77593048e7a80612db95b5d860a53e75e4cc9d4e3422251b733bb86d6abc1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
e5477be1e6c4cc9f570c69a84dd4f681

SHA1
fdcbdc83ccfef1c270b927c6815e641f6d96a132

SHA256
f06ab204d1d24ecd2d13e473bf807a8fc65ed09114a227966b4a308bd7eaa531

SHA512
24eb3338f0a7be6df183c5d5f22831bed07ce0779dcc124e805364a128a08f571160a6809556cd1de323c9d3cc64299855978967c8693b8324cd9bb22f5ffe14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit