hxxp://kon[.]com

Resubmissions

02/08/2024, 03:10

240802-dphfzsxdmg 3

02/08/2024, 03:06

240802-dlynssxcma 3

02/08/2024, 02:48

240802-dapazswflg 3

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://kon.com

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2412	msedge.exe
2412	msedge.exe
336	msedge.exe
336	msedge.exe
4800	identity_helper.exe
4800	identity_helper.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 336 wrote to memory of 1064	336	msedge.exe	83
PID 336 wrote to memory of 1064	336	msedge.exe	83
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 4508	336	msedge.exe	84
PID 336 wrote to memory of 2412	336	msedge.exe	85
PID 336 wrote to memory of 2412	336	msedge.exe	85
PID 336 wrote to memory of 2288	336	msedge.exe	86
PID 336 wrote to memory of 2288	336	msedge.exe	86
PID 336 wrote to memory of 2288	336	msedge.exe	86
PID 336 wrote to memory of 2288	336	msedge.exe	86
PID 336 wrote to memory of 2288	336	msedge.exe	86
PID 336 wrote to memory of 2288	336	msedge.exe	86
PID 336 wrote to memory of 2288	336	msedge.exe	86
PID 336 wrote to memory of 2288	336	msedge.exe	86
PID 336 wrote to memory of 2288	336	msedge.exe	86
PID 336 wrote to memory of 2288	336	msedge.exe	86
PID 336 wrote to memory of 2288	336	msedge.exe	86
PID 336 wrote to memory of 2288	336	msedge.exe	86
PID 336 wrote to memory of 2288	336	msedge.exe	86
PID 336 wrote to memory of 2288	336	msedge.exe	86
PID 336 wrote to memory of 2288	336	msedge.exe	86
PID 336 wrote to memory of 2288	336	msedge.exe	86
PID 336 wrote to memory of 2288	336	msedge.exe	86
PID 336 wrote to memory of 2288	336	msedge.exe	86
PID 336 wrote to memory of 2288	336	msedge.exe	86
PID 336 wrote to memory of 2288	336	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://kon.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f6b846f8,0x7ff8f6b84708,0x7ff8f6b84718
  2⤵
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,6315062306332922771,10773676921362164283,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,6315062306332922771,10773676921362164283,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,6315062306332922771,10773676921362164283,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6315062306332922771,10773676921362164283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6315062306332922771,10773676921362164283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,6315062306332922771,10773676921362164283,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,6315062306332922771,10773676921362164283,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6315062306332922771,10773676921362164283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2296 /prefetch:1
  2⤵
  PID:64
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6315062306332922771,10773676921362164283,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6315062306332922771,10773676921362164283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6315062306332922771,10773676921362164283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6315062306332922771,10773676921362164283,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3692 /prefetch:1
  2⤵
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,6315062306332922771,10773676921362164283,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6140 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4264

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8edf5aee848362b3fa4c7102382947c3

SHA1
0ca71672592fef3c37dbf92a155d747c927b433f

SHA256
16594552785f10884854bf38d179c9c3d26d023a089180bfe5a3ceb03c395e6d

SHA512
a8863cfcea01c05938edd34690db467f0d429f0598528f23392ca7e7233a9b2fe2eaf7b886ac965e22e8c63ee79af84654e5b2f7e94033e5f54622f7b9584893

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
78d53c4ecb4f237a195804abc28ebb1e

SHA1
5b036abe11431d0c164cc5427aa7eaaa2d8d1580

SHA256
b1ead24150c5c17d1e8cdfaa64b4395cb1b0872c6f4bb25eb8e024ba0e39c847

SHA512
90c1e12b736dc1a644262a44141f4bd7eb5fe935249978d1ff083e39017652ab847107add5b5fbeec6318db181cd22a728938fba7c384c8023ed8e3c03e61496

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
e522126c386d67d3730b7d99bb94b5a1

SHA1
088a0cb7f342a34a211fe3db06dbd16630436583

SHA256
be454e55f3c1fd1a625dcc8a6876186bd560f61ea146b87862e4c266dfd49bda

SHA512
abab75ab89420e057e8be8b33bc96abade5f78f3fc7a8c7deb8e058b168a202276c07e195784890f303ea94c63f8f8ed3f509dc808ae0a1ed74dc3521cd206e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
d4c49160a8081a1cca2306044cb32d25

SHA1
a53f57d1e57092c4962384685ca8060d00845cdf

SHA256
b50d41fe2687a61451247065cf14a7e87bbef61fabf3454eab1583326467c29d

SHA512
76ca4ece90b252029621c38299688a64e93cb1ef6fb581ba0c331d233cc0ae9947108d0078463461e6a2d499dcdb7c96d9c186c4d7f3b4d91cd4190748e615d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8fca6f88d509e2316953bf5895426da4

SHA1
be1d850eef4580ff1a21ba0d5b340f3ce475e4d2

SHA256
a7d86ac11cdd2e1962a23a43955fe69db55e5bb1047d0281c137e19e74a84299

SHA512
21a895451b31ae290f0c544b056388e05a31867152b24f42977b9d55eb891cdfcaa42fc65d04352e6033b3e11f7383537952da87a2949d473bea4e3d00553f66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e98cae8873ee6fcf16cf26c401b56542

SHA1
677330231ef8bc073e87cd0017a62884728ed92f

SHA256
92d63abf45ca2668533a1099d695caf41d68b2d2840522db2ea90dd34b981354

SHA512
94d90fdbf894969121392787d76ddc34d94a272402fc716cd6fe7979febee74b002977f8d2ab12b9c8085eef92d63202659f4f7ff6b3019f0242cd0c69557c91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
675ac04579af2852b3678de39a411a0c

SHA1
e4ce7dc852fc3d390822d4f6b0c53aafeb9ae309

SHA256
7eeca6d0890b45bac33e9da802bcd2db135cf13073d5cb1839a633effaee8be6

SHA512
3a45631aa9943b55f8a4d47936deb03b3b1037260aa29b61d8a781882c848be2c54cc813d5693b6e29f4efe3f0301128c9950c1836c9d112581bf60c2b4646fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bba8121d469c29edefb45adb8920941c

SHA1
910b83d49890c05f4c25cf45d06bbc8fcc3981af

SHA256
999b836950575a5745e7e7a8900d53d33f7e075cb98e349173ac302e2b0a2fd1

SHA512
864faf5446a5b81fca24fb3e228fb9b73b98c6e4efecdcaea6327cdb92bd2b5a3666d1ec3f51a47e27142a1ad1dd9258ecf6eba9d0df6c6844458cc006c47582

Download Submit