hxxp://6wzs0v59[.]r[.]us-east-2[.]awstrack[.]me/L0/http[:]%2F%2Fapp[.]getresponse[.]com%2Fclick[.]html%3Fx=a62b%26lc=hfG22p%26mc=J8%26s=B2hbNAI%26u=IwOI8%26z=ES8AtJp%26%23cmViZWNjYS52aWxsYWxiYUB0Y2VxLnRleGFzLmdvdg==/1/010f0191321d6041-b3504224-0e57-47c6-961c-19a9d1d90b66-000000/u_U-0ca6Oi9sW12ayRmX0qEKJ2k=171

Resubmissions

12-08-2024 13:30

240812-qrv63sxcra 3

12-08-2024 13:28

240812-qqt8dsxcmd 3

Analysis

max time kernel
84s
max time network
89s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
12-08-2024 13:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://6wzs0v59.r.us-east-2.awstrack.me/L0/http:%2F%2Fapp.getresponse.com%2Fclick.html%3Fx=a62b%26lc=hfG22p%26mc=J8%26s=B2hbNAI%26u=IwOI8%26z=ES8AtJp%26%23cmViZWNjYS52aWxsYWxiYUB0Y2VxLnRleGFzLmdvdg==/1/010f0191321d6041-b3504224-0e57-47c6-961c-19a9d1d90b66-000000/u_U-0ca6Oi9sW12ayRmX0qEKJ2k=171

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4360	msedge.exe
4360	msedge.exe
3224	msedge.exe
3224	msedge.exe
2936	msedge.exe
2936	msedge.exe
1176	identity_helper.exe
1176	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3224 wrote to memory of 3672	3224	msedge.exe	78
PID 3224 wrote to memory of 3672	3224	msedge.exe	78
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 440	3224	msedge.exe	79
PID 3224 wrote to memory of 4360	3224	msedge.exe	80
PID 3224 wrote to memory of 4360	3224	msedge.exe	80
PID 3224 wrote to memory of 3404	3224	msedge.exe	81
PID 3224 wrote to memory of 3404	3224	msedge.exe	81
PID 3224 wrote to memory of 3404	3224	msedge.exe	81
PID 3224 wrote to memory of 3404	3224	msedge.exe	81
PID 3224 wrote to memory of 3404	3224	msedge.exe	81
PID 3224 wrote to memory of 3404	3224	msedge.exe	81
PID 3224 wrote to memory of 3404	3224	msedge.exe	81
PID 3224 wrote to memory of 3404	3224	msedge.exe	81
PID 3224 wrote to memory of 3404	3224	msedge.exe	81
PID 3224 wrote to memory of 3404	3224	msedge.exe	81
PID 3224 wrote to memory of 3404	3224	msedge.exe	81
PID 3224 wrote to memory of 3404	3224	msedge.exe	81
PID 3224 wrote to memory of 3404	3224	msedge.exe	81
PID 3224 wrote to memory of 3404	3224	msedge.exe	81
PID 3224 wrote to memory of 3404	3224	msedge.exe	81
PID 3224 wrote to memory of 3404	3224	msedge.exe	81
PID 3224 wrote to memory of 3404	3224	msedge.exe	81
PID 3224 wrote to memory of 3404	3224	msedge.exe	81
PID 3224 wrote to memory of 3404	3224	msedge.exe	81
PID 3224 wrote to memory of 3404	3224	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://6wzs0v59.r.us-east-2.awstrack.me/L0/http:%2F%2Fapp.getresponse.com%2Fclick.html%3Fx=a62b%26lc=hfG22p%26mc=J8%26s=B2hbNAI%26u=IwOI8%26z=ES8AtJp%26%23cmViZWNjYS52aWxsYWxiYUB0Y2VxLnRleGFzLmdvdg==/1/010f0191321d6041-b3504224-0e57-47c6-961c-19a9d1d90b66-000000/u_U-0ca6Oi9sW12ayRmX0qEKJ2k=171
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9a2eb3cb8,0x7ff9a2eb3cc8,0x7ff9a2eb3cd8
  2⤵
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,4517323655567302325,9842807644885820137,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,4517323655567302325,9842807644885820137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,4517323655567302325,9842807644885820137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4517323655567302325,9842807644885820137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3048 /prefetch:1
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4517323655567302325,9842807644885820137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4517323655567302325,9842807644885820137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1668 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4517323655567302325,9842807644885820137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:1424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4517323655567302325,9842807644885820137,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,4517323655567302325,9842807644885820137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3220 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4517323655567302325,9842807644885820137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4517323655567302325,9842807644885820137,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,4517323655567302325,9842807644885820137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b4ae6009e2df12ce252d03722e8f4288

SHA1
44de96f65d69cbae416767040f887f68f8035928

SHA256
7778069a1493fdb62e6326ba673f03d9a8f46bc0eea949aabbbbc00dcdaddf9d

SHA512
bb810721e52c77793993470692bb2aab0466f13ed4576e4f4cfa6bc5fcfc59c13552299feb6dfd9642ea07b19a5513d90d0698d09ca1d15e0598133929c05fe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4bf4b59c3deb1688a480f8e56aab059d

SHA1
612c83e7027b3bfb0e9d2c9efad43c5318e731bb

SHA256
867ab488aa793057395e9c10f237603cfb180689298871cdf0511132f9628c82

SHA512
2ec6c89f9653f810e9f80f532abaff2a3c0276f6d299dce1b1eadf6a59e8072ed601a4f9835db25d4d2610482a00dd5a0852d0ef828678f5c5ed33fe64dddca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
601B

MD5
7045b5089b265ccbd118f74d9920749c

SHA1
15ab6a94099a972e971c9cdcb0694e9c658de907

SHA256
b813621e52b23b349c9ced4353257ee2d665326ae4d72489a747538e6e67cf6d

SHA512
15d8baa1d28b63e388e53943c9c87c7b45ee208d5dd46bbb3838332ab217fac5eeacb751678bf53f2cb2b138648d4a8da84fb70c46def55b08b420241347b911

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c7249d8fe40080a6ace4dd4685a6cfbc

SHA1
6aa6453ac708090864b230c00aa555b6f2366183

SHA256
5f7da217d6fc5763102a2ad44b771ce3347852ed0290cdb561bacab106dd3ab7

SHA512
03557f205848cf8d1e28ec032ce6226824de5802ead8f1bae655a3494c09380b5620a1d406cb59e89587f6b2c243f4887e761da54fa50ceea75319b0933f536f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
769c93afbc7e1679fb7032990b6e5178

SHA1
d53bc42ee619bccc1182c3936fcec44850eb2fa4

SHA256
19ad3575d4ec9526d0753e88cae6556e068dced97c44274e429d69428332a72b

SHA512
632a20448e1bf0f198ba8bf0c8bdce64e3d948aab89b67bb84ce18f836b126946be538a064ddb2ad695163bd423263a269d13dd4358cd1a635517a9cfb9fcbd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6a112373baecbdf126650c6ac5683b6a

SHA1
a7c68b455e26aee48c60ebae23182c2f91bb7848

SHA256
89326b6ccd9a7901a0c28fc8d3ef0b1e4fc93c07e9d3e4806d116315b7b1e854

SHA512
01f148a2b2597583fc7c02d6e39677dd5e30b885598b75981cc95927134072f3f21a071da4f34c53d1401bfacb60c8e805b8e9e995e94fe7d4f5af9f075ce263

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ffec89a74ff64fc4f56580deb0b37908

SHA1
4d01f41dcc26b136629365cdb823bbf2231784fc

SHA256
3352fdbd21fc3f2c627fd25472de0cfbc5f8c74e08b5cb54234edc332f5ef372

SHA512
6d4ac810dd446aeb290303bb18b0e737416b1f2632eda0da776e7e41215c0ac3c47fa1f422619309da09920009cb75f0788e23b89254869212fedf78e3b88dfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8dbdbb80e31b0aaecf8f2791798feabf

SHA1
ef086b686b98c352f02a0a4e32ac619a801199d7

SHA256
a57135378625510763569ebeb361033300483ae1857bc3665ec62f0c8072dc3f

SHA512
ad47b4706f1c74640f3621877f6420e85f135b8bfac3341694c734e49080db3783765247f5e16568b5798a99cfe8c25a1cfb54d3109fc9c89ac5b585c6b5fbda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\a8a2dab7-0aea-4a79-a0e7-75039274ffd5.tmp

Filesize
11KB

MD5
758cde0198e4cdfda3848c25e131b241

SHA1
fca94e849821e61d83dc1dbd224eabe8626b6b1c

SHA256
a7bdac58f9a65aea4fcdc068e4c30a28e323ebb8517eb6e4f6ba30ec8df91325

SHA512
c046bd90e7176315832420dd5894f74511f4c76d596cedeb46a79742af5b498979954dad9d6e87dfea190f550c57ed0c5c20ba6e2f5f36028f4dc4aa618f46e6

Download Submit