hxxps://workdrive[.]zohoexternal[.]com/file/b2kzmfea096afe28342d580156857e8dcd3c6

Resubmissions

23-11-2022 10:28

221123-mhz7wseb58 4

Analysis

max time kernel
56s
max time network
58s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
23-11-2022 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://workdrive.zohoexternal.com/file/b2kzmfea096afe28342d580156857e8dcd3c6

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 4 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 7bef3f1b21bed801	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\zohoexternal.com\NumberOfSub = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 10cd808a26ffd801	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{42403677-10E0-4A1C-8142-63BB92C1EC = "8320"	browser_broker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 046bce6f26ffd801	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 4ae2b67526ffd801	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{42403677-10E0-4A1C-8142-63BB92C1EC	browser_broker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 7bef3f1b21bed801	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000579ceb2abfe5efe9b16597ac28d2f3614fc89514e3317ae41c119e5d681f2f177ef0359d4489e34de99ac42291d1b1a19ce84bd49e6f19f4767740ddd58d47bdd3c545abcca9cad757594b4b80454544d497c05a8353aebade51	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\zohoexternal.com\NumberOf = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000b1c0a6c8b1607433ab3c8871aa74c691c168ce5f75b8deee6645e5858a2a1b2518d7cc477abd2d1755465919f7828b52e29629f4e5ddccd9bcb7	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.gfgfg.com\ = "971"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\workdrive.zohoexternal.co	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{42403677-10E0-4A1C-8142-63BB92C1EC = 03146f7b26ffd801	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405"	MicrosoftEdge.exe

NTFS ADS 1 IoCs

Processes:

browser_broker.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\SUMMON_LETTER.html.xmxojsl.partial:Zone.Identifier	browser_broker.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

572 powershell.exe
572 powershell.exe
572 powershell.exe
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

4840 MicrosoftEdgeCP.exe
4840 MicrosoftEdgeCP.exe
4840 MicrosoftEdgeCP.exe
4840 MicrosoftEdgeCP.exe
4840 MicrosoftEdgeCP.exe
4840 MicrosoftEdgeCP.exe

pid	process
572	powershell.exe
572	powershell.exe
572	powershell.exe

pid	process
4840	MicrosoftEdgeCP.exe
4840	MicrosoftEdgeCP.exe
4840	MicrosoftEdgeCP.exe
4840	MicrosoftEdgeCP.exe
4840	MicrosoftEdgeCP.exe
4840	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

powershell.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	pid	process
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	4076	MicrosoftEdge.exe
Token: SeDebugPrivilege	4076	MicrosoftEdge.exe
Token: SeDebugPrivilege	4076	MicrosoftEdge.exe
Token: SeDebugPrivilege	4076	MicrosoftEdge.exe
Token: SeDebugPrivilege	696	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	696	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	696	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	696	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1040	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1040	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4076	MicrosoftEdge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

4076 MicrosoftEdge.exe
4840 MicrosoftEdgeCP.exe
4840 MicrosoftEdgeCP.exe

pid	process
4076	MicrosoftEdge.exe
4840	MicrosoftEdgeCP.exe
4840	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

MicrosoftEdgeCP.exe

description	pid	process	target process
PID 4840 wrote to memory of 696	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 696	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 696	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 696	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 696	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 696	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 696	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 696	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 696	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 696	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 696	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 696	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 696	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 696	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 696	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 696	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 696	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 696	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 696	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 696	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 696	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 696	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 696	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 696	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 696	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 696	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 1916	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 1916	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 1916	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 1916	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 1916	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 1916	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 1916	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 1916	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 1916	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 1916	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 1916	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 1916	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 1916	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 1916	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 1916	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 1916	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 1916	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 1916	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 1916	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4840 wrote to memory of 1916	4840	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start shell:Appsfolder\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge https://workdrive.zohoexternal.com/file/b2kzmfea096afe28342d580156857e8dcd3c6
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4076

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
PID:4936

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4840

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:696

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:1916

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\SUMMON_LETTER.html

Filesize
6KB

MD5
8d11239d91fe1a9c54df5107c7064f82

SHA1
3495b1ba10a85818ddec0f6e84c1d5705d363c0b

SHA256
c5648cbb53b369fe922ba8880e091dc7a16929a9b646aa5496bd49ff858f7005

SHA512
59695ede0206782fdd608b3de0f805606d1b1fca85209f215c878554f5eb56bab75bc77497d0629f4af7a4b6691140279321fe65c735f91f50f3b5e541795527

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\SUMMON_LETTER.html.xmxojsl.partial

Filesize
6KB

MD5
8d11239d91fe1a9c54df5107c7064f82

SHA1
3495b1ba10a85818ddec0f6e84c1d5705d363c0b

SHA256
c5648cbb53b369fe922ba8880e091dc7a16929a9b646aa5496bd49ff858f7005

SHA512
59695ede0206782fdd608b3de0f805606d1b1fca85209f215c878554f5eb56bab75bc77497d0629f4af7a4b6691140279321fe65c735f91f50f3b5e541795527

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\UKX1KO0R\SUMMON_LETTER[1].html

Filesize
6KB

MD5
8d11239d91fe1a9c54df5107c7064f82

SHA1
3495b1ba10a85818ddec0f6e84c1d5705d363c0b

SHA256
c5648cbb53b369fe922ba8880e091dc7a16929a9b646aa5496bd49ff858f7005

SHA512
59695ede0206782fdd608b3de0f805606d1b1fca85209f215c878554f5eb56bab75bc77497d0629f4af7a4b6691140279321fe65c735f91f50f3b5e541795527

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
b7aa9100bcda9a953c99612641c9137d

SHA1
cc775239cef2d7cc0799c2cbfb6ca07395825251

SHA256
c087e63b59c0f2db41b8b5bc938cb54ea5bec2870f2aa31000fe640a6f3efed7

SHA512
9fb9857561bf5f75eb4c84d782142b02534a7e1a5e39a9f1fe229e2d5f7e062a5a432da9fd4f7d1f4876340db31c5a3fc02ea4daaa58107faa1c191b8bc802ce

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\Windows\3720402701\2219095117.pri

Filesize
207KB

MD5
e2b88765ee31470114e866d939a8f2c6

SHA1
e0a53b8511186ff308a0507b6304fb16cabd4e1f

SHA256
523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e

SHA512
462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d

Download Submit
memory/572-124-0x0000025872A50000-0x0000025872A72000-memory.dmp

Filesize
136KB

Download
memory/572-127-0x0000025873160000-0x00000258731D6000-memory.dmp

Filesize
472KB

Download
memory/696-152-0x000001C72A700000-0x000001C72A800000-memory.dmp

Filesize
1024KB

Download
memory/4076-145-0x0000018A41400000-0x0000018A41410000-memory.dmp

Filesize
64KB

Download
memory/4076-146-0x0000018A41B00000-0x0000018A41B10000-memory.dmp

Filesize
64KB

Download