hxxps://microsoftedgewelcome[.]microsoft[.]com/en-us/mb03?form=M10005&slide=tools

Analysis

max time kernel
46s
max time network
47s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2023 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://microsoftedgewelcome.microsoft.com/en-us/mb03?form=M10005&slide=tools

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133245845657709511"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1168	chrome.exe
1168	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1168	chrome.exe
Token: SeCreatePagefilePrivilege	1168	chrome.exe
Token: SeShutdownPrivilege	1168	chrome.exe
Token: SeCreatePagefilePrivilege	1168	chrome.exe
Token: SeShutdownPrivilege	1168	chrome.exe
Token: SeCreatePagefilePrivilege	1168	chrome.exe
Token: SeShutdownPrivilege	1168	chrome.exe
Token: SeCreatePagefilePrivilege	1168	chrome.exe
Token: SeShutdownPrivilege	1168	chrome.exe
Token: SeCreatePagefilePrivilege	1168	chrome.exe
Token: SeShutdownPrivilege	1168	chrome.exe
Token: SeCreatePagefilePrivilege	1168	chrome.exe
Token: SeShutdownPrivilege	1168	chrome.exe
Token: SeCreatePagefilePrivilege	1168	chrome.exe
Token: SeShutdownPrivilege	1168	chrome.exe
Token: SeCreatePagefilePrivilege	1168	chrome.exe
Token: SeShutdownPrivilege	1168	chrome.exe
Token: SeCreatePagefilePrivilege	1168	chrome.exe
Token: SeShutdownPrivilege	1168	chrome.exe
Token: SeCreatePagefilePrivilege	1168	chrome.exe
Token: SeShutdownPrivilege	1168	chrome.exe
Token: SeCreatePagefilePrivilege	1168	chrome.exe
Token: SeShutdownPrivilege	1168	chrome.exe
Token: SeCreatePagefilePrivilege	1168	chrome.exe
Token: SeShutdownPrivilege	1168	chrome.exe
Token: SeCreatePagefilePrivilege	1168	chrome.exe
Token: SeShutdownPrivilege	1168	chrome.exe
Token: SeCreatePagefilePrivilege	1168	chrome.exe
Token: SeShutdownPrivilege	1168	chrome.exe
Token: SeCreatePagefilePrivilege	1168	chrome.exe
Token: SeShutdownPrivilege	1168	chrome.exe
Token: SeCreatePagefilePrivilege	1168	chrome.exe
Token: SeShutdownPrivilege	1168	chrome.exe
Token: SeCreatePagefilePrivilege	1168	chrome.exe
Token: SeShutdownPrivilege	1168	chrome.exe
Token: SeCreatePagefilePrivilege	1168	chrome.exe
Token: SeShutdownPrivilege	1168	chrome.exe
Token: SeCreatePagefilePrivilege	1168	chrome.exe
Token: SeShutdownPrivilege	1168	chrome.exe
Token: SeCreatePagefilePrivilege	1168	chrome.exe
Token: SeShutdownPrivilege	1168	chrome.exe
Token: SeCreatePagefilePrivilege	1168	chrome.exe
Token: SeShutdownPrivilege	1168	chrome.exe
Token: SeCreatePagefilePrivilege	1168	chrome.exe
Token: SeShutdownPrivilege	1168	chrome.exe
Token: SeCreatePagefilePrivilege	1168	chrome.exe
Token: SeShutdownPrivilege	1168	chrome.exe
Token: SeCreatePagefilePrivilege	1168	chrome.exe
Token: SeShutdownPrivilege	1168	chrome.exe
Token: SeCreatePagefilePrivilege	1168	chrome.exe
Token: SeShutdownPrivilege	1168	chrome.exe
Token: SeCreatePagefilePrivilege	1168	chrome.exe
Token: SeShutdownPrivilege	1168	chrome.exe
Token: SeCreatePagefilePrivilege	1168	chrome.exe
Token: SeShutdownPrivilege	1168	chrome.exe
Token: SeCreatePagefilePrivilege	1168	chrome.exe
Token: SeShutdownPrivilege	1168	chrome.exe
Token: SeCreatePagefilePrivilege	1168	chrome.exe
Token: SeShutdownPrivilege	1168	chrome.exe
Token: SeCreatePagefilePrivilege	1168	chrome.exe
Token: SeShutdownPrivilege	1168	chrome.exe
Token: SeCreatePagefilePrivilege	1168	chrome.exe
Token: SeShutdownPrivilege	1168	chrome.exe
Token: SeCreatePagefilePrivilege	1168	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe
1168	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 3784	1168	chrome.exe	79
PID 1168 wrote to memory of 3784	1168	chrome.exe	79
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 800	1168	chrome.exe	82
PID 1168 wrote to memory of 4904	1168	chrome.exe	83
PID 1168 wrote to memory of 4904	1168	chrome.exe	83
PID 1168 wrote to memory of 3280	1168	chrome.exe	84
PID 1168 wrote to memory of 3280	1168	chrome.exe	84
PID 1168 wrote to memory of 3280	1168	chrome.exe	84
PID 1168 wrote to memory of 3280	1168	chrome.exe	84
PID 1168 wrote to memory of 3280	1168	chrome.exe	84
PID 1168 wrote to memory of 3280	1168	chrome.exe	84
PID 1168 wrote to memory of 3280	1168	chrome.exe	84
PID 1168 wrote to memory of 3280	1168	chrome.exe	84
PID 1168 wrote to memory of 3280	1168	chrome.exe	84
PID 1168 wrote to memory of 3280	1168	chrome.exe	84
PID 1168 wrote to memory of 3280	1168	chrome.exe	84
PID 1168 wrote to memory of 3280	1168	chrome.exe	84
PID 1168 wrote to memory of 3280	1168	chrome.exe	84
PID 1168 wrote to memory of 3280	1168	chrome.exe	84
PID 1168 wrote to memory of 3280	1168	chrome.exe	84
PID 1168 wrote to memory of 3280	1168	chrome.exe	84
PID 1168 wrote to memory of 3280	1168	chrome.exe	84
PID 1168 wrote to memory of 3280	1168	chrome.exe	84
PID 1168 wrote to memory of 3280	1168	chrome.exe	84
PID 1168 wrote to memory of 3280	1168	chrome.exe	84
PID 1168 wrote to memory of 3280	1168	chrome.exe	84
PID 1168 wrote to memory of 3280	1168	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://microsoftedgewelcome.microsoft.com/en-us/mb03?form=M10005&slide=tools
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbaca99758,0x7ffbaca99768,0x7ffbaca99778
  2⤵
  PID:3784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1828 --field-trial-handle=1844,i,17610549156132942653,15632460542835844848,131072 /prefetch:2
  2⤵
  PID:800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1844,i,17610549156132942653,15632460542835844848,131072 /prefetch:8
  2⤵
  PID:4904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 --field-trial-handle=1844,i,17610549156132942653,15632460542835844848,131072 /prefetch:8
  2⤵
  PID:3280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3184 --field-trial-handle=1844,i,17610549156132942653,15632460542835844848,131072 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3192 --field-trial-handle=1844,i,17610549156132942653,15632460542835844848,131072 /prefetch:1
  2⤵
  PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4496 --field-trial-handle=1844,i,17610549156132942653,15632460542835844848,131072 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5004 --field-trial-handle=1844,i,17610549156132942653,15632460542835844848,131072 /prefetch:8
  2⤵
  PID:960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 --field-trial-handle=1844,i,17610549156132942653,15632460542835844848,131072 /prefetch:8
  2⤵
  PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 --field-trial-handle=1844,i,17610549156132942653,15632460542835844848,131072 /prefetch:8
  2⤵
  PID:1628

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
0c479dd62fd94819421ebedd36baa670

SHA1
702f22b4fe951372a77480f2e68478f3afacc649

SHA256
676758526c09c68a89a5f1d94e4da8df6e7b7cdcc9cf6e5102b4459d20a1d3cd

SHA512
fbf1c4e4724b1c3ddbc9b8f955c1198a9a2d70f87079b4be7a5adf0081129f909dea7b61a9caae01ee16386b058e879bb99cd153ac6d8cf1be620e41e53b07ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b2686a74053a81bc07e13606675885fd

SHA1
e9586e9c8bbc9939011c872266442c297c60dd1c

SHA256
981d44b4685c1c93530a1d110358acd5fe4e6f342a4d81ae148c0ed5debe6a63

SHA512
c998e39cfb6e914e0efb2c3e8f2869225565170d14512360544125885f679102070640d0fe73d7bbe49f818f93b02c0eba4e4677879f78dfddecb47852e39d3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2cdc07225153e271e28bbb0c05ce5354

SHA1
f4cb298f301ec2d8629d98270eb7959e2e17897a

SHA256
9db19327b136f3e4bb9eea313244e40524a6f18ed35a47706b61a6de26055b27

SHA512
b97e58139e48a5e8f1216e95710a22bf45687dfe36da9c06b7f3d285fd37331a9450f3a046eae3a715ab6b8b72c476c496b4f12c8e2027471a4653be0ca9fd16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5b48c180557f918fc6972082ebf3e8e9

SHA1
5349b933501331ab663b0e9ba0183c96538d0128

SHA256
6bb9416449287ae7cef1aad464b6cb7cef0466ad9a5b72ce7c72b4b9aea7be8f

SHA512
e728cad8c97bde04be9cda62f2b32b116e04d4c027394a906a84a121eec8c15fa311c8fbde7060432d1478ca55647702e8f495f2f4bec365bca17debd6a11f6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0c0761917ec249d6afcbc21857281be4

SHA1
351deda902e5edf1c82501958d37f746f15fd5a2

SHA256
15fd7e79e5a5892005b24be870171cf9c942cc7a44bba3c7f72e5a2004085233

SHA512
0b8a63f016c49ca28dd936985887c13a61634a944d87508e83dc2a91043927affb73235ff69052229e11491a391405ed9e06acdf732c44e7dac5245417263435

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
05407fd4e3f87cf958c2bfca7c29cd2a

SHA1
57d6a598274612401bcd5d602ff696a5dd31c6ff

SHA256
108efbe62852b6f25432ab4e5b0bbadead086f5f5378b1b538817c14a83c5b3d

SHA512
492b2cfd526845b47c85fe6098957783d8f691bc0ad6c59bef59ae32a4b61db8f3301ac177a21873c921ff5b1def4656f7c9849afbe0c5c0e36a2d40c776814e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
ea144c225a388efa543e9cfb14ab13a7

SHA1
b63784519a15d8df943fdfe04ac428b2d6d7afae

SHA256
d4d4118bb15bfeaf7ce4fc962030604693eddfcd8bb68d511ec09f8aa3a77a51

SHA512
f0ba272905f96775a17c316ee425a1c36fb230e66b486f4d3661f7c190e2c712ce94300c4ce470b5ae3bc0e50d58adb5d27bcb1adebefdfb8962c0c14240b7a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit