hxxp://edgeapi[.]slack[.]com

Analysis

max time kernel
174s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2023, 21:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://edgeapi.slack.com

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "387332969"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c884d0db6b01394f84d012a5eedc1d2d00000000020000000000106600000001000020000000234ad46615d4278de00f54ca62ace30c061367424553bad74c5ea34a69ae6fc3000000000e8000000002000020000000d9c1754c61dc9749f11773bd246fc1fcf1f3aa2691d0cb956df061b56731840820000000bdb2572562e819fba11bf7ca8b9570240abb46dac1511c971f1a4aec8f73e73840000000eb1e6052ad43cc71b7eaa591fc5cdffe3842cebda29ca92d3bb0fb4071297357799f095c77db0381cd131ce1400173fdf6615e74757cf47f0276a3ab57457f53	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 105cc9658c66d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{50E84CDA-D27F-11ED-B7D7-6E21A4042E2D} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1013461898-3711306144-4198452673-1000\{03F8CCC5-D264-4AC7-8EAA-AFF15EEEC2C6}	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1916	iexplore.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1988	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1988	IEXPLORE.EXE
Token: SeShutdownPrivilege	1988	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1988	IEXPLORE.EXE
Token: SeShutdownPrivilege	1988	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1988	IEXPLORE.EXE
Token: SeShutdownPrivilege	1988	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1988	IEXPLORE.EXE
Token: SeShutdownPrivilege	1988	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1988	IEXPLORE.EXE
Token: SeShutdownPrivilege	1988	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1988	IEXPLORE.EXE
Token: SeShutdownPrivilege	1988	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1988	IEXPLORE.EXE
Token: SeShutdownPrivilege	1988	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1988	IEXPLORE.EXE
Token: SeShutdownPrivilege	1988	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1988	IEXPLORE.EXE
Token: SeShutdownPrivilege	1988	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1988	IEXPLORE.EXE
Token: SeShutdownPrivilege	1988	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1988	IEXPLORE.EXE
Token: 33	3700	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3700	AUDIODG.EXE
Token: 33	1988	IEXPLORE.EXE
Token: SeIncBasePriorityPrivilege	1988	IEXPLORE.EXE
Token: SeShutdownPrivilege	1988	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1988	IEXPLORE.EXE
Token: SeShutdownPrivilege	1988	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1988	IEXPLORE.EXE
Token: SeShutdownPrivilege	1988	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1988	IEXPLORE.EXE
Token: SeShutdownPrivilege	1988	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1988	IEXPLORE.EXE
Token: SeShutdownPrivilege	1988	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1988	IEXPLORE.EXE
Token: SeShutdownPrivilege	1988	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1988	IEXPLORE.EXE
Token: SeShutdownPrivilege	1988	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1988	IEXPLORE.EXE
Token: SeShutdownPrivilege	1988	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1988	IEXPLORE.EXE
Token: SeShutdownPrivilege	1988	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1988	IEXPLORE.EXE
Token: SeShutdownPrivilege	1988	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1988	IEXPLORE.EXE
Token: SeShutdownPrivilege	1988	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1988	IEXPLORE.EXE
Token: SeShutdownPrivilege	1988	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1988	IEXPLORE.EXE
Token: SeShutdownPrivilege	1988	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1988	IEXPLORE.EXE
Token: SeShutdownPrivilege	1988	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1988	IEXPLORE.EXE
Token: SeShutdownPrivilege	1988	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1988	IEXPLORE.EXE
Token: SeShutdownPrivilege	1988	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1988	IEXPLORE.EXE
Token: SeShutdownPrivilege	1988	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1988	IEXPLORE.EXE
Token: SeShutdownPrivilege	1988	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1988	IEXPLORE.EXE
Token: SeShutdownPrivilege	1988	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1988	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1916	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1916	iexplore.exe
1916	iexplore.exe
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 1988	1916	iexplore.exe	84
PID 1916 wrote to memory of 1988	1916	iexplore.exe	84
PID 1916 wrote to memory of 1988	1916	iexplore.exe	84

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://edgeapi.slack.com
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1916 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1988

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b0 0x33c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F

Filesize
7KB

MD5
dd50a5d6139e6d8b6992797ccd04818a

SHA1
7350c9c059d598c83af220ca6d30f1b13540cfa0

SHA256
b117851f48442b165516bc5b29d58ba0efac8b73ea78bfa676d43be87d9d5df3

SHA512
273265d2df03adf0284203a021f2f1f1d13d7b3e3154a7837d8112a27db591bda198f074ce9d2ca743c400a2c90b180b4f0be03fb950c8d342624a7590aab976

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F

Filesize
232B

MD5
049ee589c56a7f3fb70f0f4089a7dd0c

SHA1
af80bf6be5592260d6258fc32f0940fcdf1c1416

SHA256
4e35275271f3cdb1b4a32a40b6bdf9d53bc4979d9a9dc0ef2d6cfa476c485173

SHA512
f4c924535df71710db97ba323c67788fc447eda9427989af1d5a48031be19314e0c0472ef6a7f15716f7be18a3049153dcba09ceff80d7efbf0f61a80f83771d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\9afmek3\imagestore.dat

Filesize
1KB

MD5
43dabb03a98e50484982905bb4b94e58

SHA1
75598fc9ded2753a0e2e6c3e4d4391cd0d3c6a79

SHA256
84fa66cd7099105c83a142ddf384ff589048daf169ff8802b45664f6a2164eea

SHA512
edfabf67c18c3ae821a137bfde72d6c7f431483d0e3a63be35a473b4e1639c354d5933cd804ee65b53e79d6e9fbb238f1c3acd052d8e0d80600fe5252033c1b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0P80TOLA\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G1ORIWBN\favicon-32-ua[1].png

Filesize
1KB

MD5
4d93fee05ad86462c5af801dae6b8d7f

SHA1
0d1a4ad2274e00123f146e04e25d300cde546a4b

SHA256
b064e0d943b3ebf1b2106fc898ef98168bc4ac3787e296822796863c8e907082

SHA512
20c61ccb2a7b8201214ba35c09329472a13ffb29b4eb37df63a01e2027488e1ff59098e60cd01133887658b91071a71636f1c368907dfde8055347c87ebb4343

Download Submit