hxxps://iqconnect[.]lmhostediq[.]com/iqextranet/iqClickTrk[.]aspx?&cid=PA16LS&crop=0000[.]0000[.]0000[.]0000&report_id=&redirect=https%3A%2F%2Fdivineproperties[.]com[.]au%2Fnew%2Fauth%2F%3Fuserid%3Drichard[.]ratter@domo[.]org

Analysis

max time kernel
93s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2023, 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://iqconnect.lmhostediq.com/iqextranet/iqClickTrk.aspx?&cid=PA16LS&crop=0000.0000.0000.0000&report_id=&redirect=https%3A%2F%2Fdivineproperties.com.au%2Fnew%2Fauth%2F%3Fuserid%[email protected]

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4304	powershell.exe
4304	powershell.exe
4268	msedge.exe
4268	msedge.exe
3356	msedge.exe
3356	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3356	msedge.exe
3356	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4304	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3356 wrote to memory of 3044	3356	msedge.exe	100
PID 3356 wrote to memory of 3044	3356	msedge.exe	100
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4328	3356	msedge.exe	101
PID 3356 wrote to memory of 4268	3356	msedge.exe	102
PID 3356 wrote to memory of 4268	3356	msedge.exe	102
PID 3356 wrote to memory of 4692	3356	msedge.exe	103
PID 3356 wrote to memory of 4692	3356	msedge.exe	103
PID 3356 wrote to memory of 4692	3356	msedge.exe	103
PID 3356 wrote to memory of 4692	3356	msedge.exe	103
PID 3356 wrote to memory of 4692	3356	msedge.exe	103
PID 3356 wrote to memory of 4692	3356	msedge.exe	103
PID 3356 wrote to memory of 4692	3356	msedge.exe	103
PID 3356 wrote to memory of 4692	3356	msedge.exe	103
PID 3356 wrote to memory of 4692	3356	msedge.exe	103
PID 3356 wrote to memory of 4692	3356	msedge.exe	103
PID 3356 wrote to memory of 4692	3356	msedge.exe	103
PID 3356 wrote to memory of 4692	3356	msedge.exe	103
PID 3356 wrote to memory of 4692	3356	msedge.exe	103
PID 3356 wrote to memory of 4692	3356	msedge.exe	103
PID 3356 wrote to memory of 4692	3356	msedge.exe	103
PID 3356 wrote to memory of 4692	3356	msedge.exe	103
PID 3356 wrote to memory of 4692	3356	msedge.exe	103
PID 3356 wrote to memory of 4692	3356	msedge.exe	103
PID 3356 wrote to memory of 4692	3356	msedge.exe	103
PID 3356 wrote to memory of 4692	3356	msedge.exe	103

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start shell:Appsfolder\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge https://iqconnect.lmhostediq.com/iqextranet/iqClickTrk.aspx?&cid=PA16LS&crop=0000.0000.0000.0000&report_id=&redirect=https%3A%2F%2Fdivineproperties.com.au%2Fnew%2Fauth%2F%3Fuserid%[email protected]
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff902bb46f8,0x7ff902bb4708,0x7ff902bb4718
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,8425674548698578856,14408106818850162215,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2
  2⤵
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,8425674548698578856,14408106818850162215,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,8425674548698578856,14408106818850162215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,8425674548698578856,14408106818850162215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,8425674548698578856,14408106818850162215,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
  2⤵
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,8425674548698578856,14408106818850162215,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,8425674548698578856,14408106818850162215,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:4468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8411007bafe7b1182af1ad3a1809b4f8

SHA1
4a78ee0762aadd53accae8bb211b8b18dc602070

SHA256
1f274d0d144942d00e43fb94f9c27fc91c68dce50cd374ac6be4472b08215ca3

SHA512
909e2e33b7614cb8bbd14e0dfff1b7f98f4abbf735f88292546ce3bfa665e4cb5ee4418561004e56afc5dd30d21483b05f6358dad5624c0dc3ab1ba9a3be18eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7f2e724050964e89416e5e8673302b6e

SHA1
96685d075d6b2ca408c89e4ff2e655ab10a0b807

SHA256
edf616defb7e35ee598ae066b6b572f77ca9ed6a5822d1c3e7205c93a5b6315d

SHA512
0084eefd053fe8de3846148183b15c512362f1910e2e76e1bcde86ef790eb9e9a6b115a7d9e116a57a11e8b0820ad33950e5177c8c1be4ecbe3d12ab77b45ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fg3retpe.5m5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4304-135-0x0000023BA89E0000-0x0000023BA8A02000-memory.dmp

Filesize
136KB

Download
memory/4304-143-0x0000023BA67F0000-0x0000023BA6800000-memory.dmp

Filesize
64KB

Download
memory/4304-144-0x0000023BA67F0000-0x0000023BA6800000-memory.dmp

Filesize
64KB

Download
memory/4304-145-0x0000023BA67F0000-0x0000023BA6800000-memory.dmp

Filesize
64KB

Download