b3b7988c680cffa16b1f6d3606c912c8f0db03332952b7af0c943c7f540ca6ce

Analysis

max time kernel
56s
max time network
43s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
21-07-2023 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a.html
Size

1KB
MD5

4167400a9f05626135f3c3275e0f37a4
SHA1

7a3db52797aee25bcb48956092c1685acdf62133
SHA256

b3b7988c680cffa16b1f6d3606c912c8f0db03332952b7af0c943c7f540ca6ce
SHA512

56ba2e1f6df805882007f25d5e1d8f617f814a360ee71190cdf64f16cd5a97b8862ab6c3424a835f2d917b9958eae0aef75f24d3b1fb9239e06270eb1ef6ed70

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3829149121\806280961.pri	PickerHost.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{337766A1-F33D-4523-96EE-4D97D47EC25	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	PickerHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000d821440f3a99df500a7fec3d8de957951856cf566e0cec1077f5fca56516c51fa01fec3de1bfa85d14abcdf94dd50ae72373524ef19fb0a4cd07	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	PickerHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	PickerHost.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	PickerHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = a05eed4405d5d901	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 1b6dedf6bfbbd901	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	PickerHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	PickerHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{337766A1-F33D-4523-96EE-4D97D47EC25 = "8320"	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	PickerHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	PickerHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	PickerHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	PickerHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Rating Prompt Shown = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = c02e86e4bfbbd901	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\H-4007-8200-03-A_ProductivityPlusCNC_ds_en.pdf.hrhwhqz.partial:Zone.Identifier	browser_broker.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1580	MicrosoftEdgeCP.exe
1580	MicrosoftEdgeCP.exe
1580	MicrosoftEdgeCP.exe
1580	MicrosoftEdgeCP.exe
1580	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1404	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1404	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1404	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1404	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3824	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3824	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3824	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3824	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2428	MicrosoftEdge.exe
Token: SeDebugPrivilege	2428	MicrosoftEdge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2428	MicrosoftEdge.exe
1580	MicrosoftEdgeCP.exe
1404	MicrosoftEdgeCP.exe
1580	MicrosoftEdgeCP.exe
4276	PickerHost.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 3824	1580	MicrosoftEdgeCP.exe	74
PID 1580 wrote to memory of 3824	1580	MicrosoftEdgeCP.exe	74
PID 1580 wrote to memory of 3824	1580	MicrosoftEdgeCP.exe	74
PID 1580 wrote to memory of 3824	1580	MicrosoftEdgeCP.exe	74
PID 1580 wrote to memory of 1520	1580	MicrosoftEdgeCP.exe	75
PID 1580 wrote to memory of 1520	1580	MicrosoftEdgeCP.exe	75
PID 1580 wrote to memory of 1520	1580	MicrosoftEdgeCP.exe	75
PID 1580 wrote to memory of 1520	1580	MicrosoftEdgeCP.exe	75
PID 1580 wrote to memory of 1520	1580	MicrosoftEdgeCP.exe	75
PID 1580 wrote to memory of 1520	1580	MicrosoftEdgeCP.exe	75
PID 1580 wrote to memory of 1520	1580	MicrosoftEdgeCP.exe	75
PID 1580 wrote to memory of 1520	1580	MicrosoftEdgeCP.exe	75
PID 1580 wrote to memory of 1520	1580	MicrosoftEdgeCP.exe	75
PID 1580 wrote to memory of 1520	1580	MicrosoftEdgeCP.exe	75
PID 1580 wrote to memory of 1520	1580	MicrosoftEdgeCP.exe	75
PID 1580 wrote to memory of 1520	1580	MicrosoftEdgeCP.exe	75
PID 1580 wrote to memory of 1520	1580	MicrosoftEdgeCP.exe	75
PID 1580 wrote to memory of 1520	1580	MicrosoftEdgeCP.exe	75
PID 1580 wrote to memory of 1520	1580	MicrosoftEdgeCP.exe	75
PID 1580 wrote to memory of 1520	1580	MicrosoftEdgeCP.exe	75
PID 1580 wrote to memory of 1520	1580	MicrosoftEdgeCP.exe	75
PID 1580 wrote to memory of 1520	1580	MicrosoftEdgeCP.exe	75
PID 1580 wrote to memory of 1520	1580	MicrosoftEdgeCP.exe	75
PID 1580 wrote to memory of 1520	1580	MicrosoftEdgeCP.exe	75
PID 1580 wrote to memory of 1520	1580	MicrosoftEdgeCP.exe	75
PID 1580 wrote to memory of 1520	1580	MicrosoftEdgeCP.exe	75
PID 1580 wrote to memory of 1520	1580	MicrosoftEdgeCP.exe	75
PID 1580 wrote to memory of 1520	1580	MicrosoftEdgeCP.exe	75
PID 1580 wrote to memory of 1520	1580	MicrosoftEdgeCP.exe	75
PID 1580 wrote to memory of 1520	1580	MicrosoftEdgeCP.exe	75
PID 1580 wrote to memory of 1520	1580	MicrosoftEdgeCP.exe	75
PID 1580 wrote to memory of 1520	1580	MicrosoftEdgeCP.exe	75
PID 1580 wrote to memory of 1520	1580	MicrosoftEdgeCP.exe	75
PID 1580 wrote to memory of 1520	1580	MicrosoftEdgeCP.exe	75
PID 1580 wrote to memory of 1520	1580	MicrosoftEdgeCP.exe	75
PID 1580 wrote to memory of 1520	1580	MicrosoftEdgeCP.exe	75
PID 1580 wrote to memory of 1520	1580	MicrosoftEdgeCP.exe	75
PID 1580 wrote to memory of 1520	1580	MicrosoftEdgeCP.exe	75
PID 1580 wrote to memory of 1520	1580	MicrosoftEdgeCP.exe	75
PID 1580 wrote to memory of 1520	1580	MicrosoftEdgeCP.exe	75
PID 1580 wrote to memory of 1520	1580	MicrosoftEdgeCP.exe	75

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "C:\Users\Admin\AppData\Local\Temp\a.html"
1⤵
PID:540

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2428

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
PID:2988

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1404

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3824

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:1520

C:\Windows\System32\PickerHost.exe
C:\Windows\System32\PickerHost.exe -Embedding
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\R7LFADWO\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\ARBAX19M\H-4007-8200-03-A_ProductivityPlusCNC_ds_en[1].pdf

Filesize
851KB

MD5
f34dff9bd288b4fb6cb8aa2e0587d32b

SHA1
ecd9820e932b6d87f53963f004be1019d3be2b7f

SHA256
40bf2d87a16844a2768f9eb419dba1d38118bcac292eae395fb4111bd42f9d39

SHA512
0bbe4378ef4a5cf55e1ffb87b409e717ff51bd58e8d31b155d2e85d97ebf21fd64fc8b4ae0008af63a8c50fed9284715ccc47b6880ef9e8e1f9ea72d911c2391

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\H-4007-8200-03-A_ProductivityPlusCNC_ds_en.pdf

Filesize
851KB

MD5
f34dff9bd288b4fb6cb8aa2e0587d32b

SHA1
ecd9820e932b6d87f53963f004be1019d3be2b7f

SHA256
40bf2d87a16844a2768f9eb419dba1d38118bcac292eae395fb4111bd42f9d39

SHA512
0bbe4378ef4a5cf55e1ffb87b409e717ff51bd58e8d31b155d2e85d97ebf21fd64fc8b4ae0008af63a8c50fed9284715ccc47b6880ef9e8e1f9ea72d911c2391

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\H-4007-8200-03-A_ProductivityPlusCNC_ds_en.pdf.hrhwhqz.partial

Filesize
851KB

MD5
f34dff9bd288b4fb6cb8aa2e0587d32b

SHA1
ecd9820e932b6d87f53963f004be1019d3be2b7f

SHA256
40bf2d87a16844a2768f9eb419dba1d38118bcac292eae395fb4111bd42f9d39

SHA512
0bbe4378ef4a5cf55e1ffb87b409e717ff51bd58e8d31b155d2e85d97ebf21fd64fc8b4ae0008af63a8c50fed9284715ccc47b6880ef9e8e1f9ea72d911c2391

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\ARBAX19M\H-4007-8200-03-A_ProductivityPlusCNC_ds_en[1].pdf

Filesize
640KB

MD5
96dee2c73e89b33126f1038fc1ffc8df

SHA1
1697b2db867393f0d6c04403c995cb724bc00ff7

SHA256
b8a5f1003dd24786067b8541a8a71ab32c8e52a372df05769d303e77a798a2e8

SHA512
5bd2d2c125223c2e160b992fcfc13ea5655e03b526271312ec73794a0423d8a2d68bff7f7dd7dd2f50a2ec6ec2fba1d19a06ca984850771c91ff2f3a4143b143

Download Submit
memory/1520-256-0x000002B2E3120000-0x000002B2E3122000-memory.dmp

Filesize
8KB

Download
memory/1520-250-0x000002B2E33D0000-0x000002B2E33D2000-memory.dmp

Filesize
8KB

Download
memory/1520-272-0x000002B2E4700000-0x000002B2E4702000-memory.dmp

Filesize
8KB

Download
memory/1520-270-0x000002B2E46F0000-0x000002B2E46FB000-memory.dmp

Filesize
44KB

Download
memory/1520-268-0x000002B2E36B0000-0x000002B2E36B2000-memory.dmp

Filesize
8KB

Download
memory/1520-264-0x000002B2E3670000-0x000002B2E3672000-memory.dmp

Filesize
8KB

Download
memory/1520-234-0x000002B2E3810000-0x000002B2E3812000-memory.dmp

Filesize
8KB

Download
memory/1520-232-0x000002B2E36F0000-0x000002B2E36F2000-memory.dmp

Filesize
8KB

Download
memory/1520-230-0x000002B2E36E0000-0x000002B2E36E2000-memory.dmp

Filesize
8KB

Download
memory/1520-228-0x000002B2E2FF0000-0x000002B2E2FF2000-memory.dmp

Filesize
8KB

Download
memory/1520-236-0x000002B2E4310000-0x000002B2E4316000-memory.dmp

Filesize
24KB

Download
memory/1520-238-0x000002B2E43D0000-0x000002B2E43D2000-memory.dmp

Filesize
8KB

Download
memory/1520-240-0x000002B2E33E0000-0x000002B2E33E2000-memory.dmp

Filesize
8KB

Download
memory/1520-262-0x000002B2E32B0000-0x000002B2E32B2000-memory.dmp

Filesize
8KB

Download
memory/1520-252-0x000002B2E3CE0000-0x000002B2E3CE2000-memory.dmp

Filesize
8KB

Download
memory/1520-254-0x000002B2E3110000-0x000002B2E3112000-memory.dmp

Filesize
8KB

Download
memory/1520-260-0x000002B2E3140000-0x000002B2E3142000-memory.dmp

Filesize
8KB

Download
memory/1520-258-0x000002B2E3130000-0x000002B2E3132000-memory.dmp

Filesize
8KB

Download
memory/2428-117-0x000002997AB20000-0x000002997AB30000-memory.dmp

Filesize
64KB

Download
memory/2428-152-0x000002997AED0000-0x000002997AED2000-memory.dmp

Filesize
8KB

Download
memory/2428-133-0x000002997AD20000-0x000002997AD30000-memory.dmp

Filesize
64KB

Download
memory/3824-176-0x000001F711650000-0x000001F711652000-memory.dmp

Filesize
8KB

Download
memory/3824-172-0x000001F711570000-0x000001F711572000-memory.dmp

Filesize
8KB

Download
memory/3824-174-0x000001F711590000-0x000001F711592000-memory.dmp

Filesize
8KB

Download
memory/3824-196-0x000001F711900000-0x000001F711902000-memory.dmp

Filesize
8KB

Download