hxxps://new[.]express[.]adobe[.]com/webpage/4JWB1jSaQL83i

Analysis

max time kernel
146s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
31-08-2023 21:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://new.express.adobe.com/webpage/4JWB1jSaQL83i

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4772	msedge.exe
4772	msedge.exe
228	msedge.exe
228	msedge.exe
4964	identity_helper.exe
4964	identity_helper.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 2176	228	msedge.exe	57
PID 228 wrote to memory of 2176	228	msedge.exe	57
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4568	228	msedge.exe	85
PID 228 wrote to memory of 4772	228	msedge.exe	84
PID 228 wrote to memory of 4772	228	msedge.exe	84
PID 228 wrote to memory of 3020	228	msedge.exe	83
PID 228 wrote to memory of 3020	228	msedge.exe	83
PID 228 wrote to memory of 3020	228	msedge.exe	83
PID 228 wrote to memory of 3020	228	msedge.exe	83
PID 228 wrote to memory of 3020	228	msedge.exe	83
PID 228 wrote to memory of 3020	228	msedge.exe	83
PID 228 wrote to memory of 3020	228	msedge.exe	83
PID 228 wrote to memory of 3020	228	msedge.exe	83
PID 228 wrote to memory of 3020	228	msedge.exe	83
PID 228 wrote to memory of 3020	228	msedge.exe	83
PID 228 wrote to memory of 3020	228	msedge.exe	83
PID 228 wrote to memory of 3020	228	msedge.exe	83
PID 228 wrote to memory of 3020	228	msedge.exe	83
PID 228 wrote to memory of 3020	228	msedge.exe	83
PID 228 wrote to memory of 3020	228	msedge.exe	83
PID 228 wrote to memory of 3020	228	msedge.exe	83
PID 228 wrote to memory of 3020	228	msedge.exe	83
PID 228 wrote to memory of 3020	228	msedge.exe	83
PID 228 wrote to memory of 3020	228	msedge.exe	83
PID 228 wrote to memory of 3020	228	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://new.express.adobe.com/webpage/4JWB1jSaQL83i
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffdd4f146f8,0x7ffdd4f14708,0x7ffdd4f14718
  2⤵
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1784,13048941002905910319,8387228234909248045,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1784,13048941002905910319,8387228234909248045,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1784,13048941002905910319,8387228234909248045,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,13048941002905910319,8387228234909248045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,13048941002905910319,8387228234909248045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1784,13048941002905910319,8387228234909248045,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4584 /prefetch:8
  2⤵
  PID:368
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1784,13048941002905910319,8387228234909248045,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4584 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,13048941002905910319,8387228234909248045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,13048941002905910319,8387228234909248045,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,13048941002905910319,8387228234909248045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,13048941002905910319,8387228234909248045,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1784,13048941002905910319,8387228234909248045,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1816

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b5f5369274e3bfbc449588bbb57bd383

SHA1
58bb46d57bd70c1c0bcbad619353cbe185f34c3b

SHA256
4190bd2ec2c0c65a2b8b97782cd3ae1d6cead80242f3595f06ebc6648c3e3464

SHA512
04a3816af6c5a335cde99d97019a3f68ade65eba70e4667c4d7dd78f78910481549f1dad23a46ccf9efa2e25c6e7a7c78c592b6ace951e1aab106ba06a10fcd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
fb575862e916b42c982365c97ede9bf9

SHA1
8a72579e0fce01a75ec0c33b498f2740c368cf4e

SHA256
71888a738d9c8694a087b4674b22dea4ce9d7146775daae22ece2023b732d14f

SHA512
1186af64e83f5dc10c54f66ebc2c5b61317b96e028d40de61c8e3832946bb8ee0c4f9898ae2d0a481fbec3307337da4074eb6e4768a03b454c56c921ddc35010

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
262B

MD5
33732d35286d381d3b5523c0b4b74d2c

SHA1
cdc358c749b00db0c8ad2602eb017f4de08876c7

SHA256
6fa77e0286b0ef536ad91a79e9e491fd96a6dbe6c3472344c4a2656ce1461edd

SHA512
ec05b763226c3ac35629c01072a524d1a15fedb370cfbf6405bd3d7fb706253c26984acda053dd3301e2d4f7adef115f19ba892e42d0bef2e3fcf3dc4b907b08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7de1224555654318bf4d27e83d44d2c7

SHA1
28508aa48670f7a8e277eac3865a3eadd6bf3861

SHA256
3e3f200f5418202c78f01b4d332878480574310582e074ba16940e58501148ff

SHA512
2a8a77ae9b5cb7fbaaf71b1f8b3ec28b5fb1b703ed6037dc7584f27e1ea4d3139a2eb8b4f7379b71ea0692e58e64bbd9cb24b9d05f7dddc8446e84e1a289947b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9fb5fd2782e1e52143a2d3d496796685

SHA1
54a28b9e0619947710cec7f4df82e519e86e7242

SHA256
b7d413208e059c3248d19c94d866a397cae14eebbd801027a5efbfeb88ff0683

SHA512
f5c684ad392e3a81e379639b549e09145cbc6b337fe2bbfa19299384bdd641d2849566eeb239d2423fc8dd761470b79fbeac902f303bc6abb485c9563ef89cb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8bc309528696e85c230dfbf1abc281e2

SHA1
6d6a7ba6ca5fb6e722b6c310da1bbbc1e5ee5fc2

SHA256
dbe4a9f409c4cf7b6e980ad19def47b73f4dd88321833305ad62a77d5f6b4c76

SHA512
507be22e9d30cd0d7baebe9f0eaf70dd46c2459c5e24759c112aba06f25c7407818d9008a1627a88b0075a258eacaa47d17742f55e52ff26080316ae9afc82fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
29213338df67d29d6454ee5d61ad3970

SHA1
8c69ca76a2e639060d5ce835a9600e6ea3764a83

SHA256
d29fc0d97fa74d382d0f557ecea4e42b7d50dbce43915bfc0c114c16e532aa51

SHA512
14db25eba8a863d390b97fce4315402ed7c249598ff6c31d5a191b0f71c274eead42ba0658403e744110de072e6ff1cac3bccee1e48875bde6b1fe39a60d2407

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f0c4d147b361b7940f69d01b644f2c71

SHA1
6d56c4653c535b767ccd6c0c6cc4975ccb57e4ef

SHA256
07a7a5ab303cd79ec786d4d5e64ee646bd3bb4fae93148d7225c58e4ca4d7844

SHA512
3656463a28b0e50ea4ff28cabe16dd95ac612a9cb12fc8bd3e378071f06cba347d47bb5214d21e43eb3b48134b20a5678ee51936a08f835a8b4d8c662134a1a3

Download Submit