hxxps://new[.]express[.]adobe[.]com/webpage/k0zDjocPd6qgF

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2023, 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://new.express.adobe.com/webpage/k0zDjocPd6qgF

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4348	msedge.exe
4348	msedge.exe
4176	msedge.exe
4176	msedge.exe
5072	identity_helper.exe
5072	identity_helper.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4176 wrote to memory of 1840	4176	msedge.exe	74
PID 4176 wrote to memory of 1840	4176	msedge.exe	74
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 3056	4176	msedge.exe	86
PID 4176 wrote to memory of 4348	4176	msedge.exe	87
PID 4176 wrote to memory of 4348	4176	msedge.exe	87
PID 4176 wrote to memory of 1148	4176	msedge.exe	88
PID 4176 wrote to memory of 1148	4176	msedge.exe	88
PID 4176 wrote to memory of 1148	4176	msedge.exe	88
PID 4176 wrote to memory of 1148	4176	msedge.exe	88
PID 4176 wrote to memory of 1148	4176	msedge.exe	88
PID 4176 wrote to memory of 1148	4176	msedge.exe	88
PID 4176 wrote to memory of 1148	4176	msedge.exe	88
PID 4176 wrote to memory of 1148	4176	msedge.exe	88
PID 4176 wrote to memory of 1148	4176	msedge.exe	88
PID 4176 wrote to memory of 1148	4176	msedge.exe	88
PID 4176 wrote to memory of 1148	4176	msedge.exe	88
PID 4176 wrote to memory of 1148	4176	msedge.exe	88
PID 4176 wrote to memory of 1148	4176	msedge.exe	88
PID 4176 wrote to memory of 1148	4176	msedge.exe	88
PID 4176 wrote to memory of 1148	4176	msedge.exe	88
PID 4176 wrote to memory of 1148	4176	msedge.exe	88
PID 4176 wrote to memory of 1148	4176	msedge.exe	88
PID 4176 wrote to memory of 1148	4176	msedge.exe	88
PID 4176 wrote to memory of 1148	4176	msedge.exe	88
PID 4176 wrote to memory of 1148	4176	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://new.express.adobe.com/webpage/k0zDjocPd6qgF
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe781946f8,0x7ffe78194708,0x7ffe78194718
  2⤵
  PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,11236017971698406090,12211471637539234747,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,11236017971698406090,12211471637539234747,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,11236017971698406090,12211471637539234747,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  2⤵
  PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11236017971698406090,12211471637539234747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:4232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11236017971698406090,12211471637539234747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,11236017971698406090,12211471637539234747,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,11236017971698406090,12211471637539234747,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11236017971698406090,12211471637539234747,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11236017971698406090,12211471637539234747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11236017971698406090,12211471637539234747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11236017971698406090,12211471637539234747,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,11236017971698406090,12211471637539234747,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4576 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2256

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4aab618ef3d86f2fbf808c4ac50ab083

SHA1
3f794d5499a16d7048809b46589984a065164ed0

SHA256
4971c4c535809b9ffe1b1d9b22e7d9ade38d51a4406def14c54708a87c2e4dc2

SHA512
21adbdb317cb85cbcb370003a09fa6f75fd8ba65b4453d33f6f3abd6449c9c0ce97a9480fd5c058885a264364b2c00e7979a7bd285b76b296c56f85e207babeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
4898e995ff290bcb01b423d53b441cd7

SHA1
15a47532c14c8d826260db7c045747f29bc62a13

SHA256
f8265ef2b1a17e8821f0aa5159ad6405f2eb03b99e41091132a54de3d36757fa

SHA512
8e347821c45d7738183e60acde903efa610a99bb1dd45464aeefe106d91380bb27c799f888c71b7476f3a8910d30e6e60cccb8f18a453700409d154ba8833b02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
333B

MD5
e5837cb3f4b626d28d1d82fc7199c9df

SHA1
ad444fcc3396b5d8eb567fa47f9a8a2a12164c43

SHA256
fcb1bf1bcfb891b593694fcb613005ccf5fe4c67c06738ec1d59bab2c120f4fc

SHA512
a73d4dc850c77c35f62a7e6fd795568de8a75873ac0f2e48274ce4fe545080c9df8adde439d040eff01ef80b7c56a775f057887f1f96d2d57074915337967d52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8ad042ea918864a840a5e7895eb8edc6

SHA1
6612215b0b91c3accd847266b450d4228d0d9d33

SHA256
d6a5a5917000371132947a41f5085004f4bd178f83cd917f3ece41a80007c3ee

SHA512
f8639249fd53c28bdb9694ef81161cdc8da1411c9ac639aa50118b8e8c9f6f40f53f3657b02db3fc343e2de58f7eaf7176a72984bb74d0714afa70eddb7a39c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
96e96d7f9c6861aa89275d1cbf9a8819

SHA1
96d7c67e842b3a756d24e98b10fbf3d5f9fbe2ff

SHA256
ffe3f975d6a09fe31c09413cac73b7ba65ddc1ab9cf5084574c604932655614c

SHA512
1f0dc7959d0c84d78e57decee415a33fbda165b6b8be087126c45e4d28898258abd0db7faa5f927af6b6f0ba2e7a13c4f2ae3ac6232fc9e1c204e15293a0dc21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
7caf65193db27a3b881dfb25b62ce529

SHA1
304e35e18f36b79acae60f4a426f0ab861a651b5

SHA256
eaa4cdd8c166fc998235daec7bdc3fc2a9ef1e2207be2f4eabb8fbb564ead890

SHA512
96231ea6ea8f879e0d2f48fd7bca3480ef78df283d135a1f631faf701215c4d9477b1a8eb59a24b8f08d060b71e250e04deaf49ea08758993b77199a6bc5cd69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
65a6c162197d802308a981bf89795bae

SHA1
7f2ba2d46df0de3ad32469b626569cf341c6ec3a

SHA256
dc6b273009b0858735080c32711cd70f74fdf12ea1983d1428004335e85e7fe9

SHA512
f625f7e3a6e855db64d6d1ad68d859221c5abb5796d515383a9c859b3a028facabf4a056f2313ac313130143d77f1e881587b82348e354e0f3e681a7d3928aaf

Download Submit