hxxps://new[.]express[.]adobe[.]com/webpage/HVS3X2FTDYKwJ

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2023, 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://new.express.adobe.com/webpage/HVS3X2FTDYKwJ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3876	msedge.exe
3876	msedge.exe
3604	msedge.exe
3604	msedge.exe
3400	identity_helper.exe
3400	identity_helper.exe
5520	msedge.exe
5520	msedge.exe
5520	msedge.exe
5520	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	5988	svchost.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 556	3604	msedge.exe	45
PID 3604 wrote to memory of 556	3604	msedge.exe	45
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3852	3604	msedge.exe	87
PID 3604 wrote to memory of 3876	3604	msedge.exe	85
PID 3604 wrote to memory of 3876	3604	msedge.exe	85
PID 3604 wrote to memory of 3864	3604	msedge.exe	88
PID 3604 wrote to memory of 3864	3604	msedge.exe	88
PID 3604 wrote to memory of 3864	3604	msedge.exe	88
PID 3604 wrote to memory of 3864	3604	msedge.exe	88
PID 3604 wrote to memory of 3864	3604	msedge.exe	88
PID 3604 wrote to memory of 3864	3604	msedge.exe	88
PID 3604 wrote to memory of 3864	3604	msedge.exe	88
PID 3604 wrote to memory of 3864	3604	msedge.exe	88
PID 3604 wrote to memory of 3864	3604	msedge.exe	88
PID 3604 wrote to memory of 3864	3604	msedge.exe	88
PID 3604 wrote to memory of 3864	3604	msedge.exe	88
PID 3604 wrote to memory of 3864	3604	msedge.exe	88
PID 3604 wrote to memory of 3864	3604	msedge.exe	88
PID 3604 wrote to memory of 3864	3604	msedge.exe	88
PID 3604 wrote to memory of 3864	3604	msedge.exe	88
PID 3604 wrote to memory of 3864	3604	msedge.exe	88
PID 3604 wrote to memory of 3864	3604	msedge.exe	88
PID 3604 wrote to memory of 3864	3604	msedge.exe	88
PID 3604 wrote to memory of 3864	3604	msedge.exe	88
PID 3604 wrote to memory of 3864	3604	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://new.express.adobe.com/webpage/HVS3X2FTDYKwJ
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6c4546f8,0x7ffa6c454708,0x7ffa6c454718
  2⤵
  PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,11520484941645127962,16552588285321944310,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,11520484941645127962,16552588285321944310,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,11520484941645127962,16552588285321944310,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:8
  2⤵
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11520484941645127962,16552588285321944310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:4236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11520484941645127962,16552588285321944310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,11520484941645127962,16552588285321944310,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,11520484941645127962,16552588285321944310,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11520484941645127962,16552588285321944310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11520484941645127962,16552588285321944310,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11520484941645127962,16552588285321944310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11520484941645127962,16552588285321944310,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,11520484941645127962,16552588285321944310,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5724 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2168

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4352

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bf009481892dd0d1c49db97428428ede

SHA1
aee4e7e213f6332c1629a701b42335eb1a035c66

SHA256
18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4

SHA512
d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
a1392a1966a1889dc7b7dd0997cd3129

SHA1
abf88e32c7c04c8aa4821a4d987209db2f45fb2a

SHA256
f055709153c94eacea1e6b5a4d7dcfd986e8c7f7ff3e6c2ea297e4292ccfad48

SHA512
149f47a3550d73842bb483dc104dfe9c76c44989e492a2e1357ad2c7a7a4bd7d3ad0560b280d37afdd211013f40f4b2990e770c3cacb153f2e8370eb4bb9932a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
333B

MD5
e5837cb3f4b626d28d1d82fc7199c9df

SHA1
ad444fcc3396b5d8eb567fa47f9a8a2a12164c43

SHA256
fcb1bf1bcfb891b593694fcb613005ccf5fe4c67c06738ec1d59bab2c120f4fc

SHA512
a73d4dc850c77c35f62a7e6fd795568de8a75873ac0f2e48274ce4fe545080c9df8adde439d040eff01ef80b7c56a775f057887f1f96d2d57074915337967d52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3c3d460c2c08214727ad2ac3a0bb7e86

SHA1
0852da368a58704f258f3030749e15dfc280dfdd

SHA256
f03676bbdc0c7b11af103c7dd496f623d528b13cc9f81699c62e1ac014d9d577

SHA512
60472e8251f66abe7c2ff91fb28fe6a135c48cc5292030f3a8eeb0b1eaa601a85f256a96f1ff2443cecf7ab3ed1777ea45400bae4f56c708f19cd1e12548be90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7d32fdac6eef59923f057425415a7981

SHA1
b1ae0cabaa1960c6efdf55b97e2f6025c4e8546c

SHA256
0a705b0ba1d2a98c6b5636583b2c453e787f39d6ea4fadae4cf7e70ca7a9837e

SHA512
5c6e3e399beffc31af7b1cfd90d8aab4213c6a3883f152fefe857a94ff90b52d11fd966e69c8dd6aed426fef6c2d493df62a77833f8389087dcee795d50b5c19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
25ac77f8c7c7b76b93c8346e41b89a95

SHA1
5a8f769162bab0a75b1014fb8b94f9bb1fb7970a

SHA256
8ad26364375358eac8238a730ef826749677c62d709003d84e758f0e7478cc4b

SHA512
df64a3593882972f3b10c997b118087c97a7fa684cd722624d7f5fb41d645c605d59a89eccf7518570ff9e73b4310432c4bb5864ee58e78c0743c0c1606853a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1563c79b96a711110edb71d7e55aaf18

SHA1
1c6be65b1b90e7c1dac42fbd072a101185877a87

SHA256
bf666afa350c19fe2f56fdc33032ad2eb592b666b9d2966659e5ac386d3500dd

SHA512
02a60bfb5ecfe5afa57fbf9d2cb9b8b2978845319d57622eb6836e3dbe3e34ade5950e2cdb6fea312205ecdb76de1aa7edabdbdb54bf6b9009590b2c6fd3cd86

Download Submit
memory/5988-172-0x0000014821750000-0x0000014821760000-memory.dmp

Filesize
64KB

Download
memory/5988-188-0x0000014821850000-0x0000014821860000-memory.dmp

Filesize
64KB

Download
memory/5988-204-0x0000014829BC0000-0x0000014829BC1000-memory.dmp

Filesize
4KB

Download
memory/5988-206-0x0000014829BF0000-0x0000014829BF1000-memory.dmp

Filesize
4KB

Download
memory/5988-207-0x0000014829BF0000-0x0000014829BF1000-memory.dmp

Filesize
4KB

Download
memory/5988-208-0x0000014829D00000-0x0000014829D01000-memory.dmp

Filesize
4KB

Download