hxxp://smtplink[.]usssa[.]com/ls/click?upn=WSslNwXrfTzmOiygdbhyJ7OXps2evdDzzSsK6WJKh1-2BTa-2BsFcbbiqC5oGWkIj79WGNV-2BFmg1iVc0oCJUXt5lVPVS-2BpeoDtXsBDapH8YjcJk-3Dm69h_dWNbviQYaiYaONJNN7l5J7kUzDrVX-2BLHSvsvMSSJbGQdunKsOHFjLdZSeVksznp8s0Zn-2B1-2F7GW-2BE5dJL91E7IRQh7K8Ih5vwlu3jUiBk7yBVsiEBOr-2Fb4NLuhbRrdiXxnwVblZV8xSx6HvRbJ8eOyAGdirzZE7G8rwaExsoEW-2B4NqppMMWDy4u0qh6uaLBIsnyujnTWwuPao5usWNKKXg0QUG0e1uvGWmB7u2Mb6D-2Fo-3D

Analysis

max time kernel
143s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2023, 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://smtplink.usssa.com/ls/click?upn=WSslNwXrfTzmOiygdbhyJ7OXps2evdDzzSsK6WJKh1-2BTa-2BsFcbbiqC5oGWkIj79WGNV-2BFmg1iVc0oCJUXt5lVPVS-2BpeoDtXsBDapH8YjcJk-3Dm69h_dWNbviQYaiYaONJNN7l5J7kUzDrVX-2BLHSvsvMSSJbGQdunKsOHFjLdZSeVksznp8s0Zn-2B1-2F7GW-2BE5dJL91E7IRQh7K8Ih5vwlu3jUiBk7yBVsiEBOr-2Fb4NLuhbRrdiXxnwVblZV8xSx6HvRbJ8eOyAGdirzZE7G8rwaExsoEW-2B4NqppMMWDy4u0qh6uaLBIsnyujnTWwuPao5usWNKKXg0QUG0e1uvGWmB7u2Mb6D-2Fo-3D

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4508	msedge.exe
4508	msedge.exe
3424	msedge.exe
3424	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3424 wrote to memory of 4736	3424	msedge.exe	72
PID 3424 wrote to memory of 4736	3424	msedge.exe	72
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4836	3424	msedge.exe	89
PID 3424 wrote to memory of 4508	3424	msedge.exe	88
PID 3424 wrote to memory of 4508	3424	msedge.exe	88
PID 3424 wrote to memory of 2708	3424	msedge.exe	90
PID 3424 wrote to memory of 2708	3424	msedge.exe	90
PID 3424 wrote to memory of 2708	3424	msedge.exe	90
PID 3424 wrote to memory of 2708	3424	msedge.exe	90
PID 3424 wrote to memory of 2708	3424	msedge.exe	90
PID 3424 wrote to memory of 2708	3424	msedge.exe	90
PID 3424 wrote to memory of 2708	3424	msedge.exe	90
PID 3424 wrote to memory of 2708	3424	msedge.exe	90
PID 3424 wrote to memory of 2708	3424	msedge.exe	90
PID 3424 wrote to memory of 2708	3424	msedge.exe	90
PID 3424 wrote to memory of 2708	3424	msedge.exe	90
PID 3424 wrote to memory of 2708	3424	msedge.exe	90
PID 3424 wrote to memory of 2708	3424	msedge.exe	90
PID 3424 wrote to memory of 2708	3424	msedge.exe	90
PID 3424 wrote to memory of 2708	3424	msedge.exe	90
PID 3424 wrote to memory of 2708	3424	msedge.exe	90
PID 3424 wrote to memory of 2708	3424	msedge.exe	90
PID 3424 wrote to memory of 2708	3424	msedge.exe	90
PID 3424 wrote to memory of 2708	3424	msedge.exe	90
PID 3424 wrote to memory of 2708	3424	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://smtplink.usssa.com/ls/click?upn=WSslNwXrfTzmOiygdbhyJ7OXps2evdDzzSsK6WJKh1-2BTa-2BsFcbbiqC5oGWkIj79WGNV-2BFmg1iVc0oCJUXt5lVPVS-2BpeoDtXsBDapH8YjcJk-3Dm69h_dWNbviQYaiYaONJNN7l5J7kUzDrVX-2BLHSvsvMSSJbGQdunKsOHFjLdZSeVksznp8s0Zn-2B1-2F7GW-2BE5dJL91E7IRQh7K8Ih5vwlu3jUiBk7yBVsiEBOr-2Fb4NLuhbRrdiXxnwVblZV8xSx6HvRbJ8eOyAGdirzZE7G8rwaExsoEW-2B4NqppMMWDy4u0qh6uaLBIsnyujnTWwuPao5usWNKKXg0QUG0e1uvGWmB7u2Mb6D-2Fo-3D
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaae1c46f8,0x7ffaae1c4708,0x7ffaae1c4718
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,4962356119229591708,8419815560163525037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,4962356119229591708,8419815560163525037,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2316 /prefetch:2
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,4962356119229591708,8419815560163525037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
  2⤵
  PID:2708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4962356119229591708,8419815560163525037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:2516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4962356119229591708,8419815560163525037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:2884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4962356119229591708,8419815560163525037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4962356119229591708,8419815560163525037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4962356119229591708,8419815560163525037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4962356119229591708,8419815560163525037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4962356119229591708,8419815560163525037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:3012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bf009481892dd0d1c49db97428428ede

SHA1
aee4e7e213f6332c1629a701b42335eb1a035c66

SHA256
18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4

SHA512
d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
696B

MD5
1e0e0b681196fe5bef7a45c25bab98d1

SHA1
1b097cd5a846c11355d3a169cb28870a95208be5

SHA256
cac57c43c70916b1c2238db6b81811b66f68cbaca7c9722298b09eb4c5034aec

SHA512
85db341b2349e2006146bde34d9f77e82720162e338e0e862a123fc9ca4802485dd7202b3690d91b79cb70fdcc3b57a16a6001277649696ccad26132a2036f81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
4b188c38850dba9b96c6ddca5af51275

SHA1
33ab3b01c23d31fa038c1b5547420b400046322d

SHA256
d785982e86aff4abb1e09e2509b2afd06a37f36760804db15ba89624673a657e

SHA512
8afa6f2a58ac3019e31c6dccce9a1883ed67fff73d7f563e0e56781f3a3f4a78584f867123d17f941a5cff458f5a0e7e3a726b6846983881ac34147a7ba0e617

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1e29b4408aa8cd38bf9057d8b6356407

SHA1
13d1f0f068512c0052d69c2b4cf78f7c0b1a839c

SHA256
989c2e12af9a4a9350a13c94757f9326cc54524369c74b665789e28eb17591ee

SHA512
b317ed917c51d22482ea0a8067b089aa46fcd5ac3af15537c7c3e3689c9b1a54a53833fe688515f27aa289a3809170bf215e0dfc8bd61efd68c4d70d5613f7df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6281bcacb5aa505c85cdf75e05d17029

SHA1
4f4bcaea4eea37e9894b4d0b3e3623efbad3c4a2

SHA256
64feba7df11a54360ad4a5196d8942ce2f4b5e26f98d1c2c2abe00e09fef41e5

SHA512
0d1d748d07ad8191754033aa170144e8ac2385a69b0b52eb9347a755ee01084f313e5fd18c7b1b79053ca711b14fbb842ec9f29ddfa6514e5663731eab122eec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
b690c7643af8bf5f3a96b59e33522135

SHA1
204ca48a942ecba4d2f2ef844275c3f5905ed453

SHA256
4577c23a112c820b430e2b16d0283f4715b06f64164e1e5bf883034a7201c695

SHA512
f690f6f5cb19c2e7338feda4741c47b107e48e86db530829cff7e4a0737b813051d31625b1f3108bf8a2f496fad14767b6c255bc816a3e8a3bc43d4c2b63036d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0e451f84cad8a4e8e7c49b13256be1ff

SHA1
a6673dba7f1389d6c3fb751ad3a2ce227bde0f81

SHA256
942563f4f6f30081594822783a14032c10e49860a157b29da1abfa4e75a8e3f7

SHA512
be5117338c63b137675e73d4f0de1fc2461d0152a71fdc857d0d0846207751df5d7dd677a496993e1a49b1c035c0175c692153cf6a6e970e20994d5aa8ca63e1

Download Submit