hxxps://mail[.]securitycompliancecorp[.]com/em/lt[.]php?tid=Lh8HAwcAUlJTDh9QAVUDG1VWUg0UAFFRURtVCQUCBQdWVFVRVQUZVFFQBFZRUwgbBFEDVxQMAFMBGwAJVgJJU1dTBAFXVVQEB1BWGlJSCQVZA1EBFAkGUwEbVglRUUkFU1JWGgJQUlcDAgtWVwcHVA

Analysis

max time kernel
79s
max time network
85s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mail.securitycompliancecorp.com/em/lt.php?tid=Lh8HAwcAUlJTDh9QAVUDG1VWUg0UAFFRURtVCQUCBQdWVFVRVQUZVFFQBFZRUwgbBFEDVxQMAFMBGwAJVgJJU1dTBAFXVVQEB1BWGlJSCQVZA1EBFAkGUwEbVglRUUkFU1JWGgJQUlcDAgtWVwcHVA

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4340	msedge.exe
4340	msedge.exe
1504	msedge.exe
1504	msedge.exe
2244	identity_helper.exe
2244	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 2756	1504	msedge.exe	86
PID 1504 wrote to memory of 2756	1504	msedge.exe	86
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 2008	1504	msedge.exe	88
PID 1504 wrote to memory of 4340	1504	msedge.exe	87
PID 1504 wrote to memory of 4340	1504	msedge.exe	87
PID 1504 wrote to memory of 4720	1504	msedge.exe	89
PID 1504 wrote to memory of 4720	1504	msedge.exe	89
PID 1504 wrote to memory of 4720	1504	msedge.exe	89
PID 1504 wrote to memory of 4720	1504	msedge.exe	89
PID 1504 wrote to memory of 4720	1504	msedge.exe	89
PID 1504 wrote to memory of 4720	1504	msedge.exe	89
PID 1504 wrote to memory of 4720	1504	msedge.exe	89
PID 1504 wrote to memory of 4720	1504	msedge.exe	89
PID 1504 wrote to memory of 4720	1504	msedge.exe	89
PID 1504 wrote to memory of 4720	1504	msedge.exe	89
PID 1504 wrote to memory of 4720	1504	msedge.exe	89
PID 1504 wrote to memory of 4720	1504	msedge.exe	89
PID 1504 wrote to memory of 4720	1504	msedge.exe	89
PID 1504 wrote to memory of 4720	1504	msedge.exe	89
PID 1504 wrote to memory of 4720	1504	msedge.exe	89
PID 1504 wrote to memory of 4720	1504	msedge.exe	89
PID 1504 wrote to memory of 4720	1504	msedge.exe	89
PID 1504 wrote to memory of 4720	1504	msedge.exe	89
PID 1504 wrote to memory of 4720	1504	msedge.exe	89
PID 1504 wrote to memory of 4720	1504	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mail.securitycompliancecorp.com/em/lt.php?tid=Lh8HAwcAUlJTDh9QAVUDG1VWUg0UAFFRURtVCQUCBQdWVFVRVQUZVFFQBFZRUwgbBFEDVxQMAFMBGwAJVgJJU1dTBAFXVVQEB1BWGlJSCQVZA1EBFAkGUwEbVglRUUkFU1JWGgJQUlcDAgtWVwcHVA
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff88ba146f8,0x7ff88ba14708,0x7ff88ba14718
  2⤵
  PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,3121582066830395017,14141349815250736740,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,3121582066830395017,14141349815250736740,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
  2⤵
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,3121582066830395017,14141349815250736740,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,3121582066830395017,14141349815250736740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,3121582066830395017,14141349815250736740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:1252
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,3121582066830395017,14141349815250736740,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  PID:1344
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,3121582066830395017,14141349815250736740,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,3121582066830395017,14141349815250736740,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:3784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,3121582066830395017,14141349815250736740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
  2⤵
  PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,3121582066830395017,14141349815250736740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
  2⤵
  PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,3121582066830395017,14141349815250736740,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
  2⤵
  PID:4284

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d8f4eadb68a3e3d1bf2fa3006af5510

SHA1
d5d8239ec8a3bf5dadf52360350251d90d9e0142

SHA256
85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c

SHA512
554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\566b44c9-5769-4492-8c4b-fdbcd7b88bf0.tmp

Filesize
7KB

MD5
9454c5dfa0e9333d317877f08fabfbdf

SHA1
416f3abfa37125a5a457c229d88581bc1fb52cbc

SHA256
a151dc5efe64f382697ef8b16038e70326ced7027cfa4ecbafb9a8f52b423714

SHA512
5ca37cbdb3b7f09819a59c396198cc8f40042d697e47167ca04c46895ecee245947427dff09dabcfca9357c9f9614a45248be77d813a9419f15f225684378ef9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
8f00c4e3426e5d4ce0fba0593ac46968

SHA1
ee63d0b6ff8abf7effd70b0656194a67f59f4de6

SHA256
e8c4c96fb6aecf95b1e2e4773b238b4ba830ee0afb26f163703dfaf7c6cef213

SHA512
f9e07a15e3a6c1d8e7f8c0f7ad98eeaf67ae3ff3fa2dd365b0d90529a801a6566d4bd5dc6e66d1e00e0d185f5d647b1848ac79247e78bcbbf0104508e4c00720

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2a12daef3afa833d663f3fdacc032b45

SHA1
1189463fca2b47bfe6da78ba4caeae369076166b

SHA256
9dbb688f26072813aab8460f68eb1465c560bfddae483b633ef9b9c4f5f46b59

SHA512
d09eef65303726db9c756fe541ec4930fbca5d9aef20b3d9cb14a118a75e2524074652d45275c571c5da03a40c568afd57f7cf09e3f91c9a934b6fd570e635d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
831749ef5e7276730fc0e054288e29a7

SHA1
f6becef79a1760838200c5fc5377a70308dc4873

SHA256
12051ed385b04317b0c9b0a95b39d022af5f0e9c1eab1f36dd275fe85225242e

SHA512
b3a4195387d753ddfcef8e2b6f02470594f987a6a80eeaec009364c9db25a3497fd043871722e115b533495dd143ba0715d6cf673b1cc53d7345ca85509d3ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fabbe051eff4c5bdcec4f0e95eda2ac3

SHA1
f75ecc7a7ef47fa5695e7e8a58f6c25bb9ea5ac9

SHA256
2188765225cd81ed3255b11b61da68c8236efe3b789fce14624221faecdbe8e4

SHA512
05d2503f79c3fd9202ccb882cff759642669ae8108980720dd8cb6a6fa80a4b838ad9327f14060690af3f1c29b6bcb5ab685a8f24a3e0e7b225835f93a3f9d89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
d985875547ce8936a14b00d1e571365f

SHA1
040d8e5bd318357941fca03b49f66a1470824cb3

SHA256
8455a012296a7f4b10ade39e1300cda1b04fd0fc1832ffc043e66f48c6aecfbf

SHA512
ca31d3d6c44d52a1f817731da2e7ac98402cd19eeb4b48906950a2f22f961c8b1f665c3eaa62bf73cd44eb94ea377f7e2ceff9ef682a543771344dab9dbf5a38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
20fe289d58bac411e71782237d434e1d

SHA1
0f844a7744b635a04d67a464d7c2a61e7e302d54

SHA256
5a1cc16a47b8a649c3d27a047ed6304129467c32732519c3bbf014ec1b9a687e

SHA512
9137c5dd99ff6c7b1a04c57c657945aa2b4b93c18a012df85188f4375a58b43207f02b6db0cb2db429ed7849274561fc4ba3d644f31fae71398ad5004330dee4

Download Submit