hxxps://www[.]paypalobjects[.]com/digitalassets/c/system-triggered-email/n/layout/images/header-sidebar-right-bottom[.]jpg

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 05:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.paypalobjects.com/digitalassets/c/system-triggered-email/n/layout/images/header-sidebar-right-bottom.jpg

Score

5^/10

paypal phishing

Malware Config

Signatures

Detected potential entity reuse from brand paypal.
phishing paypal

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
64	msedge.exe
64	msedge.exe
3728	msedge.exe
3728	msedge.exe
1760	identity_helper.exe
1760	identity_helper.exe
2656	msedge.exe
2656	msedge.exe
2656	msedge.exe
2656	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3728 wrote to memory of 4968	3728	msedge.exe	85
PID 3728 wrote to memory of 4968	3728	msedge.exe	85
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 3308	3728	msedge.exe	88
PID 3728 wrote to memory of 64	3728	msedge.exe	87
PID 3728 wrote to memory of 64	3728	msedge.exe	87
PID 3728 wrote to memory of 1240	3728	msedge.exe	89
PID 3728 wrote to memory of 1240	3728	msedge.exe	89
PID 3728 wrote to memory of 1240	3728	msedge.exe	89
PID 3728 wrote to memory of 1240	3728	msedge.exe	89
PID 3728 wrote to memory of 1240	3728	msedge.exe	89
PID 3728 wrote to memory of 1240	3728	msedge.exe	89
PID 3728 wrote to memory of 1240	3728	msedge.exe	89
PID 3728 wrote to memory of 1240	3728	msedge.exe	89
PID 3728 wrote to memory of 1240	3728	msedge.exe	89
PID 3728 wrote to memory of 1240	3728	msedge.exe	89
PID 3728 wrote to memory of 1240	3728	msedge.exe	89
PID 3728 wrote to memory of 1240	3728	msedge.exe	89
PID 3728 wrote to memory of 1240	3728	msedge.exe	89
PID 3728 wrote to memory of 1240	3728	msedge.exe	89
PID 3728 wrote to memory of 1240	3728	msedge.exe	89
PID 3728 wrote to memory of 1240	3728	msedge.exe	89
PID 3728 wrote to memory of 1240	3728	msedge.exe	89
PID 3728 wrote to memory of 1240	3728	msedge.exe	89
PID 3728 wrote to memory of 1240	3728	msedge.exe	89
PID 3728 wrote to memory of 1240	3728	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypalobjects.com/digitalassets/c/system-triggered-email/n/layout/images/header-sidebar-right-bottom.jpg
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff95c1846f8,0x7ff95c184708,0x7ff95c184718
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,646949922235425846,13676641268414020711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:64
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,646949922235425846,13676641268414020711,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,646949922235425846,13676641268414020711,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  2⤵
  PID:1240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,646949922235425846,13676641268414020711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,646949922235425846,13676641268414020711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,646949922235425846,13676641268414020711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,646949922235425846,13676641268414020711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,646949922235425846,13676641268414020711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3384 /prefetch:8
  2⤵
  PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,646949922235425846,13676641268414020711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3384 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,646949922235425846,13676641268414020711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:3428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,646949922235425846,13676641268414020711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:3288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,646949922235425846,13676641268414020711,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3880 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2656

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1222f8c867acd00b1fc43a44dacce158

SHA1
586ba251caf62b5012a03db9ba3a70890fc5af01

SHA256
1e451cb9ffe74fbd34091a1b8d0ab2158497c19047b3416d89e55f498aae264a

SHA512
ef3f2fc1cedfc28fb530c710219b8e9eb833a2f344b91d3ffb2d82d7bbedbc223f4b60a38bea35b72eb706e4880ffcbb9256a9768f39bae95c5544be0f503916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
189B

MD5
efd079652ad21c50d69ad30ccf61a40d

SHA1
000bc74057bb6ab42d2a160349e1597edb211bc2

SHA256
045646bc1a87f1ce57c87ba8a6ed5332e36f71e667ac712be1df2fef80385f8f

SHA512
35f643af8bb12bb445e3e6ce7577376dc69010ddf8d7e76752d703cb50f091bdeb9947b9718baa6e9e286d69df19a794522e446f29d58dc26dfea571045f51ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8d27d84471b3ae5a7f67dfab8bdb644b

SHA1
59054f4f9d65eeaa868b2e5abea0debd70541637

SHA256
2e088f8afb379b0da01ce51afb3b3e5f349c164bda4c98a1908803b572b3d49a

SHA512
8907577fdc6a3f4968c9854d498a7475c1cc14eacf50d0cb26138cf78ff4a3754b34c1392be7f30ccac99d4b9f7186b79fa099ce741739a9cbf428659eb1742e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
389b79b140917482489a11a7e80b35c8

SHA1
a1d4750475b6263e46d9d91e009c5cfb9ee75273

SHA256
5623baf1f272c8ebfae9789a7c49c24dba34ac4fcbc89b891d263220ace7b1f2

SHA512
570faea9fb4b225d23b02142f118e4521349b71007dd91a9076f7d49d7df30c82cec23429faf7b2fbf64d729c87725e98f933f7cb1d5c0b507541f961a5c069c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d853bd4de9b1f6666b75e7556ce87b31

SHA1
d4a9c17e2efa6fceaea50fe136fa6e68506f76cb

SHA256
c3513e48e14fff9263a28d4a37a07b9fb636b232e29c5fc646906423d33c3c7a

SHA512
e01a639a9d6e8af602b41a720224ad88007d4ce9ddc47b77da407bac9ca0f8f16d66db70dcdc1863612893fdb95063e5ac494b02b9a38fcf3fae234747933eda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
15ad31a14e9a92d2937174141e80c28d

SHA1
b09e8d44c07123754008ba2f9ff4b8d4e332d4e5

SHA256
bf983e704839ef295b4c957f1adeee146aaf58f2dbf5b1e2d4b709cec65eccde

SHA512
ec744a79ccbfca52357d4f0212e7afd26bc93efd566dd5d861bf0671069ba5cb7e84069e0ea091c73dee57e9de9bb412fb68852281ae9bd84c11a871f5362296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1cc84eeab760ee9ce4c3888c09f1d453

SHA1
1ee709099839340309c9da0a010a8db0156e1fcc

SHA256
d87a594c1766978d14d50c1ee64b918c402ed6d47f9d70184079a3526e375e67

SHA512
329693c275a826e52e07465570ced5a4f082589a71a771e7bd1b1b96627da591532cf5a6e4024997b2c01ab527499f913a245a424c72e9244522855bc8c35bf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7f4e6a102248f4c59118b848671c5a89

SHA1
8c6bf259a3095ede1d69963eff80947ad72e27d7

SHA256
569982a338fce04a240bafbb944da0092b82a2e0efebdb22188dae59a52e115e

SHA512
9e5d678c97c31cca4bfa63bfb9ba954f7bb2dbfc9da543ef637abd192712a242980bafc7542ca25c31c0bba5014d230abdd296918ad19fc3fbe75ec8212bf03a

Download Submit