hxxps://dashboard[.]mailerlite[.]com/forms/666984/103422343384139053/share

Resubmissions

30/10/2023, 03:37

231030-d6vsmsae91 1

30/10/2023, 03:24

231030-dx33nacc83 1

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2023, 03:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://dashboard.mailerlite.com/forms/666984/103422343384139053/share

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4880	msedge.exe
4880	msedge.exe
4416	msedge.exe
4416	msedge.exe
1120	identity_helper.exe
1120	identity_helper.exe
4132	msedge.exe
4132	msedge.exe
4132	msedge.exe
4132	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 3420	4416	msedge.exe	49
PID 4416 wrote to memory of 3420	4416	msedge.exe	49
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4004	4416	msedge.exe	88
PID 4416 wrote to memory of 4880	4416	msedge.exe	87
PID 4416 wrote to memory of 4880	4416	msedge.exe	87
PID 4416 wrote to memory of 3384	4416	msedge.exe	89
PID 4416 wrote to memory of 3384	4416	msedge.exe	89
PID 4416 wrote to memory of 3384	4416	msedge.exe	89
PID 4416 wrote to memory of 3384	4416	msedge.exe	89
PID 4416 wrote to memory of 3384	4416	msedge.exe	89
PID 4416 wrote to memory of 3384	4416	msedge.exe	89
PID 4416 wrote to memory of 3384	4416	msedge.exe	89
PID 4416 wrote to memory of 3384	4416	msedge.exe	89
PID 4416 wrote to memory of 3384	4416	msedge.exe	89
PID 4416 wrote to memory of 3384	4416	msedge.exe	89
PID 4416 wrote to memory of 3384	4416	msedge.exe	89
PID 4416 wrote to memory of 3384	4416	msedge.exe	89
PID 4416 wrote to memory of 3384	4416	msedge.exe	89
PID 4416 wrote to memory of 3384	4416	msedge.exe	89
PID 4416 wrote to memory of 3384	4416	msedge.exe	89
PID 4416 wrote to memory of 3384	4416	msedge.exe	89
PID 4416 wrote to memory of 3384	4416	msedge.exe	89
PID 4416 wrote to memory of 3384	4416	msedge.exe	89
PID 4416 wrote to memory of 3384	4416	msedge.exe	89
PID 4416 wrote to memory of 3384	4416	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://dashboard.mailerlite.com/forms/666984/103422343384139053/share
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7ff9cf0946f8,0x7ff9cf094708,0x7ff9cf094718
  2⤵
  PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,8337933930830295586,1896161940773906778,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,8337933930830295586,1896161940773906778,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,8337933930830295586,1896161940773906778,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2556 /prefetch:8
  2⤵
  PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8337933930830295586,1896161940773906778,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8337933930830295586,1896161940773906778,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,8337933930830295586,1896161940773906778,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,8337933930830295586,1896161940773906778,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8337933930830295586,1896161940773906778,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:4200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8337933930830295586,1896161940773906778,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8337933930830295586,1896161940773906778,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8337933930830295586,1896161940773906778,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,8337933930830295586,1896161940773906778,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3480

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
483924abaaa7ce1345acd8547cfe77f4

SHA1
4190d880b95d9506385087d6c2f5434f0e9f63e8

SHA256
9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684

SHA512
e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\31985c05-310e-44e3-820f-e44f7b55cd69.tmp

Filesize
24KB

MD5
1c706d53e85fb5321a8396d197051531

SHA1
0d92aa8524fb1d47e7ee5d614e58a398c06141a4

SHA256
80c44553381f37e930f1c82a1dc2e77acd7b955ec0dc99d090d5bd6b32c3c932

SHA512
d43867392c553d4afffa45a1b87a74e819964011fb1226ee54e23a98fc63ca80e266730cec6796a2afa435b1ea28aed72c55eae1ae5d31ec778f53be3e2162fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
bf8f4e251c5621e2a895499ebd6c44bb

SHA1
ca44e506ff44687f0b3b89e9f3c458c9d0f5b7e9

SHA256
a7bf380cb6bdde7bd04815720aa3230ee68de05ce67137e8d6d7a4b1c2f9981d

SHA512
694e8298771f3fb665d89f6a2e5141295d690eee07c3b11716d5a0f2624a07ef4c9e918002f02101dca6e705938495b9779f9472db0fc6e7eb9b5ed3c2978e3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
344B

MD5
b22e36fdaa596a8a5d9f111e2f46f68f

SHA1
a44bd1edab6e4c79fc56e7004ec2994b6121421c

SHA256
c2955fb7ea24a3a95a9a20f40637b49f9e83bbc71cc3a4b5aff0129c6f0bbae9

SHA512
6cf1d829f937e522f4a01b951f43deb52856d39c761cfc9060e26b409770e011f4c5ad5e7d6b22517edb5f5303f9b9b6ff1943f58cb3418c28b0a9710f040c91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fd055556df67fd3d58feccebc9b0e4cd

SHA1
9e934aaf356287f08df25431bf5bf5d7a8dd4a4a

SHA256
7dfdd45112c349e6962ccdea032b02e402b0a19d2245388d1345e5daa305b456

SHA512
c3bc5f6ca8fa0a36926c372a231eedb88028c075293a592f091716c875dc1ea3947a30838ebaa7b5e191502dd5b7b89b68f364723483ae964aafeca17944f940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8c2f4985b9bee90d3e1b6f0f88a0d87c

SHA1
407a7e1f4fa88ceec2cd479b2cece9ececf5c9a2

SHA256
81a29bd075a57a4dd65d2e1fbb774464d694ee6275e844ea7cd45b1055d7561e

SHA512
c0d1b5f7cbe3aa66cb649568fc970aedfa3e68f8858e447b9ed7a40c70cc5bab361760cb4b15121bff6e264080786bc6e89ae007ac4f59369af0a86ef809fcfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
40fdacb80f8323c13b2f478d9201898f

SHA1
4d8f9412a280296d9687a46197487928edb65786

SHA256
5543cd43c2396b85fe78b5b80631e8e5bce60300b2107551368708a45944fc48

SHA512
389cf1fcd49e95b767bccbbc43c9bc6ed66db6dcd7ef5d77597420868e39e2e4d21257adb8f2de21137d24b04c1d78eab2e29b0d281137ce84435c10eac96a5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e83eec76c9bbc123d9410760bff694fd

SHA1
9247580cd9a690662d7abd43fffdadef9b42c60a

SHA256
196443b29b21003b8d17f640ced5e8e50a38ad91521ecda9e861866384226b5a

SHA512
7764da6d9115d037177109c1cb23059a3281e60c59ed183a0965bf6cd696cb72b3f4fdaf6db5204c429452139605f33f22115b07784cf7a53bc3fd556b814b7f

Download Submit