hxxps://indd[.]adobe[.]com/view/2aec0a1a-b314-4b56-b6d9-6c8d20ed3a31

Analysis

max time kernel
26s
max time network
26s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
15/11/2023, 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://indd.adobe.com/view/2aec0a1a-b314-4b56-b6d9-6c8d20ed3a31

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1288	msedge.exe
1288	msedge.exe
4120	msedge.exe
4120	msedge.exe
3884	identity_helper.exe
3884	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4120 wrote to memory of 3456	4120	msedge.exe	33
PID 4120 wrote to memory of 3456	4120	msedge.exe	33
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 4708	4120	msedge.exe	89
PID 4120 wrote to memory of 1288	4120	msedge.exe	88
PID 4120 wrote to memory of 1288	4120	msedge.exe	88
PID 4120 wrote to memory of 112	4120	msedge.exe	90
PID 4120 wrote to memory of 112	4120	msedge.exe	90
PID 4120 wrote to memory of 112	4120	msedge.exe	90
PID 4120 wrote to memory of 112	4120	msedge.exe	90
PID 4120 wrote to memory of 112	4120	msedge.exe	90
PID 4120 wrote to memory of 112	4120	msedge.exe	90
PID 4120 wrote to memory of 112	4120	msedge.exe	90
PID 4120 wrote to memory of 112	4120	msedge.exe	90
PID 4120 wrote to memory of 112	4120	msedge.exe	90
PID 4120 wrote to memory of 112	4120	msedge.exe	90
PID 4120 wrote to memory of 112	4120	msedge.exe	90
PID 4120 wrote to memory of 112	4120	msedge.exe	90
PID 4120 wrote to memory of 112	4120	msedge.exe	90
PID 4120 wrote to memory of 112	4120	msedge.exe	90
PID 4120 wrote to memory of 112	4120	msedge.exe	90
PID 4120 wrote to memory of 112	4120	msedge.exe	90
PID 4120 wrote to memory of 112	4120	msedge.exe	90
PID 4120 wrote to memory of 112	4120	msedge.exe	90
PID 4120 wrote to memory of 112	4120	msedge.exe	90
PID 4120 wrote to memory of 112	4120	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffedab46f8,0x7fffedab4708,0x7fffedab4718
1⤵
PID:3456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://indd.adobe.com/view/2aec0a1a-b314-4b56-b6d9-6c8d20ed3a31
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,10201196058901587304,14846454525517731386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,10201196058901587304,14846454525517731386,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,10201196058901587304,14846454525517731386,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
  2⤵
  PID:112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10201196058901587304,14846454525517731386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10201196058901587304,14846454525517731386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,10201196058901587304,14846454525517731386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
  2⤵
  PID:1792
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,10201196058901587304,14846454525517731386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10201196058901587304,14846454525517731386,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10201196058901587304,14846454525517731386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10201196058901587304,14846454525517731386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10201196058901587304,14846454525517731386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10201196058901587304,14846454525517731386,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
  2⤵
  PID:1764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10201196058901587304,14846454525517731386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10201196058901587304,14846454525517731386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
  2⤵
  PID:5236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10201196058901587304,14846454525517731386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1
  2⤵
  PID:5308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10201196058901587304,14846454525517731386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:5752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
84df16093540d8d88a327b849dd35f8c

SHA1
c6207d32a8e44863142213697984de5e238ce644

SHA256
220f89151a0f978b8bbe338b937af90417ae8c17b72a53f2acea7be2ac171a8c

SHA512
3077ccda8f86f47c41978d6cbb1dcad344e36f236251c8fd8c58d1c48a59106aecfdbe306357b7ebcfe3300bec8ea10ee0e59434c799e8c40e40e6c3c1bd4098

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8d8583bc4ffea7f1d59a369b21071638

SHA1
eafcbf09026952d94680dc4aebd53240a0e57bda

SHA256
3b11ff861c5c75c828d0905cc75092cf398f46cf6660ee2a69e64ea8bbd1d93d

SHA512
d63f513a17ff0106806c4193beebfe1acead6b85fca11e9528e0dd381db991a6250c7c8c3cff8d7b41b706825b6549449dd1e7119001ee12523f73120465b1c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c76ff73ac65b1eb2d4c75f3793a3b035

SHA1
0b0c34016a130c28615b9f744c08736e56b0ece5

SHA256
1e87879490d4db0b1bc807a518f5b2efae07e2b5a5ab5df27300644535804684

SHA512
b0f424bbc9c639996b312563d688cf3c5483ab9ca1bcb43bc80487de475236c871eca4eeaac80a594ddb61808b4498250f40db0efb59f740b395d49fa82fd803

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6affac9cc1a64a1f2c8ff735b382b169

SHA1
1db1fbb75337ff197f1cb1894e0ff2f372b5cab4

SHA256
37fa542f84b796d000901cb50299771d507ca4d13c3a066f3f82e119de377dea

SHA512
90d8f3692d1dfe4ec9e0261b1d5a134150c808f3776c643b97bda7e7be60bbf11aafc6834cde972a4313b02d9c184c21482989116b0cfb077b67c36d8370fdca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
918ecd7940dcab6b9f4b8bdd4d3772b2

SHA1
7c0c6962a6cd37d91c2ebf3ad542b3876dc466e4

SHA256
3123072fba0ea8e8f960dd213659a0c96ce2b58683593b8ea84efac772b25175

SHA512
c96044501a0a6a65140bc7710a81d29dac35fc6a6fd18fbb4fa5d584e9dc79a059e51cbe063ca496d72558e459ffa6c2913f3893f0a3c0f8002bbca1d1b98ea2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b79edf152310fd1d2f86df08e1dbd9c8

SHA1
a86ec4f30fe0fbbdd38f0d3de2b050bb71682927

SHA256
56e763c82128d0f70d475d9114d01f7cb92e9ac3d296784edffcffbbd7e5f3c7

SHA512
e511ed90b332d013d8364e079bdaf3d578ba29feaf8c9b6adad535d4216d56665a1546b468aacdf729b2f5cb532582985fa7d603e6f139b58628bfc41a180d3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3164c7c266eebcc5bef94f3aa2f256d2

SHA1
3ea48668a2f68dc60c72e31ccd64762396f3f21a

SHA256
3674e8cc506f9884b62b79b0021c5e7c524a5b3c5f237c4030dae73516c9078a

SHA512
87ef0e39324006d66dc1eefa578e54e3db512abd04f8337b743772619719256f0f720a937c1851d83f57e3438f03f97ff94a40d8ce7e9377882f3ea484a218b9

Download Submit