hxxps://ucb-org[.]my[.]salesforce[.]com/ncsphoto/2THLCWfFpbwpLgBPI20wLzYTSD6X4Z1o2e1pTz4Xg0a2L1GnnVMH4awoOyX4ryWNb8JIwLd8-Y0Pl6yRM7meZw%3D%3D?fromEmail=1

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2023 06:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://ucb-org.my.salesforce.com/ncsphoto/2THLCWfFpbwpLgBPI20wLzYTSD6X4Z1o2e1pTz4Xg0a2L1GnnVMH4awoOyX4ryWNb8JIwLd8-Y0Pl6yRM7meZw%3D%3D?fromEmail=1

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4428	msedge.exe
4428	msedge.exe
4444	msedge.exe
4444	msedge.exe
3580	identity_helper.exe
3580	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 4792	4444	msedge.exe	85
PID 4444 wrote to memory of 4792	4444	msedge.exe	85
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 3996	4444	msedge.exe	87
PID 4444 wrote to memory of 4428	4444	msedge.exe	88
PID 4444 wrote to memory of 4428	4444	msedge.exe	88
PID 4444 wrote to memory of 3368	4444	msedge.exe	89
PID 4444 wrote to memory of 3368	4444	msedge.exe	89
PID 4444 wrote to memory of 3368	4444	msedge.exe	89
PID 4444 wrote to memory of 3368	4444	msedge.exe	89
PID 4444 wrote to memory of 3368	4444	msedge.exe	89
PID 4444 wrote to memory of 3368	4444	msedge.exe	89
PID 4444 wrote to memory of 3368	4444	msedge.exe	89
PID 4444 wrote to memory of 3368	4444	msedge.exe	89
PID 4444 wrote to memory of 3368	4444	msedge.exe	89
PID 4444 wrote to memory of 3368	4444	msedge.exe	89
PID 4444 wrote to memory of 3368	4444	msedge.exe	89
PID 4444 wrote to memory of 3368	4444	msedge.exe	89
PID 4444 wrote to memory of 3368	4444	msedge.exe	89
PID 4444 wrote to memory of 3368	4444	msedge.exe	89
PID 4444 wrote to memory of 3368	4444	msedge.exe	89
PID 4444 wrote to memory of 3368	4444	msedge.exe	89
PID 4444 wrote to memory of 3368	4444	msedge.exe	89
PID 4444 wrote to memory of 3368	4444	msedge.exe	89
PID 4444 wrote to memory of 3368	4444	msedge.exe	89
PID 4444 wrote to memory of 3368	4444	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ucb-org.my.salesforce.com/ncsphoto/2THLCWfFpbwpLgBPI20wLzYTSD6X4Z1o2e1pTz4Xg0a2L1GnnVMH4awoOyX4ryWNb8JIwLd8-Y0Pl6yRM7meZw%3D%3D?fromEmail=1
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff923ab46f8,0x7ff923ab4708,0x7ff923ab4718
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,10396930620876219189,3756807508713691490,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
  2⤵
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,10396930620876219189,3756807508713691490,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,10396930620876219189,3756807508713691490,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
  2⤵
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,10396930620876219189,3756807508713691490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,10396930620876219189,3756807508713691490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,10396930620876219189,3756807508713691490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
  2⤵
  PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,10396930620876219189,3756807508713691490,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:560
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,10396930620876219189,3756807508713691490,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
  2⤵
  PID:2920
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,10396930620876219189,3756807508713691490,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,10396930620876219189,3756807508713691490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:2264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,10396930620876219189,3756807508713691490,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:4636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
00a455d9d155394bfb4b52258c97c5e5

SHA1
2761d0c955353e1982a588a3df78f2744cfaa9df

SHA256
45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed

SHA512
9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
51d384661ac93ea0a251a536ecd6e6ae

SHA1
fccb967755dfa1ac038ab080a43b101724b5f609

SHA256
4f2051f5980525f3573dbc1377165ee38f8ba7519723349ca77e19c678e05ac4

SHA512
8802421f521b7b4681bdc88026f15588a1b1fee5d7a60392487d49b2b8d3cad8345b22a42a83bff30b146fcbe8791a17046596048088b44c7e3a5a509f52b20c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dce66647a062c467362a73f10490ecf9

SHA1
202b8812ff56784b570409f0e3ae47cb64e0666f

SHA256
73b54983c2a84846712ad5c8df1f4f954336161913756004a10eeca2a0bcd4a9

SHA512
bcef308a5e68de1675a29efa6baa05e308301431a9715fafc565612c70c2c7c90378c693dcb66ad5eb852c425841c43cc07cdd9f38606b221e6cf8ee22342ea3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0abc59bc39e885e7f2a3e8f3fdc6f152

SHA1
9e12205879f7ef3209defe85543a692f634b83d4

SHA256
e8fac0fd974061d7be04bb7359c598d95c424c85f9b9d4126d103c9edc8d8e72

SHA512
763a37a436529b5b366c6944ba07bde873c4d0d77dbafd2a1f039bd7fbfb608887c6583808d15c3159bf3ee0265c7b48b0d3f9c1632517eec4d4a5d6246eac7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
3a748249c8b0e04e77ad0d6723e564ff

SHA1
5c4cc0e5453c13ffc91f259ccb36acfb3d3fa729

SHA256
f98f5543c33c0b85b191bb85718ee7845982275130da1f09e904d220f1c6ceed

SHA512
53254db3efd9c075e4f24a915e0963563ce4df26d4771925199a605cd111ae5025a65f778b4d4ed8a9b3e83b558066cd314f37b84115d4d24c58207760174af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
776a9ee66d98d957506a49090182f8b0

SHA1
531667c7a41bf430bba82d6e88c10c60fd2cc360

SHA256
a85570bb47a38ff9d88dd96c94d8b6688c1bf76c0472986d5d9adb93e1bfedd2

SHA512
bf6202fb0ca859a10bac1216db709d1907c9f4afa0d5435c7ad00d87d31e79364e0118035ac0911219ae6219690f6a7aedbe3b246ab26e1d9712c4b2f2a01681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
386465c12c7316bf695d219468ed74ce

SHA1
cc8598f3405ead50120dd73efc0d57c644a5b7f4

SHA256
4ebc7a5fedb92ce13cb31a32de238839d51b0f6819e4423db54ea54f50db4742

SHA512
ca5ee41ac18957f463f1b8e2b8e41e7913634f5b981fc5cfcfcd19761c07dccd5fdd3c5945ead48960365ac81fe848681fb9211e526bd0324b585f621580a235

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
41267e04581ffd7dbd4617db40450a96

SHA1
4af1f12aa7dbcf269c5a9208cdc3c6f6fd16c9f3

SHA256
822194904f89f23a7af4c92bfe555a248cd2b2a855aac2c08ecd2b2329c7da1d

SHA512
1a6dd3dfdad94247663b06d34c6d5bc3dc5b375effe02db9d740b2fed2fcbb14365484478d293a578b1cfa5ef16db34a26d91d168b7cacaf05fe12cb4e219cdc

Download Submit