hxxp://youremailonline[.]com

Resubmissions

04/01/2024, 19:12

240104-xw1qpahccp 10

Analysis

max time kernel
116s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2024, 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://youremailonline.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2716	msedge.exe
2716	msedge.exe
1540	msedge.exe
1540	msedge.exe
2892	identity_helper.exe
2892	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 4480	1540	msedge.exe	16
PID 1540 wrote to memory of 4480	1540	msedge.exe	16
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2912	1540	msedge.exe	91
PID 1540 wrote to memory of 2716	1540	msedge.exe	90
PID 1540 wrote to memory of 2716	1540	msedge.exe	90
PID 1540 wrote to memory of 5088	1540	msedge.exe	92
PID 1540 wrote to memory of 5088	1540	msedge.exe	92
PID 1540 wrote to memory of 5088	1540	msedge.exe	92
PID 1540 wrote to memory of 5088	1540	msedge.exe	92
PID 1540 wrote to memory of 5088	1540	msedge.exe	92
PID 1540 wrote to memory of 5088	1540	msedge.exe	92
PID 1540 wrote to memory of 5088	1540	msedge.exe	92
PID 1540 wrote to memory of 5088	1540	msedge.exe	92
PID 1540 wrote to memory of 5088	1540	msedge.exe	92
PID 1540 wrote to memory of 5088	1540	msedge.exe	92
PID 1540 wrote to memory of 5088	1540	msedge.exe	92
PID 1540 wrote to memory of 5088	1540	msedge.exe	92
PID 1540 wrote to memory of 5088	1540	msedge.exe	92
PID 1540 wrote to memory of 5088	1540	msedge.exe	92
PID 1540 wrote to memory of 5088	1540	msedge.exe	92
PID 1540 wrote to memory of 5088	1540	msedge.exe	92
PID 1540 wrote to memory of 5088	1540	msedge.exe	92
PID 1540 wrote to memory of 5088	1540	msedge.exe	92
PID 1540 wrote to memory of 5088	1540	msedge.exe	92
PID 1540 wrote to memory of 5088	1540	msedge.exe	92

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa5e946f8,0x7ffaa5e94708,0x7ffaa5e94718
1⤵
PID:4480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://youremailonline.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,9330268289753004611,14289950164729929370,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,9330268289753004611,14289950164729929370,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,9330268289753004611,14289950164729929370,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9330268289753004611,14289950164729929370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9330268289753004611,14289950164729929370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,9330268289753004611,14289950164729929370,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,9330268289753004611,14289950164729929370,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9330268289753004611,14289950164729929370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9330268289753004611,14289950164729929370,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9330268289753004611,14289950164729929370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9330268289753004611,14289950164729929370,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
  2⤵
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9330268289753004611,14289950164729929370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4420 /prefetch:1
  2⤵
  PID:3020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7a5862a0ca86c0a4e8e0b30261858e1f

SHA1
ee490d28e155806d255e0f17be72509be750bf97

SHA256
92b4c004a9ec97ccf7a19955926982bac099f3b438cd46063bb9bf5ac7814a4b

SHA512
0089df12ed908b4925ba838e07128987afe1c9235097b62855122a03ca6d34d7c75fe4c30e68581c946b77252e7edf1dd66481e20c0a9cccd37e0a4fe4f0a6fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
214a5047eeeb550991d80764462c9386

SHA1
6a9985c17481473b3ae0ce67e8c7489c4faf97a2

SHA256
24e4ee0980e7f5a3a810fd3d26ff2dadae671c748f987ac164320d9012ab1f88

SHA512
609ebc71ffecfa20610d0061305fd5acbeedd71b8e2403e83688ed560ede739baa16aa5901425aca109c527bef759d6060f52132e47aa8d586b7effbbd6af0b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3f48669cc1b7393691ebc3cf8adf646d

SHA1
6b9c329f85ccbd806246d3b17e99b1ee19bed9e8

SHA256
31ab1f4199f52e511350324507f7797e4ecda225108960ba15ccaf734455b6d9

SHA512
8b838366d4135bf57f16b279fe8b15ad60c7e8cf1bcb4476bdbe06d82a5c7565f41086e744855d476a981eda134b70fdb3ec56de663bd94c70a07abdfb022692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b86d9adfb219285d232e5638919d818b

SHA1
dc4df056b7cbc9c66fada52787cbabc98894416b

SHA256
bcdfbd78a328853677b766534515bc16a94b322386042e65aaa8a0f84127124b

SHA512
d25fd19ed05d5d83009a0c9e7dcca0612f571034b5035b1795d653f4cfa88e89273b4d48f8067a3df76b5bb125002ed06e983a073c05823a23324bbc71f073ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
789dbcc57204aeee4824023e92538765

SHA1
86183d2806b057e68f6a02dfb8ef74e1d8c24b33

SHA256
34ee9547f53653dfb455aaf75106ac00bbfd2eb56064d3bdec2edf48002f0c98

SHA512
03cbfaab456d7cfe8506d913933c9f86ecfc2c0f922a054253832c88021bad15fd5ba7304c244414c8bb9b86411de1ccf1b308eea3ae5c22d8d60f140aa64f4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
14629b550ef8f60d70d5d79b064604a8

SHA1
4f64d43895eff510bd353f5119601af58cc44753

SHA256
20467418a089542b9d08d4aed7ec8afc0055bfaa58caab0a89a0413126d14349

SHA512
25bad50df23d85c597aba6bee1d254db3490f367b413d1e376d60d07795c00fa4aa375f672e553575ef96ecfbc6caac9f982fd92720a43e443030ad3e17a3258

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
52826cef6409f67b78148b75e442b5ea

SHA1
a675db110aae767f5910511751cc3992cddcc393

SHA256
98fc43994599573e7181c849e5865f23b4f05f85c1115dff53c58764d80373fb

SHA512
f18df18cab6b5ecd71b79c81a2a1fdac42cc9960f62f06ac25f4d6487792705f2766ee3a10239eaac940d090186e6bc820e4eb7a5ee138f6e5c1c64f951b960c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
089a06c34b57d7f7217076b907e67d50

SHA1
1ad2504daf769b19dd7a3734fbd1db59f3751610

SHA256
febbce0d022c29cee811a1ce1535f763c94635b4e6501edf3c0b0182331ddc71

SHA512
877121e4b9deaa1d0656077ed6c0edbe7b614069ba1b20006be461b735e50b715045dc8e4d35317c45f77acb29da864246a714c7812b828730dd1bf7b7cba999

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
78c2511299bbb14f715386d82630c810

SHA1
dd420212152932a898cf7b22483223e84e81044e

SHA256
b303e58a43a5efc6315bffa84d8c14959c2747eb5d1c8d727377d52fc10218a6

SHA512
356da997203075161f172aff18b4c2a1fa2896a89df9487d2cfda44e55374b58f06700ed926bd295e41cb62db5d31f769dd6f13dd18b394085570fe4251b76fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
917ff8bea4de7d7391e9dcb18ce1444a

SHA1
cb14aca0839b848a754b10a058bf52c30343729d

SHA256
2dbdd01ea03861d4d380bcb3fe2d9f534ebb29f8b173dc7c93b97969adbd665a

SHA512
0e5ac99bce8738e0468b24be7c8701e80ce882133366fdccbdccde7633be56d9ec5264668a79986861d97b0584211aba977c7df99bdf5a0a2c60920619ebb883

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit