hxxps://indd[.]adobe[.]com/view/d7a4daa7-ca0d-4e56-bfd7-de9563471f5a

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2024 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://indd.adobe.com/view/d7a4daa7-ca0d-4e56-bfd7-de9563471f5a

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2800	msedge.exe
2800	msedge.exe
1132	msedge.exe
1132	msedge.exe
1680	identity_helper.exe
1680	identity_helper.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 1412	1132	msedge.exe	88
PID 1132 wrote to memory of 1412	1132	msedge.exe	88
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 4036	1132	msedge.exe	91
PID 1132 wrote to memory of 2800	1132	msedge.exe	92
PID 1132 wrote to memory of 2800	1132	msedge.exe	92
PID 1132 wrote to memory of 1056	1132	msedge.exe	93
PID 1132 wrote to memory of 1056	1132	msedge.exe	93
PID 1132 wrote to memory of 1056	1132	msedge.exe	93
PID 1132 wrote to memory of 1056	1132	msedge.exe	93
PID 1132 wrote to memory of 1056	1132	msedge.exe	93
PID 1132 wrote to memory of 1056	1132	msedge.exe	93
PID 1132 wrote to memory of 1056	1132	msedge.exe	93
PID 1132 wrote to memory of 1056	1132	msedge.exe	93
PID 1132 wrote to memory of 1056	1132	msedge.exe	93
PID 1132 wrote to memory of 1056	1132	msedge.exe	93
PID 1132 wrote to memory of 1056	1132	msedge.exe	93
PID 1132 wrote to memory of 1056	1132	msedge.exe	93
PID 1132 wrote to memory of 1056	1132	msedge.exe	93
PID 1132 wrote to memory of 1056	1132	msedge.exe	93
PID 1132 wrote to memory of 1056	1132	msedge.exe	93
PID 1132 wrote to memory of 1056	1132	msedge.exe	93
PID 1132 wrote to memory of 1056	1132	msedge.exe	93
PID 1132 wrote to memory of 1056	1132	msedge.exe	93
PID 1132 wrote to memory of 1056	1132	msedge.exe	93
PID 1132 wrote to memory of 1056	1132	msedge.exe	93

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://indd.adobe.com/view/d7a4daa7-ca0d-4e56-bfd7-de9563471f5a
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbf77546f8,0x7ffbf7754708,0x7ffbf7754718
  2⤵
  PID:1412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,8364229683907370979,16514550745522144784,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,8364229683907370979,16514550745522144784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,8364229683907370979,16514550745522144784,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
  2⤵
  PID:1056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8364229683907370979,16514550745522144784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8364229683907370979,16514550745522144784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8364229683907370979,16514550745522144784,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8364229683907370979,16514550745522144784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,8364229683907370979,16514550745522144784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:8
  2⤵
  PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,8364229683907370979,16514550745522144784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8364229683907370979,16514550745522144784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8364229683907370979,16514550745522144784,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,8364229683907370979,16514550745522144784,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4572 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
efc9c7501d0a6db520763baad1e05ce8

SHA1
60b5e190124b54ff7234bb2e36071d9c8db8545f

SHA256
7af7b56e2f0a84ae008785726f3404eb9001baa4b5531d0d618c6bdcb05a3a7a

SHA512
bda611ddba56513a30295ea5ca8bc59e552154f860d13fed97201cdb81814dd6d1bca7deca6f8f58c9ae585d91e450f4383a365f80560f4b8e59a4c8b53c327d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
a07aee188cfcfab9d2ab11b4f34bbcd0

SHA1
6b435a4cc77dac7e9e0a641be8c6e7b49ee4f8b4

SHA256
a42a4c4221a30f36da689e61fca7605106c2f49091aadf5865f9efa397cc5782

SHA512
69c7465d732ef33062d9128648451a23a8d3fd991254b223ac386198546b35b53987f08501250ff29a9aece75d3cfc83a554bc3689601401428f1e5eb6c1075d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
569B

MD5
8e287de29ec974d001f1d16179430b08

SHA1
55848f992f367d16de1ae1a9256dcc0ad51ee587

SHA256
c6b55700bdc12e0393ad0bb3a3b3d044a2ee4ae7529f41fcf45dc137e7f5f994

SHA512
94f7143173fe14a0f1f4324432df74b774f1648c0c2e5eacc092ec0d036258944a576d751609472f49f0f6d1c30787c5fa28f72535c5a7ea4c3dd9c8d64406bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3e68b8a9a18c9df3fee4fb7665b3f477

SHA1
32e612fc7c05943a5e8722aa9cf7fe67b535f834

SHA256
c896b2892afa86e044620156815ec63262168ce71a39d6addd6056361643a36e

SHA512
941c8a39f8a37a710b5a0f1cf895c854f33960fecf7d8fa9b2cb57af907f593fd7f11a2cf876301a02eba616c74fb2df0dd5077e5176769253205afdc4bc7818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4f0ba6de3af8ac2f8350d42dbefa8fd4

SHA1
e011a99e4a985860d07cc75b172f078c92234d30

SHA256
2780a7070a96fe1ec1caf15c495a98bf60230291cfb93d6b8c0734e5b4e846cc

SHA512
f99587116cde24eded4252952d1a7b5eb4ebf50245559c130ccacf4a337afff440fcf536d3ea283bc9d3822af5cc7b6e8f5df1b2dcb9ef82b8c6fa423e626447

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
121510c1483c9de9fdb590c20526ec0a

SHA1
96443a812fe4d3c522cfdbc9c95155e11939f4e2

SHA256
cf5d26bc399d0200a32080741e12f77d784a3117e6d58e07106e913f257aa46c

SHA512
b367741da9ab4e9a621ad663762bd9c459676e0fb1412e60f7068834cbd5c83b050608e33d5320e1b191be1d809fef48831e0f42b3ecabd38b24ec222576fa81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ff4a2bf9b9f640b8d333a9500efda029

SHA1
96009215d3653f03ff8fea4f4b1da7d20d1af561

SHA256
4c37e930d58db2adf90e56e1f312bdda1e4c5ea0c3baa487551ca72ea938c960

SHA512
a55141340b9a3a729d9f00ee887b51143bda7bf0a9797531d3909e5fd102e7407128a36532cbb720f1abadf84d484c1bb035de32365286c19f46c3b87a88b05a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0799bb98d095431e84c945a66d739053

SHA1
5262ea093243f58229eb6e0b768a6d7e99d68a84

SHA256
67e9d8e3df871313058b111465c75b3aaab14e296a325e3bbf86664f5f568539

SHA512
c53abfabbc71cc1f676404cbf473c81dd9ddcdd591e63b902a427a2d06dbdf1fb6e5f232d66bf3a0143323db435d95a065d2489450a5bfe90010204016f876da

Download Submit