hxxps://mailchi[.]mp/0ce3ffc6f37b/waarom-een-schoon-huis-je-super-gelukkig-maakt-17618140?e=50f46fb277

Analysis

max time kernel
146s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
24-01-2024 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mailchi.mp/0ce3ffc6f37b/waarom-een-schoon-huis-je-super-gelukkig-maakt-17618140?e=50f46fb277

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3344	msedge.exe
3344	msedge.exe
2140	msedge.exe
2140	msedge.exe
2552	msedge.exe
2552	msedge.exe
3560	identity_helper.exe
3560	identity_helper.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 3296	2140	msedge.exe	79
PID 2140 wrote to memory of 3296	2140	msedge.exe	79
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3388	2140	msedge.exe	82
PID 2140 wrote to memory of 3344	2140	msedge.exe	81
PID 2140 wrote to memory of 3344	2140	msedge.exe	81
PID 2140 wrote to memory of 5552	2140	msedge.exe	83
PID 2140 wrote to memory of 5552	2140	msedge.exe	83
PID 2140 wrote to memory of 5552	2140	msedge.exe	83
PID 2140 wrote to memory of 5552	2140	msedge.exe	83
PID 2140 wrote to memory of 5552	2140	msedge.exe	83
PID 2140 wrote to memory of 5552	2140	msedge.exe	83
PID 2140 wrote to memory of 5552	2140	msedge.exe	83
PID 2140 wrote to memory of 5552	2140	msedge.exe	83
PID 2140 wrote to memory of 5552	2140	msedge.exe	83
PID 2140 wrote to memory of 5552	2140	msedge.exe	83
PID 2140 wrote to memory of 5552	2140	msedge.exe	83
PID 2140 wrote to memory of 5552	2140	msedge.exe	83
PID 2140 wrote to memory of 5552	2140	msedge.exe	83
PID 2140 wrote to memory of 5552	2140	msedge.exe	83
PID 2140 wrote to memory of 5552	2140	msedge.exe	83
PID 2140 wrote to memory of 5552	2140	msedge.exe	83
PID 2140 wrote to memory of 5552	2140	msedge.exe	83
PID 2140 wrote to memory of 5552	2140	msedge.exe	83
PID 2140 wrote to memory of 5552	2140	msedge.exe	83
PID 2140 wrote to memory of 5552	2140	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mailchi.mp/0ce3ffc6f37b/waarom-een-schoon-huis-je-super-gelukkig-maakt-17618140?e=50f46fb277
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffd872f3cb8,0x7ffd872f3cc8,0x7ffd872f3cd8
  2⤵
  PID:3296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1712,10775773746389402045,12576607315831708029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1712,10775773746389402045,12576607315831708029,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1868 /prefetch:2
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1712,10775773746389402045,12576607315831708029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
  2⤵
  PID:5552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,10775773746389402045,12576607315831708029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,10775773746389402045,12576607315831708029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:5892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,10775773746389402045,12576607315831708029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,10775773746389402045,12576607315831708029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:6068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,10775773746389402045,12576607315831708029,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:5380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,10775773746389402045,12576607315831708029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:5844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,10775773746389402045,12576607315831708029,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1712,10775773746389402045,12576607315831708029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4444 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2552
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1712,10775773746389402045,12576607315831708029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1712,10775773746389402045,12576607315831708029,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5616 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1276

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fba38883c4ea1c000dbd9c38d017e733

SHA1
85e0906708a55073287ddfa21f757162b21c3573

SHA256
9e233584c57cb57ff648be1beaa1fff2112600fd78a0be082476c9ec5cfc5972

SHA512
a832dbfc9ed009c686cbe003fe04a67898c37f6cd3e0c19ff8a6d4af7649a8c7e36eeb2e2e4c4206752da80fbde7c26c7241a472d4098b1edc5ab4057d54f1a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
181B

MD5
e060375dd1cb8897aa3b4073a5827e58

SHA1
8f31665f61b52b57a00d95ed246480e7d8849029

SHA256
f4efa4912824a5a2355ed2bb701ccf006e4744c0995a2720369d0c3cf830e0a4

SHA512
51e55788a817a708f8db79e38dd46408f3c4da29b977f6667643fe0c91884b16a33ea253688a999886669fad010765ffb93c7ad1e237b7d6348eaf94a8933766

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
69240fe89e41ce029120858a983889cc

SHA1
241c8067f0368838ac3fa16e15d235e599e42fa6

SHA256
ba70a03ca2a87222949b20c7a52257bc424a8b3ec06c6caf4dcf98fe926dbbc5

SHA512
1287c9c47c464503ed24c627fd6e84e6c5611d60e75a67d8a5e1e00030bedb6c97c0c106bfb9e34f0faed7c488c113698c9b000cf54fb5039780bf66c289cf1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a63d9f6a3dff20698f84fb33860d1762

SHA1
533390804d62f48e6510ff7e33171c43fc4dc82f

SHA256
c790c036f058ac89fcac4e4907065eef9196f706ccc0249a3a61cdbbb08e3298

SHA512
0da4d190fb969d514e1af7816bbc367dc374205306b7fc03be900d30b782f678072a19bd58c5c9c4d641b600eefb8ed60be6d1e3665eead27c23432a4aee5112

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
de8827d93011d8af360f82cc1f8ce73e

SHA1
87774343c086d15d6da295268cbca6fed80b621f

SHA256
511050e65ef86e0692adf41262e7be695993b28b629ba66f3e174e27d78ba6c5

SHA512
fa0527111401d82e4e05a16d1908ff9e149d396ff088d970855755ca5a8589476b19a96746c445284b803f3589f1544a02b4d67e31bb56c596a3b79f49d7948f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
40d71463736cefcf835498d73695b620

SHA1
c031c730eb82b7924b90ded0e52a680929b574f7

SHA256
7d797b25337ed8f074e581c27e396b5f90bb407c01ca804f24800d261df021bc

SHA512
36fff96dd5cd466c36f3631bdda918f82e037de8802e0fb8cb79374eb0c6fc901b86d6352aecb5d54dc0322d6ace6609cdfebcba7f93ad0af991e02b63d47bbc

Download Submit