hxxps://urlshortener-emea[.]teams[.]microsoft[.]com/8DC1DF6E659D7FA-2-14

Analysis

max time kernel
19s
max time network
22s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2024 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://urlshortener-emea.teams.microsoft.com/8DC1DF6E659D7FA-2-14

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
212	msedge.exe
212	msedge.exe
4956	msedge.exe
4956	msedge.exe
4388	identity_helper.exe
4388	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 3808	4956	msedge.exe	74
PID 4956 wrote to memory of 3808	4956	msedge.exe	74
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 1244	4956	msedge.exe	87
PID 4956 wrote to memory of 212	4956	msedge.exe	89
PID 4956 wrote to memory of 212	4956	msedge.exe	89
PID 4956 wrote to memory of 1336	4956	msedge.exe	88
PID 4956 wrote to memory of 1336	4956	msedge.exe	88
PID 4956 wrote to memory of 1336	4956	msedge.exe	88
PID 4956 wrote to memory of 1336	4956	msedge.exe	88
PID 4956 wrote to memory of 1336	4956	msedge.exe	88
PID 4956 wrote to memory of 1336	4956	msedge.exe	88
PID 4956 wrote to memory of 1336	4956	msedge.exe	88
PID 4956 wrote to memory of 1336	4956	msedge.exe	88
PID 4956 wrote to memory of 1336	4956	msedge.exe	88
PID 4956 wrote to memory of 1336	4956	msedge.exe	88
PID 4956 wrote to memory of 1336	4956	msedge.exe	88
PID 4956 wrote to memory of 1336	4956	msedge.exe	88
PID 4956 wrote to memory of 1336	4956	msedge.exe	88
PID 4956 wrote to memory of 1336	4956	msedge.exe	88
PID 4956 wrote to memory of 1336	4956	msedge.exe	88
PID 4956 wrote to memory of 1336	4956	msedge.exe	88
PID 4956 wrote to memory of 1336	4956	msedge.exe	88
PID 4956 wrote to memory of 1336	4956	msedge.exe	88
PID 4956 wrote to memory of 1336	4956	msedge.exe	88
PID 4956 wrote to memory of 1336	4956	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://urlshortener-emea.teams.microsoft.com/8DC1DF6E659D7FA-2-14
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff80a4846f8,0x7ff80a484708,0x7ff80a484718
  2⤵
  PID:3808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,2417170661262700066,1723124118563322063,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:1244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,2417170661262700066,1723124118563322063,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
  2⤵
  PID:1336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,2417170661262700066,1723124118563322063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2417170661262700066,1723124118563322063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2417170661262700066,1723124118563322063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2417170661262700066,1723124118563322063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,2417170661262700066,1723124118563322063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,2417170661262700066,1723124118563322063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2417170661262700066,1723124118563322063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:2572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2417170661262700066,1723124118563322063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2417170661262700066,1723124118563322063,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2417170661262700066,1723124118563322063,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:60
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2417170661262700066,1723124118563322063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:2396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e71d66ce903fcba6050e4b99b624fa7

SHA1
139d274762405b422eab698da8cc85f405922de5

SHA256
53b34e24e3fbb6a7f473192fc4dec2ae668974494f5636f0359b6ca27d7c65e3

SHA512
17e2f1400000dd6c54c8dc067b31bcb0a3111e44a9d2c5c779f484a51ada92d88f5b6e6847270faae8ff881117b7ceaaf8dfe9df427cbb8d9449ceacd0480388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
1e445bf40f1acbc1bfdd288d39a1ce59

SHA1
de3a88640c99c6f802305a9c9a8be759dc1ecd03

SHA256
dfcf1d1656ce8dc26576719d45410c9d00a088003c9bdcddc88ac788eb073041

SHA512
190932c2fed84d6b33c3270b6bb771ad3326be4544c17d6f4cd0307df42a9b81ce6c5dd151d7e3f958588b6ef913e5866fd0bc4bfca31695c1dba4eea2132723

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
617B

MD5
dd0840b3294717525806517dfdf4e25b

SHA1
15a0eb5cb4b5fc901d034b08771a3d3cbe602cdd

SHA256
3c96cb1778eee0970270bf28e21f77362558c9ad73093e90c522afd06630238d

SHA512
14123497857ec2ed057f7a3467967ff9e392e1c95e439bb44c077fcd15b31ade37bdb6304277266aac94951e71a61a4f11cda1cffa326ac76e44ce7a9aa8485b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
83049aa90aa72bd30ba3efd8299c678a

SHA1
1a79a8c5ebddb5bb2dde1c914bb4726d3b497fb9

SHA256
10e440233811440ea386132b3a12ba6b36825ae4170da9a2b57d30b36d81042b

SHA512
e308a3a9de5c4dbef62a0c058c3a6edb8b965e49b11e7dced7d61526e9122ae09a9c46af10d62e053903ea037adefa03e331e6e0a3ff4b614670c1066682f4eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f69143b6b84abf94036840871819c0d1

SHA1
351f232f12a5de122e802aca5a8c8953e8e59122

SHA256
911b101ac70dadc30d0e5d99a66272d472574e05e2215dcdba73d2dba8494e07

SHA512
fec7876a8583775fda56e4f26cb35967d5e86ec6fa4fc663e64ecd3558771d8ab61464cd84844347b7ca29d72a7b97657c7c37258fd1712ea32924ab0a2b6b92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
720b5e93a13518df878b23081cbe1a22

SHA1
5dc52d056c7146860845a95b22529c3493a3ee3b

SHA256
3964c674c37382c160dcfe849c9f423d4d62369856680eba2d16b7190e81758d

SHA512
8811e59eb8b93408ee11d83a194121c6742de3221bb80cce8476d195e9d48cd81339c72f028ba55c7f7e75b964c40829e15f6d5c268af6492127e0e0f4a6d26e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
1b1b142e24215f033793d1311e24f6e6

SHA1
74e23cffbf03f3f0c430e6f4481e740c55a48587

SHA256
3dca3ec65d1f4109c6b66a1a47b2477afaf8d15306a523f297283da0eccbe8b1

SHA512
a569385710e3a0dc0d6366476c457927a847a2b2298c839e423c485f7dcce2468a58d20133f6dc81913056fb579957e67f63cf1e20b910d61816210447cd1f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
870B

MD5
c6a33b2acc95506f4e29bb6e5606e081

SHA1
a40cb0189b73e357a0f023ca813096f6091203c5

SHA256
05f6045ea230980626d47c25df7118170f37642c3b8ff8f7d608569f75900e73

SHA512
cd3fcf0fcbd611f957dc1bcd39a5b075f5dce8c01de25d63ffe7ebc8d977326a411952950eacd1fbb0963212c70e52e5811f26fafcd189cfe79b237f1c587adf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5790b7.TMP

Filesize
704B

MD5
897d323cd78f595f4782c04adf393dd5

SHA1
5a08d1d8714c3c97884af669c65af27b8d7792fb

SHA256
f8854d11af4242bbf46fbb836ec86fd78688d0b4d9e093f7ee5b1d1e2747e713

SHA512
893582c6ad5ed4ca01543b807e682d74498a1b0b8602f39055e764ac1a3a79444832ea4811389d32d959dd524c8ddfb455de0aaddc8037ebc1fe84c4c5f2bd85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5e06a089448e632ebe7a8e9dd1a3428d

SHA1
761d09996c65724813c467d3277cf535d73b37ac

SHA256
7db0abe1f83d0f7825c513c5ebbfe6ad23aee753943b1bdad05eee2b7819bdaf

SHA512
a4c016c446ec3e6d124a35030318b2fcf74cea442d60c10af1dbcb990ed8b455fe82dd4305261eb76fb8a63cf8eaf59e2db4b2d85f5ce1c188ceb626055fd7c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1081ca1fb87920e210405aba5a7b7db6

SHA1
c7e9aa8a025f11a6a454ded54c086de163cf20e2

SHA256
c1e30ff2c27d16c61fa650ed8bc3ca3ad3cb1569dbfd8421ef5fd3d8f9641970

SHA512
dd754e884acb9f2b6ebd1abf7980780283a0741fa8e6ff3a4497604f997fd3f3d7de1a6f1c414ec306d8996be7e9f61b4a71156d7b000d3132f3c573340db841

Download Submit