hxxps://click[.]mail[.]energystar[.]gov/?qs=ef14a7308abf534b7c107ed78d9158aad88e7fa289e55acea51c035e38e741d3f868951b26b31566d231582d15f8fc4233a420b4fab2b5af2aea9fc697098b4a

Analysis

max time kernel
136s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2024, 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://click.mail.energystar.gov/?qs=ef14a7308abf534b7c107ed78d9158aad88e7fa289e55acea51c035e38e741d3f868951b26b31566d231582d15f8fc4233a420b4fab2b5af2aea9fc697098b4a

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3460	msedge.exe
3460	msedge.exe
2980	msedge.exe
2980	msedge.exe
4324	identity_helper.exe
4324	identity_helper.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 4072	2980	msedge.exe	84
PID 2980 wrote to memory of 4072	2980	msedge.exe	84
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 4088	2980	msedge.exe	85
PID 2980 wrote to memory of 3460	2980	msedge.exe	86
PID 2980 wrote to memory of 3460	2980	msedge.exe	86
PID 2980 wrote to memory of 2204	2980	msedge.exe	87
PID 2980 wrote to memory of 2204	2980	msedge.exe	87
PID 2980 wrote to memory of 2204	2980	msedge.exe	87
PID 2980 wrote to memory of 2204	2980	msedge.exe	87
PID 2980 wrote to memory of 2204	2980	msedge.exe	87
PID 2980 wrote to memory of 2204	2980	msedge.exe	87
PID 2980 wrote to memory of 2204	2980	msedge.exe	87
PID 2980 wrote to memory of 2204	2980	msedge.exe	87
PID 2980 wrote to memory of 2204	2980	msedge.exe	87
PID 2980 wrote to memory of 2204	2980	msedge.exe	87
PID 2980 wrote to memory of 2204	2980	msedge.exe	87
PID 2980 wrote to memory of 2204	2980	msedge.exe	87
PID 2980 wrote to memory of 2204	2980	msedge.exe	87
PID 2980 wrote to memory of 2204	2980	msedge.exe	87
PID 2980 wrote to memory of 2204	2980	msedge.exe	87
PID 2980 wrote to memory of 2204	2980	msedge.exe	87
PID 2980 wrote to memory of 2204	2980	msedge.exe	87
PID 2980 wrote to memory of 2204	2980	msedge.exe	87
PID 2980 wrote to memory of 2204	2980	msedge.exe	87
PID 2980 wrote to memory of 2204	2980	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://click.mail.energystar.gov/?qs=ef14a7308abf534b7c107ed78d9158aad88e7fa289e55acea51c035e38e741d3f868951b26b31566d231582d15f8fc4233a420b4fab2b5af2aea9fc697098b4a
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeb9c046f8,0x7ffeb9c04708,0x7ffeb9c04718
  2⤵
  PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,4842987249625001229,3710833179137185772,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,4842987249625001229,3710833179137185772,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2652 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,4842987249625001229,3710833179137185772,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:2204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4842987249625001229,3710833179137185772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
  2⤵
  PID:1260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4842987249625001229,3710833179137185772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3672 /prefetch:1
  2⤵
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4842987249625001229,3710833179137185772,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4842987249625001229,3710833179137185772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,4842987249625001229,3710833179137185772,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3772 /prefetch:8
  2⤵
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,4842987249625001229,3710833179137185772,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3772 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4842987249625001229,3710833179137185772,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4842987249625001229,3710833179137185772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1
  2⤵
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,4842987249625001229,3710833179137185772,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4312 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4842987249625001229,3710833179137185772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:4280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fa070c9c9ab8d902ee4f3342d217275f

SHA1
ac69818312a7eba53586295c5b04eefeb5c73903

SHA256
245b396ed1accfae337f770d3757c932bc30a8fc8dd133b5cefe82242760c2c7

SHA512
df92ca6d405d603ef5f07dbf9516d9e11e1fdc13610bb59e6d4712e55dd661f756c8515fc2c359c1db6b8b126e7f5a15886e643d93c012ef34a11041e02cc0dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
648B

MD5
095d5990a2bc918b6e34147fa8c03241

SHA1
ad4744c21b15e685448584ce1d7d1c03e215de40

SHA256
f7c134461dd400d10f6da57ef9aedff30d2f7e39552b67a77d3ee00c4d31603a

SHA512
917a5c572085308961cdb7479726f9f26c2e99761c803618db8dce38989251d299387b1faea485ec11b39b85ea6ebf29a2d5d572992ea2af1893d6763f28a65a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
5dff4baa8b2d8de450da9f580f817b5b

SHA1
363b4ece0b73f454ba756ab298c01357289feb20

SHA256
5fc2cc90090e4c81e679b77d43a1f7577dd65aed42b281465a71bc92059e11d9

SHA512
ca108534f3282f0a0670e3764ba96129bf45d50cf158ecefafc5f4df781234cdfa1ff111579373ec6619a7373d42fcdf734aef676cbfc1c5e1ef0eb98485a91c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f88c0365ec60cc50cc0337293cc9d0b9

SHA1
21755a07bf500b946e643e2c90bb357250ff6fff

SHA256
f1fa8b817b815f5cf963f3d246a172d8b2fa95ad5a019be2a44cebc8ffd8c0cd

SHA512
8b0648091778e9eefe8c755a2e57cb7b6fe9c7175c0352f7cb6749f3550adf49e97bc21a1daac64974f853a0e3a47dfca65495829d00bbe4df39bd82ee4abafb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
46390b0a920cd8f410cef1b4a94e9f5c

SHA1
1daf65ff101e46830fba28b97db248a642cc36fc

SHA256
3b473374461895449bb520e36dfe7f2c8c02e813dfa27debb006cc3e36762c21

SHA512
1433aeaee0ff29de93f20a6b5b8f744ae79c1911b104547bf017cf6bd7496686ff3d2f9a04862e50f731c421bc62c95d18d409194433edec43328ea22609ab8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
917dedf44ae3675e549e7b7ffc2c8ccd

SHA1
b7604eb16f0366e698943afbcf0c070d197271c0

SHA256
9692162e8a88be0977395cc0704fe882b9a39b78bdfc9d579a8c961e15347a37

SHA512
9628f7857eb88f8dceac00ffdcba2ed822fb9ebdada95e54224a0afc50bccd3e3d20c5abadbd20f61eba51dbf71c5c745b29309122d88b5cc6752a1dfc3be053

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
47ed65ef3a12fe17294d77613c3c68a0

SHA1
cad4475963db4b2f8946f50a0b17ed68a79ef420

SHA256
7254616aa881fb850d4014bb6e8cfd40f63bfea07da606cc92b3de6084c46bbe

SHA512
38d739234ae25ceda180166b61dcb9f34c29f3d74c5ea5f7bc331d72eb9a3bcd149760a5badf7c0afa711bb82374a5816c82278903a7b3abb8e442c920fe8215

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b9302877bbd435779491e9068ee05e3f

SHA1
4536144b3524c33dabcbaf510a14ebf73d168831

SHA256
46984b7ed93a250d67013e875abf4f67801ce54cd014e8fbeeaad21802fe94f7

SHA512
eb76bcf3cba4220b57c8e9b79edc1636775b92d35bed006d6213fbad0bbbc6a61bc9af815465b31e3d2b1125d757678746e623e0cdbb0289535d882ca9322c63

Download Submit