hxxps://learning[.]fmtcsafety[.]com/devotious/servlet/ekp/login?target=%2Fdevotious%2Fservlet%2Fekp%2FpageLayout

Analysis

max time kernel
51s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21/02/2024, 16:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://learning.fmtcsafety.com/devotious/servlet/ekp/login?target=%2Fdevotious%2Fservlet%2Fekp%2FpageLayout

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
388	msedge.exe
388	msedge.exe
2952	msedge.exe
2952	msedge.exe
944	identity_helper.exe
944	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2012	2952	msedge.exe	37
PID 2952 wrote to memory of 2012	2952	msedge.exe	37
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 3352	2952	msedge.exe	85
PID 2952 wrote to memory of 388	2952	msedge.exe	84
PID 2952 wrote to memory of 388	2952	msedge.exe	84
PID 2952 wrote to memory of 3368	2952	msedge.exe	86
PID 2952 wrote to memory of 3368	2952	msedge.exe	86
PID 2952 wrote to memory of 3368	2952	msedge.exe	86
PID 2952 wrote to memory of 3368	2952	msedge.exe	86
PID 2952 wrote to memory of 3368	2952	msedge.exe	86
PID 2952 wrote to memory of 3368	2952	msedge.exe	86
PID 2952 wrote to memory of 3368	2952	msedge.exe	86
PID 2952 wrote to memory of 3368	2952	msedge.exe	86
PID 2952 wrote to memory of 3368	2952	msedge.exe	86
PID 2952 wrote to memory of 3368	2952	msedge.exe	86
PID 2952 wrote to memory of 3368	2952	msedge.exe	86
PID 2952 wrote to memory of 3368	2952	msedge.exe	86
PID 2952 wrote to memory of 3368	2952	msedge.exe	86
PID 2952 wrote to memory of 3368	2952	msedge.exe	86
PID 2952 wrote to memory of 3368	2952	msedge.exe	86
PID 2952 wrote to memory of 3368	2952	msedge.exe	86
PID 2952 wrote to memory of 3368	2952	msedge.exe	86
PID 2952 wrote to memory of 3368	2952	msedge.exe	86
PID 2952 wrote to memory of 3368	2952	msedge.exe	86
PID 2952 wrote to memory of 3368	2952	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://learning.fmtcsafety.com/devotious/servlet/ekp/login?target=%2Fdevotious%2Fservlet%2Fekp%2FpageLayout
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed42546f8,0x7ffed4254708,0x7ffed4254718
  2⤵
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,16785562673845837875,9541287437515865706,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,16785562673845837875,9541287437515865706,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,16785562673845837875,9541287437515865706,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
  2⤵
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16785562673845837875,9541287437515865706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:2528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16785562673845837875,9541287437515865706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,16785562673845837875,9541287437515865706,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,16785562673845837875,9541287437515865706,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16785562673845837875,9541287437515865706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16785562673845837875,9541287437515865706,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1
  2⤵
  PID:408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16785562673845837875,9541287437515865706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16785562673845837875,9541287437515865706,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:4256

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1372

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
58670ac03d80eb4bd1cec7ac5672d2e8

SHA1
276295d2f9e58fb0b8ef03bd9567227fb94e03f7

SHA256
76e1645d9c4f363b34e554822cfe0d53ff1fce5e994acdf1edeff13ae8df30f8

SHA512
99fe23263de36ec0c8b6b3b0205df264250392cc9c0dd8fa28cf954ff39f9541f722f96a84fbc0b4e42cfd042f064525a6be4b220c0180109f8b1d51bbdef8ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3782686f747f4a85739b170a3898b645

SHA1
81ae1c4fd3d1fddb50b3773e66439367788c219c

SHA256
67ee813be3c6598a8ea02cd5bb5453fc0aa114606e3fc7ad216f205fe46dfc13

SHA512
54eb860107637a611150ff18ac57856257bf650f70dce822de234aee644423080b570632208d38e45e2f0d2bf60ca2684d3c3480f9637ea4ad81f2bcfb9f24d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1d25f2d6-dcb5-44b2-890c-30d6fdd7bc75.tmp

Filesize
6KB

MD5
adb8aeed1204bdc5ba59bf41f0c9241b

SHA1
b3d9c3ab6b1687a202d56a2a3469b2b489add8ba

SHA256
041571a4fdb80b8ea46b499d488270682430600ed1324b3baee89593594e3182

SHA512
b3483d88806e54deedc1d298d722e78ef09ae235d96473f6d4ffd6528801e56b884625286fb6833fa3544b563217537c12c57783856e67b03ee67b4465d22fe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
d28d08d8ffb185f38aedf7c92e5a79c8

SHA1
6fd09822b425cfe071d8cc4121e5f73b1ee14708

SHA256
c9d8157b53132ff4ea5ed34b2aa5fd9ea2e5cc7f65ce695ca2c49db98b4a03ed

SHA512
c3f0755052463eaeecbff6f8fe43e5647bec943936d3b44e48e1679c381770c386a4972578fb8e7c1a0cab413388b8b390c6ae4b9cddb0a772b1c81a00cd9acf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
615ef8ae57391265b0fd07e3a7396a2d

SHA1
eb3430eb1d634ae6bc9ccc75c11824d982a4f8ba

SHA256
038f7721f54b87a4e40459d0f04816260a509bb4e05e4a859c759f396979d535

SHA512
f3e1183e9df097e4eecdb52aada5c459fb2b96348ea18ec837356e66e08f012563abbe79e468f8f82d70e3da86a26c66b8099ff02583d3fddab2256d36d181bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0cecb7d9ec77a53e581341d570d2c4ac

SHA1
f3d58a1403f0ca25b8f59195aeeebf7aae987cf5

SHA256
faca64ce7bc7dc380496b8b7cb16974963856e8215da27d25799e648ca37cab7

SHA512
c3752e65d7be5da8073e43c348d5665475274a07b2657962ced8b1618a9dbb7f108990e6a52d877d86c31250fdbb5505bd202dab4388364f1b75591878dd6212

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
372B

MD5
4e6fb13201fbed6889cceec5f6d654a8

SHA1
51888344dcf7ad1fc135bdb3475887c885855b91

SHA256
9ea92821ece9624c4afbda70b4620ddef31116de6b94c6790fdaeda73a1a9ce4

SHA512
18e73f95b444d253813c768e0166e6975258c48e3874975616f6c908ac9e1fe12ae1071fb663a33e36e08c3ed3a42e32298f2580615ab2c93f3f2606198caef2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b508.TMP

Filesize
372B

MD5
e60e1afbc91f87e57489818c8e661267

SHA1
59fe5e3d38960818916bf0f58355a37f619b4d2d

SHA256
7f1d775c5464cd5c443b5166fc8d7c78930c9cfde0e4c9afcebc8d0111e8ca1f

SHA512
74ff72e3e6b1fc4332d01987e4e4c9f751965c79a5aa5948c818fc8fc6d97e267fc94af8d2a35c8239b65794d1236f2889cb7b7bb2ad7641fc9760175ddd1567

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
43724052cedc34ce8fe8d5516ba2317a

SHA1
0a8a0ce3569c64a10909ba8bfe4be7906b987d9a

SHA256
035caf0b57840dbf03e6046e4c263fa0f15054eb8e130582567e73d200b83527

SHA512
d16916b78f969c9935b96c75a6476e1347bcbddcf47722d4ff01880bbd7a48ab2bae6c537fb81fb8797b189000320c57d2c2756a96cb54dd589eec12cc3bc7c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit