hxxp://purposemail[.]net/pm1/campaigns/rb5900btjt167/track-url/np482d2owh34e/354aab66bb62690277d4d47c7fd527bb3eaf090b

Analysis

max time kernel
103s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-03-2024 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://purposemail.net/pm1/campaigns/rb5900btjt167/track-url/np482d2owh34e/354aab66bb62690277d4d47c7fd527bb3eaf090b

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
732	msedge.exe
732	msedge.exe
4152	msedge.exe
4152	msedge.exe
2080	identity_helper.exe
2080	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4152 wrote to memory of 2972	4152	msedge.exe	87
PID 4152 wrote to memory of 2972	4152	msedge.exe	87
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 4984	4152	msedge.exe	88
PID 4152 wrote to memory of 732	4152	msedge.exe	89
PID 4152 wrote to memory of 732	4152	msedge.exe	89
PID 4152 wrote to memory of 3224	4152	msedge.exe	90
PID 4152 wrote to memory of 3224	4152	msedge.exe	90
PID 4152 wrote to memory of 3224	4152	msedge.exe	90
PID 4152 wrote to memory of 3224	4152	msedge.exe	90
PID 4152 wrote to memory of 3224	4152	msedge.exe	90
PID 4152 wrote to memory of 3224	4152	msedge.exe	90
PID 4152 wrote to memory of 3224	4152	msedge.exe	90
PID 4152 wrote to memory of 3224	4152	msedge.exe	90
PID 4152 wrote to memory of 3224	4152	msedge.exe	90
PID 4152 wrote to memory of 3224	4152	msedge.exe	90
PID 4152 wrote to memory of 3224	4152	msedge.exe	90
PID 4152 wrote to memory of 3224	4152	msedge.exe	90
PID 4152 wrote to memory of 3224	4152	msedge.exe	90
PID 4152 wrote to memory of 3224	4152	msedge.exe	90
PID 4152 wrote to memory of 3224	4152	msedge.exe	90
PID 4152 wrote to memory of 3224	4152	msedge.exe	90
PID 4152 wrote to memory of 3224	4152	msedge.exe	90
PID 4152 wrote to memory of 3224	4152	msedge.exe	90
PID 4152 wrote to memory of 3224	4152	msedge.exe	90
PID 4152 wrote to memory of 3224	4152	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://purposemail.net/pm1/campaigns/rb5900btjt167/track-url/np482d2owh34e/354aab66bb62690277d4d47c7fd527bb3eaf090b
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0xd8,0x7ffc3b9246f8,0x7ffc3b924708,0x7ffc3b924718
  2⤵
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,9923845542681683842,15574112366589751787,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,9923845542681683842,15574112366589751787,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,9923845542681683842,15574112366589751787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9923845542681683842,15574112366589751787,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2128 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9923845542681683842,15574112366589751787,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9923845542681683842,15574112366589751787,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
  2⤵
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9923845542681683842,15574112366589751787,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,9923845542681683842,15574112366589751787,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
  2⤵
  PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,9923845542681683842,15574112366589751787,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9923845542681683842,15574112366589751787,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
  2⤵
  PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9923845542681683842,15574112366589751787,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9923845542681683842,15574112366589751787,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9923845542681683842,15574112366589751787,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:3884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1540

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cbec32729772aa6c576e97df4fef48f5

SHA1
6ec173d5313f27ba1e46ad66c7bbe7c0a9767dba

SHA256
d34331aa91a21e127bbe68f55c4c1898c429d9d43545c3253d317ffb105aa24e

SHA512
425b3638fed70da3bc16bba8b9878de528aca98669203f39473b931f487a614d3f66073b8c3d9bc2211e152b4bbdeceb2777001467954eec491f862912f3c7a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
279e783b0129b64a8529800a88fbf1ee

SHA1
204c62ec8cef8467e5729cad52adae293178744f

SHA256
3619c3b82a8cbdce37bfd88b66d4fdfcd728a1112b05eb26998bea527d187932

SHA512
32730d9124dd28c196bd4abcfd6a283a04553f3f6b050c057264bc883783d30d6602781137762e66e1f90847724d0e994bddf6e729de11a809f263f139023d3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
457474a21df04eba755d282c6542d484

SHA1
1c643dc2333238f32759cb4b4389b01730d6dd70

SHA256
3d1a661f704434a499c15f857fdbee63a4ff59f25914cc1c19fb1f337c740f69

SHA512
9f16fd884f50e8b5d5fbacbd801a1cd64f9430ac639aee80047b11cc986ae4b9dfce4cd4c733a90209c37f69fd04367b247f83f50a9cee58b25a2ed84d7f5ba4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
c0557f5d45aa016f3ab6e89642cbcddb

SHA1
9aad9983f8eb08a0a63de80442372c4a57548c72

SHA256
f8cef43da4e1186d9dda87f66d839b869bdef3542af31ff958a0d63cb9bdb8d6

SHA512
f23d2a511ccec86d4888442bee485c8d5e7436c57873f6d0a5cd104aa38e40e0a09ccdfcfb23aca5124c7dbdcdbcaaff77b36357670677b6e0c7860bd9a95de3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
e224c5b042c8ff72574949a6aecf3490

SHA1
931b640fd97c9905b00088713350d62f1e081730

SHA256
39a71f5508d25680d9100d300c1b790115dea3fa3ee17ea69c924b4bc5deeecd

SHA512
ff17c74b559a3dd345d30369801a0129ba47df2da0c317f6ef7dfc1c81c32a0eb550ee9e2530f83d2e542c5bf262d2bcaff2efb632b22b82cddf2087c7a66420

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ee55800948d71f588612a389a1edba63

SHA1
be3394ecf26595121019dac89dc3bd897d9f6217

SHA256
604765a48128a495f899721211f753430ddff813108f25ac9560a35a24c08b75

SHA512
b7e962e84a78d6a2016e7789ce156b35ca6841c40679308d6e9ffaeea679aa0d03121e504258d790512d17432def8c3c4828f1a248afe76b353f5a0d9e788e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1cbbfdc4b50a97149bb282f89c71ecf8

SHA1
669235334eaae909568074e95d67ca3a8d1f2164

SHA256
c4928ba311479bd17e7843e0b253d5fda24757193ead1a569818f8efca9574bc

SHA512
993b52ad315e327e0370c78a71c6862d4cd513773aa4ee62dfc19809d1bd520198d0943f97052caaf38bb10802014c41495f32876ee39ca409a187199b1855b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
02b2d4f69b5f02439ec4059172dcb6e3

SHA1
86c60722a65dc6e17ee471bef4464b7d37e8ee77

SHA256
8a5586238bfea459f880586aabc72bda3273990bed9b8a4634ae8f6549986430

SHA512
79860100a65cffd5906b74b50d357b9e08c867d316d9e7205cdcf296fe885f9a7c3bb2e3a4947744ac55841cc70aeb341a69811ffffc0050f5ffea2b9e0c133c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
85917238006af09e8684c1acc3087f77

SHA1
6fac4bc16b4a26b90b37ab10009c1e2e93eba321

SHA256
37719978795da0b970385f3baf24dfd60bf875c45b9c9c05998a6731f2cb29d7

SHA512
ba05566e566385172629ea7c96e823bfa3221882a0f515b38770b850011853cedd5dbbb53592ed4ec55facbf87c425b920120966b371dc577a8dbe807cae1217

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
43ccf8e2c3a6f8688601aa5242c4a5eb

SHA1
d7822744a075957afd35adf61f887d737572c6dc

SHA256
55e0eff04f82b1046b6d9cbf70a73846cf19c9a0ae8e8927210bb66d7d85b314

SHA512
259e09dfe3dc7c636f933d1bac61c230a470a1258359bcd38a6ec33be87c6bcadbcb5bdcf2a42515dc3d6cf04c0520a532a5a70aa4930ebce5120ac0e15b60ba

Download Submit