hxxps://t[.]yesware[.]com/tt/30e658b717b16cf6fb44d092466a8a43b50b6a78/24ce2ac9d1816ee7c06a20c85553492b/0e230038b341338bda259beefd648a30/ecornell[.]cornell[.]edu/portal/us-fed/

Analysis

max time kernel
140s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 06:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://t.yesware.com/tt/30e658b717b16cf6fb44d092466a8a43b50b6a78/24ce2ac9d1816ee7c06a20c85553492b/0e230038b341338bda259beefd648a30/ecornell.cornell.edu/portal/us-fed/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4772	msedge.exe
4772	msedge.exe
4964	msedge.exe
4964	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 1524	4964	msedge.exe	89
PID 4964 wrote to memory of 1524	4964	msedge.exe	89
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4008	4964	msedge.exe	90
PID 4964 wrote to memory of 4772	4964	msedge.exe	91
PID 4964 wrote to memory of 4772	4964	msedge.exe	91
PID 4964 wrote to memory of 3664	4964	msedge.exe	92
PID 4964 wrote to memory of 3664	4964	msedge.exe	92
PID 4964 wrote to memory of 3664	4964	msedge.exe	92
PID 4964 wrote to memory of 3664	4964	msedge.exe	92
PID 4964 wrote to memory of 3664	4964	msedge.exe	92
PID 4964 wrote to memory of 3664	4964	msedge.exe	92
PID 4964 wrote to memory of 3664	4964	msedge.exe	92
PID 4964 wrote to memory of 3664	4964	msedge.exe	92
PID 4964 wrote to memory of 3664	4964	msedge.exe	92
PID 4964 wrote to memory of 3664	4964	msedge.exe	92
PID 4964 wrote to memory of 3664	4964	msedge.exe	92
PID 4964 wrote to memory of 3664	4964	msedge.exe	92
PID 4964 wrote to memory of 3664	4964	msedge.exe	92
PID 4964 wrote to memory of 3664	4964	msedge.exe	92
PID 4964 wrote to memory of 3664	4964	msedge.exe	92
PID 4964 wrote to memory of 3664	4964	msedge.exe	92
PID 4964 wrote to memory of 3664	4964	msedge.exe	92
PID 4964 wrote to memory of 3664	4964	msedge.exe	92
PID 4964 wrote to memory of 3664	4964	msedge.exe	92
PID 4964 wrote to memory of 3664	4964	msedge.exe	92

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.yesware.com/tt/30e658b717b16cf6fb44d092466a8a43b50b6a78/24ce2ac9d1816ee7c06a20c85553492b/0e230038b341338bda259beefd648a30/ecornell.cornell.edu/portal/us-fed/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa5cf146f8,0x7ffa5cf14708,0x7ffa5cf14718
  2⤵
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,9374550031001513521,2235823017262027560,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,9374550031001513521,2235823017262027560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,9374550031001513521,2235823017262027560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9374550031001513521,2235823017262027560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9374550031001513521,2235823017262027560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9374550031001513521,2235823017262027560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
  2⤵
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9374550031001513521,2235823017262027560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9374550031001513521,2235823017262027560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:3596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7740a919423ddc469647f8fdd981324d

SHA1
c1bc3f834507e4940a0b7594e34c4b83bbea7cda

SHA256
bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221

SHA512
7ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f44d6f922f830d04d7463189045a5a3

SHA1
2e9ae7188ab8f88078e83ba7f42a11a2c421cb1c

SHA256
0ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a

SHA512
7c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
196KB

MD5
813c1b41e435242e7365a4bcd7adcf23

SHA1
2d25e1564eaf93455640413b95646b3f88f9075b

SHA256
70cb2151ee4ef83195855d29819491a23c5eafee2e72b7ffd9041b35363d1542

SHA512
268c4fa1797700a205e37e716c1472592ad6242344645c703ab1ab8d4d68452c3ccce7cdc4d56a0b42d4061bdc793f1c79dffc397f038133387b94b2a1f4051e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
720B

MD5
9939cbc5927a1f96618fb58cf22e7033

SHA1
e5ae81a57021c685cf01bb0be7e77e26996a1cd0

SHA256
7fd1e5c21441eb66e71c37ddfb1fbeb7956d857257cf594e0b4c3d3798a584d5

SHA512
6b40d0826440154801c03a90829d48b148885ac6ae152fbcf301860691fc98171c4f5cef96b278060ea3de156e068d383a52600008d17d3e36de37116051f614

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
34d03f7bda259eb9db2eedc47ebd2212

SHA1
933f22cecb3b377f411c86e686d17b70d5d649c3

SHA256
009eb704839bc5dd5ce3f5fa6c3e9cbaa0245ac19ac4f0ac343f7ef1842613a9

SHA512
2a21a01205ac53de333d58bcb03f6aacf9a5dc20c491e6c79b0603083b3506a280e7688dd652e871c4036eea9e3c3dae5d097eafbc31175262979f93c0a30589

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
038af599b272829d234bbb85d7def4fe

SHA1
377432d305365faf7797ddd0cfd0262b2f9df4ad

SHA256
afba1f1067551c1c2db6479daaa48e3e4370ae3ab536a0450d780d631e0e8ade

SHA512
e0ca7256d01b591f11c1715f0028d02d224f195085c6ef76da9a84aba02e9fa95b50a68377e900ceec0705502ad0bf38a333329106d2281106b762bf291a17fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
c20e55af5aad5cd7736b1e96d952e27a

SHA1
285c96c6d89a1b192a5e63444e223d08e7a8bd75

SHA256
577d79e477e00dfcf3e18f5e31206f9f624f3a5b55b5c849aa823fc847a2d289

SHA512
504da1f6d698909d4da77b7c652befc8441d9090a30c29c6f82fcf8be87f7338153d91ac3aefdc0f9780e4e53de6bbe795f1402fb6d2c16a260404611eff2235

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3e2559f6fd7cfed97189a9cc29624a22

SHA1
990505ab344e70c0dada74fe7a9ff6924a59a71f

SHA256
20cac941571c125542fafd92df1fb0e80f77e9846e67627677b67248ba22d3ca

SHA512
b6c955bea5ae519e5006b6dafafc393f1d7c027863a13469a967c8c1f8c4b6cecd872ea94b08ec9bf28feda4cf2c6b4d56f6e7e82c0e481593542aa099bb6bb7

Download Submit