Analysis

  • max time kernel
    145s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/04/2024, 07:44

General

  • Target

    https://attachments.office.net/owa/[email protected]/service.svc/s/GetFileAttachment?id=AAkALgAAAAAAHYQDEapmEc2byACqAC%2fEWg0AXQVMY1WOa0e9%2f%2bLMPnXkggAD6QP9jwAAARIAEADtIrsLJYHcTK7u8CqMoNB%2f&token=eyJhbGciOiJSUzI1NiIsImtpZCI6IkU1RDJGMEY4REE5M0I2NzA5QzQzQTlFOEE2MTQzQzAzRDYyRjlBODAiLCJ0eXAiOiJKV1QiLCJ4NXQiOiI1ZEx3LU5xVHRuQ2NRNm5vcGhROEE5WXZtb0EifQ.eyJvcmlnaW4iOiJodHRwczovL291dGxvb2sub2ZmaWNlLmNvbTo0NDQiLCJ1YyI6IjYwMjQ2ZGZlZTkwMTRlYTdiNTJiNzI1MjkwYjA0N2Y3IiwidmVyIjoiRXhjaGFuZ2UuQ2FsbGJhY2suVjEiLCJhcHBjdHhzZW5kZXIiOiJPd2FEb3dubG9hZEA3NDMzYmVmMy0zYjFjLTQwOWYtYTZmMS0wNDlkMTI2YjIxZGUiLCJpc3NyaW5nIjoiU0lQIiwiYXBwY3R4Ijoie1wibXNleGNocHJvdFwiOlwib3dhXCIsXCJwdWlkXCI6XCIxMDAzMjAwMDk1MkIyMTkyXCIsXCJzY29wZVwiOlwiT3dhRG93bmxvYWRcIixcIm9pZFwiOlwiMDI5NTJlNWYtMTQ0Mi00YTFiLThmNmUtZmVjNDgxOWY4ODAzXCIsXCJwcmltYXJ5c2lkXCI6XCJTLTEtNS0yMS00MDA2NzM0MDc5LTM2MDc3NjE5Ni05MjYxODQ5NC0xNzk0MDE2MFwifSIsIm5iZiI6MTcxMjA0MzcxNiwiZXhwIjoxNzEyMDQ0MzE2LCJpc3MiOiIwMDAwMDAwMi0wMDAwLTBmZjEtY2UwMC0wMDAwMDAwMDAwMDBANzQzM2JlZjMtM2IxYy00MDlmLWE2ZjEtMDQ5ZDEyNmIyMWRlIiwiYXVkIjoiMDAwMDAwMDItMDAwMC0wZmYxLWNlMDAtMDAwMDAwMDAwMDAwL2F0dGFjaG1lbnRzLm9mZmljZS5uZXRANzQzM2JlZjMtM2IxYy00MDlmLWE2ZjEtMDQ5ZDEyNmIyMWRlIiwiaGFwcCI6Im93YSJ9.A_RodI0iBMMi_767IqcaU6hqxUCZjqqjc3AeItvIk05_C8qgBT40dllujFY32H_rFp82xg-JMcXb6QGoOkYVQTvh8KLMA7nNHv8vOrR7doSxnLXNz-KhOIlwGYjtRUJwUTYl1sLjavF4isdI6dmC1_Ng-nwr2A5haqnypjh9zh_KLcGuIMl64fc0mAr5DuiEkicR-N-5F1wrnuso2fjDCWKuD21pUspQNBXSyRylTwRiuwafu4mnwz_KH39bO3mVxwSjTBo_v0ikvo-EoiThvq-fKhOsSL8VBh9wTQYWBlkMM3peXPYaMDJ4wOYlszTIsC7y9dpjLMSq617M8pfcUg&amp

Score
1/10

Malware Config

Signatures

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://attachments.office.net/owa/[email protected]/service.svc/s/GetFileAttachment?id=AAkALgAAAAAAHYQDEapmEc2byACqAC%2fEWg0AXQVMY1WOa0e9%2f%2bLMPnXkggAD6QP9jwAAARIAEADtIrsLJYHcTK7u8CqMoNB%2f&token=eyJhbGciOiJSUzI1NiIsImtpZCI6IkU1RDJGMEY4REE5M0I2NzA5QzQzQTlFOEE2MTQzQzAzRDYyRjlBODAiLCJ0eXAiOiJKV1QiLCJ4NXQiOiI1ZEx3LU5xVHRuQ2NRNm5vcGhROEE5WXZtb0EifQ.eyJvcmlnaW4iOiJodHRwczovL291dGxvb2sub2ZmaWNlLmNvbTo0NDQiLCJ1YyI6IjYwMjQ2ZGZlZTkwMTRlYTdiNTJiNzI1MjkwYjA0N2Y3IiwidmVyIjoiRXhjaGFuZ2UuQ2FsbGJhY2suVjEiLCJhcHBjdHhzZW5kZXIiOiJPd2FEb3dubG9hZEA3NDMzYmVmMy0zYjFjLTQwOWYtYTZmMS0wNDlkMTI2YjIxZGUiLCJpc3NyaW5nIjoiU0lQIiwiYXBwY3R4Ijoie1wibXNleGNocHJvdFwiOlwib3dhXCIsXCJwdWlkXCI6XCIxMDAzMjAwMDk1MkIyMTkyXCIsXCJzY29wZVwiOlwiT3dhRG93bmxvYWRcIixcIm9pZFwiOlwiMDI5NTJlNWYtMTQ0Mi00YTFiLThmNmUtZmVjNDgxOWY4ODAzXCIsXCJwcmltYXJ5c2lkXCI6XCJTLTEtNS0yMS00MDA2NzM0MDc5LTM2MDc3NjE5Ni05MjYxODQ5NC0xNzk0MDE2MFwifSIsIm5iZiI6MTcxMjA0MzcxNiwiZXhwIjoxNzEyMDQ0MzE2LCJpc3MiOiIwMDAwMDAwMi0wMDAwLTBmZjEtY2UwMC0wMDAwMDAwMDAwMDBANzQzM2JlZjMtM2IxYy00MDlmLWE2ZjEtMDQ5ZDEyNmIyMWRlIiwiYXVkIjoiMDAwMDAwMDItMDAwMC0wZmYxLWNlMDAtMDAwMDAwMDAwMDAwL2F0dGFjaG1lbnRzLm9mZmljZS5uZXRANzQzM2JlZjMtM2IxYy00MDlmLWE2ZjEtMDQ5ZDEyNmIyMWRlIiwiaGFwcCI6Im93YSJ9.A_RodI0iBMMi_767IqcaU6hqxUCZjqqjc3AeItvIk05_C8qgBT40dllujFY32H_rFp82xg-JMcXb6QGoOkYVQTvh8KLMA7nNHv8vOrR7doSxnLXNz-KhOIlwGYjtRUJwUTYl1sLjavF4isdI6dmC1_Ng-nwr2A5haqnypjh9zh_KLcGuIMl64fc0mAr5DuiEkicR-N-5F1wrnuso2fjDCWKuD21pUspQNBXSyRylTwRiuwafu4mnwz_KH39bO3mVxwSjTBo_v0ikvo-EoiThvq-fKhOsSL8VBh9wTQYWBlkMM3peXPYaMDJ4wOYlszTIsC7y9dpjLMSq617M8pfcUg&amp
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4536
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdb45046f8,0x7ffdb4504708,0x7ffdb4504718
      2⤵
        PID:2044
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,1285705633406814737,13451620449851611585,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
        2⤵
          PID:864
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,1285705633406814737,13451620449851611585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4320
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,1285705633406814737,13451620449851611585,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
          2⤵
            PID:4684
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1285705633406814737,13451620449851611585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
            2⤵
              PID:4016
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1285705633406814737,13451620449851611585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
              2⤵
                PID:1488
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1285705633406814737,13451620449851611585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:1
                2⤵
                  PID:4888
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1285705633406814737,13451620449851611585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
                  2⤵
                    PID:4324
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,1285705633406814737,13451620449851611585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 /prefetch:8
                    2⤵
                      PID:1076
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,1285705633406814737,13451620449851611585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 /prefetch:8
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:3040
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1285705633406814737,13451620449851611585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
                      2⤵
                        PID:3264
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1285705633406814737,13451620449851611585,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
                        2⤵
                          PID:2288
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1285705633406814737,13451620449851611585,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
                          2⤵
                            PID:4600
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,1285705633406814737,13451620449851611585,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5196 /prefetch:2
                            2⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:1388
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:2184
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:1048

                            Network

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                    Filesize

                                    152B

                                    MD5

                                    f35bb0615bb9816f562b83304e456294

                                    SHA1

                                    1049e2bd3e1bbb4cea572467d7c4a96648659cb4

                                    SHA256

                                    05e80abd624454e5b860a08f40ddf33d672c3fed319aac180b7de5754bc07b71

                                    SHA512

                                    db9100f3e324e74a9c58c7d9f50c25eaa4c6c4553c93bab9b80c6f7bef777db04111ebcd679f94015203b240fe9f4f371cae0d4290ec891a4173c746ff4b11c1

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                    Filesize

                                    152B

                                    MD5

                                    1eb86108cb8f5a956fdf48efbd5d06fe

                                    SHA1

                                    7b2b299f753798e4891df2d9cbf30f94b39ef924

                                    SHA256

                                    1b53367e0041d54af89e7dd59733231f5da1393c551ed2b943c89166c0baca40

                                    SHA512

                                    e2a661437688a4a01a6eb3b2bd7979ecf96b806f5a487d39354a7f0d44cb693a3b1c2cf6b1247b04e4106cc816105e982569572042bdddb3cd5bec23b4fce29d

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                    Filesize

                                    595B

                                    MD5

                                    bac9528be728d6970119ec9f68b07df0

                                    SHA1

                                    89999d06b33313e6a8dff7c5e2259af7afee9fe2

                                    SHA256

                                    88b2df4eb8db50a66e707fa37b4ce8c40a41aee3aeee9965936ca0fdfaa1568c

                                    SHA512

                                    7cc592bc112bdbb23aa304cdf0888051ce3a14456d3b934cdf898961c2df1241ec4a6c084b055d16cecd48bd3622b6e32c2af4b34958fcf28cf0be5f85364696

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                    Filesize

                                    6KB

                                    MD5

                                    1ccc503a83c2b94145068ccd31b5370d

                                    SHA1

                                    ef591c88e909bc0f49955b1aa01019397388435e

                                    SHA256

                                    8563a72ba76b39328b87887d3b168ba5a604abb82faf6515a7f1ae66c5c15c40

                                    SHA512

                                    0437a05ed462583ebb50aca877d9e03bc2241b82cb676dd44c2ebd347db7c1c1da4920b24b145fdfeaac7902230631020454848ef4b4a0dcc6a95a7b11dc81a9

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                    Filesize

                                    6KB

                                    MD5

                                    4eb7859cd3b711be7b9b45bc33d6f974

                                    SHA1

                                    46c73afcf774df8a3c8c546ab3d9000087e63189

                                    SHA256

                                    f1832a723c0d4ccb2d06e4af523bc1391f74d9922d6e0bc36b52de7d0f000836

                                    SHA512

                                    7cbbc0821ef2d16e4f6a349b0483971331f0421563803c4eff632ce704e59853adc3f2cd9536bf8ab9bbb84dbd8c2245c794c19a5a2b698a94a2228ee93809e4

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                    Filesize

                                    16B

                                    MD5

                                    6752a1d65b201c13b62ea44016eb221f

                                    SHA1

                                    58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                    SHA256

                                    0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                    SHA512

                                    9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                    Filesize

                                    11KB

                                    MD5

                                    6b515ce3aa56b9d5b28e94784febf13b

                                    SHA1

                                    9b50cef78fa44752de74d67dfe05581b1af5bcfa

                                    SHA256

                                    02f4f3d0dd06f97ca51ae63effdda9bc40ba4b0fb9e31ead8f2f6adc16066414

                                    SHA512

                                    929e991f26f9f2501fed19df5cdfcdb09b2c78da347e38fd5515d220ece7bb2f42ca25983def3e51f8886285f56c31d725ec6903f3fdf485f3cec3970a45c340