hxxps://www[.]documentcloud[.]org/documents/2229124-cl2013-929-pdf

Analysis

max time kernel
145s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 08:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.documentcloud.org/documents/2229124-cl2013-929-pdf

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4164	msedge.exe
4164	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
1864	identity_helper.exe
1864	identity_helper.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 844	620	msedge.exe	87
PID 620 wrote to memory of 844	620	msedge.exe	87
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 1472	620	msedge.exe	88
PID 620 wrote to memory of 4164	620	msedge.exe	89
PID 620 wrote to memory of 4164	620	msedge.exe	89
PID 620 wrote to memory of 2368	620	msedge.exe	90
PID 620 wrote to memory of 2368	620	msedge.exe	90
PID 620 wrote to memory of 2368	620	msedge.exe	90
PID 620 wrote to memory of 2368	620	msedge.exe	90
PID 620 wrote to memory of 2368	620	msedge.exe	90
PID 620 wrote to memory of 2368	620	msedge.exe	90
PID 620 wrote to memory of 2368	620	msedge.exe	90
PID 620 wrote to memory of 2368	620	msedge.exe	90
PID 620 wrote to memory of 2368	620	msedge.exe	90
PID 620 wrote to memory of 2368	620	msedge.exe	90
PID 620 wrote to memory of 2368	620	msedge.exe	90
PID 620 wrote to memory of 2368	620	msedge.exe	90
PID 620 wrote to memory of 2368	620	msedge.exe	90
PID 620 wrote to memory of 2368	620	msedge.exe	90
PID 620 wrote to memory of 2368	620	msedge.exe	90
PID 620 wrote to memory of 2368	620	msedge.exe	90
PID 620 wrote to memory of 2368	620	msedge.exe	90
PID 620 wrote to memory of 2368	620	msedge.exe	90
PID 620 wrote to memory of 2368	620	msedge.exe	90
PID 620 wrote to memory of 2368	620	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.documentcloud.org/documents/2229124-cl2013-929-pdf
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc147b46f8,0x7ffc147b4708,0x7ffc147b4718
  2⤵
  PID:844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,13780829607948135047,3773278677138866785,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,13780829607948135047,3773278677138866785,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,13780829607948135047,3773278677138866785,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8
  2⤵
  PID:2368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13780829607948135047,3773278677138866785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:1320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13780829607948135047,3773278677138866785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:2652
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,13780829607948135047,3773278677138866785,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
  2⤵
  PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,13780829607948135047,3773278677138866785,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13780829607948135047,3773278677138866785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13780829607948135047,3773278677138866785,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:60
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13780829607948135047,3773278677138866785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13780829607948135047,3773278677138866785,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:1332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,13780829607948135047,3773278677138866785,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2796 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4932

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:540

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5e2f0fe48e7ee1aad1c24db5c01c354a

SHA1
5bfeb862e107dd290d87385dc9369bd7a1006b36

SHA256
f13b3ebe8d71bd0086d5bb82364c35f59a95d32b39753af251e8639360e291a9

SHA512
140d026437fd5e8a874cd00b03950c8f010e1a0732a0a1cc5bdde477e7f8315ccb95790bb4c15b8dbaab9468ad532eb885b6c429300a64e39412d976d079324e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7e0880992c640aca08737893588a0010

SHA1
6ceec5cb125a52751de8aeda4bab7112f68ae0fe

SHA256
8649a39877c190ec740a5422284ec5f9ff509b30b2d7896635476873dd8824e2

SHA512
52bd0a38ca7f43b26731966035045b1cbd8b60b2d81bdf9aad791cf444da8af8b722ebf3cb364a6e660bebdf23084eb0e30bc23562575b704801669817549f8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
3c05981b33acb0e603e93f1219625bbe

SHA1
42d80ee0e103907500feb84fc9c624e3eb117da6

SHA256
e6955cc70670ff63dd8785b4a641cdb7cbc9744696ad56ba83791c77490adda6

SHA512
30a46fdfad7bdf84e117954d562a8e7365c0ca0e9f7f17196f673dc1a0d02ef147e6fd166990c5322c7ded844859470ac57502bd80b3b2d49425c64afc1cfa5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
467B

MD5
7c794d4ddad3bff8d24cbc9328b5f0cc

SHA1
0a4111b90f3fbaa3f41795b8836cc01f6073b692

SHA256
92f0008991a9b454089fdb09629d8241d6091b722b4a6964a07fd081df2ea413

SHA512
72064943ed42b0b5e3820eee5992b502c374bd71f445d5ff6396d086949f87e7136ac9656d54b6b31e95e9e14d1425c4f6be683d18844ceae90ee458df3a9fec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
832b1ddeb65949b6e7c7cb95cd9c9dd4

SHA1
a0bfe55575c44fbb807111621c82595f88cf58a2

SHA256
ec28a53548eed78ffe05d4450a47244674696ecf50b4ac5793ab03e8a94a7f3b

SHA512
1c01cf8904fa55872b2436ae96c5ef725fd1d8ba236892fc2a73f855094548e5249a13acfa3817e63a61fbcd32d5cea792f9b9012ca5cb749c71ad154cc672e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d61e905fdc58ab38399c2b054d43f0af

SHA1
f929f1c96862befa0502e0fc47265243c31b0190

SHA256
bc3935e9bb87bb41622fe866d84d75137eb2ec3fa193658bf19caaada262ef5b

SHA512
3bd3b66c0d5f9c612bf63bb7e67ad2a69e95a460b00bc20065818c9eefcec5bfdbe38c706ec184ae3d902d8c70cc0eec771c64113fab20d92bec67b7dddd63b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c21b3738bf94a702dcbe9b4372ca6a98

SHA1
18a042a6cbc5ec5856941bc54ff9f4f6827762da

SHA256
95fa2abe15f4ae5265d76cd0d1694aa94b745b25b475c34969dd540be0920b95

SHA512
f7716a013f0adf298ee6ec99d21f0676fb2ec4699afc316a5283b1f71abbb80628e5e054ab070762b275b12a34e29445ff5aee8e59bbb892559d2955538e9822

Download Submit