hxxps://www[.]cfra[.]org/news-release/center-rural-affairs-selected-62-million-solar-all-award

Analysis

max time kernel
145s
max time network
147s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
22/04/2024, 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.cfra.org/news-release/center-rural-affairs-selected-62-million-solar-all-award

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4264	msedge.exe
4264	msedge.exe
4784	msedge.exe
4784	msedge.exe
1664	identity_helper.exe
1664	identity_helper.exe
1772	msedge.exe
1772	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 4652	4784	msedge.exe	80
PID 4784 wrote to memory of 4652	4784	msedge.exe	80
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 2848	4784	msedge.exe	81
PID 4784 wrote to memory of 4264	4784	msedge.exe	82
PID 4784 wrote to memory of 4264	4784	msedge.exe	82
PID 4784 wrote to memory of 816	4784	msedge.exe	83
PID 4784 wrote to memory of 816	4784	msedge.exe	83
PID 4784 wrote to memory of 816	4784	msedge.exe	83
PID 4784 wrote to memory of 816	4784	msedge.exe	83
PID 4784 wrote to memory of 816	4784	msedge.exe	83
PID 4784 wrote to memory of 816	4784	msedge.exe	83
PID 4784 wrote to memory of 816	4784	msedge.exe	83
PID 4784 wrote to memory of 816	4784	msedge.exe	83
PID 4784 wrote to memory of 816	4784	msedge.exe	83
PID 4784 wrote to memory of 816	4784	msedge.exe	83
PID 4784 wrote to memory of 816	4784	msedge.exe	83
PID 4784 wrote to memory of 816	4784	msedge.exe	83
PID 4784 wrote to memory of 816	4784	msedge.exe	83
PID 4784 wrote to memory of 816	4784	msedge.exe	83
PID 4784 wrote to memory of 816	4784	msedge.exe	83
PID 4784 wrote to memory of 816	4784	msedge.exe	83
PID 4784 wrote to memory of 816	4784	msedge.exe	83
PID 4784 wrote to memory of 816	4784	msedge.exe	83
PID 4784 wrote to memory of 816	4784	msedge.exe	83
PID 4784 wrote to memory of 816	4784	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.cfra.org/news-release/center-rural-affairs-selected-62-million-solar-all-award
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb85753cb8,0x7ffb85753cc8,0x7ffb85753cd8
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,7479042109806329389,8565037747277201573,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,7479042109806329389,8565037747277201573,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,7479042109806329389,8565037747277201573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
  2⤵
  PID:816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7479042109806329389,8565037747277201573,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7479042109806329389,8565037747277201573,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,7479042109806329389,8565037747277201573,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,7479042109806329389,8565037747277201573,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7479042109806329389,8565037747277201573,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2432 /prefetch:1
  2⤵
  PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7479042109806329389,8565037747277201573,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1
  2⤵
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7479042109806329389,8565037747277201573,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1
  2⤵
  PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7479042109806329389,8565037747277201573,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,7479042109806329389,8565037747277201573,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5092 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4144

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
330B

MD5
f9ee39f51cd4b73017c74f6a333c421e

SHA1
d612e521052c6b75a56d892f0364edcc136988b8

SHA256
753f73657629712eab93185da55ef03f37a3a46f85483de053f85c3a858af0cb

SHA512
ec6f2d60c86934c4d5cb15598bf6c09d19270eb9356eea5c1965c1ba6b80e7cbf4767fa07a783c34ae76b7227e6184ab295aa9b7428d75c8307978f12661b5b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6e15af8f29dec1e606c7774ef749eaf2

SHA1
15fbec608e4aa6ddd0e7fd8ea64c2e8197345e97

SHA256
de9124e3fddde204df6a6df22b8b87a51823ba227d3e304a6a6aced9da00c74c

SHA512
1c9c9acd158273749e666271a5cdb2a6aebf6e2b43b835ebcc49d5b48490cbbf4deddef08c232417cee33d4809dec9ddac2478765c1f3d7ed8ea7441f5fd1d15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e5a2dac1f49835cf442fde4b7f74b88

SHA1
7b2cf4e2820f304adf533d43e6d75b3008941f72

SHA256
30bd1e1bafb4502c91c1fb568372c0fb046d32a4b732e6b88ce59ea23663e4ce

SHA512
933ac835894ce6cb8aac0261153823c96b6abec955173653dd56e534d644efd03aec71acb4f8cb0b9af871962296ec06cd03e570a0ac53098b8cd55657543786

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
cdcf0b685275d6b1f75d1ef511a88bab

SHA1
4ef04a82833c66b6207f0ce7a99346002b3e878e

SHA256
69ad061b0d666b6364eac55be651dbc1fec2df8cdf96799ff7718a9409b839cf

SHA512
10f56c04ff871ded3f5391d6c4ded6db379704c3d8c7172e4f74d3b72f4ce9576fff858243df8859b809c77e6b3b5c4f5b5408ed5866b6bc82073a973d63f1fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
61dfb54d597e0748e407e2a8792d9218

SHA1
cc732819ab2893063e21c6e0dd7178641675084e

SHA256
6433b169ac108b926e51c2c25f11504908b16323edd4ef520bc9939a43e9075d

SHA512
5345b28b7e80bb21ba9354414a9d1aa38e3fbd229919982160470d96e4d8f724d1f40273df86447f0066c550534b7568867fa8c457d1f229d603f5a7f28caa42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2618d8277020348554d5684665998a7e

SHA1
50b4b0f1d2d15ddc76a7136d925b8610e013776f

SHA256
3168e1a13a36ab2dfbc847f48743962e17742606cc291c097231c583a6b3ebc3

SHA512
1a33845139ea11d0b231fd82b5fea8fb42b4afd9ecfdadbbc48dcb315fb2299d425a1057c038a44cef294fdb31483a31cd4dbf071c4e31e35252cece4ba94a66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
69eabd7dc6ed8af2377a412453270138

SHA1
a836948179891ff5a3f369f6a80ecabd859df086

SHA256
ec662a440b0548331933b1191c6c0103896fdd4ae1bbec5d760dcdf20ea9d4df

SHA512
59569b1088ec9b088505e82ddf33509d3b927205a3cd8e57748d4c257b31f55df01d56d8aeb7b9e3db3197b5cac6d726a61b412954f668102ec306bf1bcdcf19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
74a529045a3f4dd14a50f9715f530156

SHA1
b7c9b08b7029bf0871b55e1d4e76e4134a2e377b

SHA256
0f6cfd3ac41c1f88a139abfdad5aed7bcb827a5b889fdce4d7170e9f7f140161

SHA512
98fa535b371ac22da92d3a569e06f9edd84771366d5a25f0ce3cf394350818be517b0c8e4d91807993ba139e1a325b6e81b1d449349e9c52f58be82bd1fb7525

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
970dc753838535c04038fe57595a1ffc

SHA1
b05bb735ef3599f3bfcf6bd9770b70dfdad6eef2

SHA256
1d4dbca33282aca7cdb4fe33843fe234a759639c7a567a6fc59dcbedfe835b08

SHA512
eda4dc37178ba2437107d6727a809e59caf74fea6aa41e7aa549ca609fa59ed9cdce2e3a6d7478d41bc11f2bb95473bac934dbcab9ddb450064a4013d41442f7

Download Submit