hxxps://acrobat[.]adobe[.]com/id/urn[:]aaid[:]sc[:]AP[:]44f5bcba-feb1-4bc8-b7c2-96cdaa656237

Analysis

max time kernel
30s
max time network
34s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2024 06:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://acrobat.adobe.com/id/urn:aaid:sc:AP:44f5bcba-feb1-4bc8-b7c2-96cdaa656237

Score

10^/10

adobe phishing

Malware Config

Signatures

Detected adobe phishing page
phishing adobe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exe

pid process

4640 msedge.exe
4640 msedge.exe
3432 msedge.exe
3432 msedge.exe
2148 identity_helper.exe
2148 identity_helper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

3432 msedge.exe
3432 msedge.exe
3432 msedge.exe
3432 msedge.exe
3432 msedge.exe
3432 msedge.exe
3432 msedge.exe
3432 msedge.exe

pid	process
4640	msedge.exe
4640	msedge.exe
3432	msedge.exe
3432	msedge.exe
2148	identity_helper.exe
2148	identity_helper.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3432 wrote to memory of 3664	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3664	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 3464	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 4640	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 4640	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 5076	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 5076	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 5076	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 5076	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 5076	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 5076	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 5076	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 5076	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 5076	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 5076	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 5076	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 5076	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 5076	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 5076	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 5076	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 5076	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 5076	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 5076	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 5076	3432	msedge.exe	msedge.exe
PID 3432 wrote to memory of 5076	3432	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://acrobat.adobe.com/id/urn:aaid:sc:AP:44f5bcba-feb1-4bc8-b7c2-96cdaa656237
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff981f946f8,0x7ff981f94708,0x7ff981f94718
2⤵
PID:3664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,14851583512013967629,16270611490243551692,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
2⤵
PID:3464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,14851583512013967629,16270611490243551692,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2616 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,14851583512013967629,16270611490243551692,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
2⤵
PID:5076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14851583512013967629,16270611490243551692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
2⤵
PID:4556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14851583512013967629,16270611490243551692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
2⤵
PID:3568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14851583512013967629,16270611490243551692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1
2⤵
PID:4048

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,14851583512013967629,16270611490243551692,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
2⤵
PID:2584

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,14851583512013967629,16270611490243551692,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14851583512013967629,16270611490243551692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
2⤵
PID:3048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14851583512013967629,16270611490243551692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
2⤵
PID:5448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14851583512013967629,16270611490243551692,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
2⤵
PID:5456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14851583512013967629,16270611490243551692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
2⤵
PID:5692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14851583512013967629,16270611490243551692,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
2⤵
PID:5700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3428

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e36b219dcae7d32ec82cec3245512f80

SHA1
6b2bd46e4f6628d66f7ec4b5c399b8c9115a9466

SHA256
16bc6f47bbfbd4e54c3163dafe784486b72d0b78e6ea3593122edb338448a27b

SHA512
fc539c461d87141a180cf71bb6a636c75517e5e7226e76b71fd64e834dcacc88fcaaa92a9a00999bc0afc4fb93b7304b068000f14653c05ff03dd7baef3f225c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
559ff144c30d6a7102ec298fb7c261c4

SHA1
badecb08f9a6c849ce5b30c348156b45ac9120b9

SHA256
5444032cb994b90287c0262f2fba16f38e339073fd89aa3ab2592dfebc3e6f10

SHA512
3a45661fc29e312aa643a12447bffdab83128fe5124077a870090081af6aaa4cf0bd021889ab1df5cd40f44adb055b1394b31313515c2929f714824c89fd0f04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
864B

MD5
53fb58d4e5605d179cd1552c37d27b7b

SHA1
73d23b0343d7a76c96f7541777676a8fc541bc22

SHA256
280753517f94964c5808b3df6d14f1bc39733dd29074a18fb9a2e4f970a9b5c5

SHA512
5d105ed24ade3ebde98223b90c99d42c7abc1cd501478ddec165ecba8a7de1750510bab02705f266cdf8a3e3df5f7df82ecd03740b80a21d4f2872171d9a7d45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
d4067f713a54df8a2ffdb154920eedfb

SHA1
22e6227e975ed9e1210ec8e5ba847124efb9e246

SHA256
a18f552068d8bab72be6e36e37fab698c05a3b0a446a4b13d8183db01c35fc79

SHA512
1181765df9f936bf5dfb027c494da75bda9fc1c8116338a6debed324bacdefd8c021d24fa5853c94582c227e95eb1d0e6074d32ddc9e21ee7761b0f94c6f0a2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
5e2ad83dcf8a5434eacde54b7cd7510d

SHA1
74f15b67f488f55e1c58012808c22d35221bbb2e

SHA256
52bc0cd0622ea9bc6b40a0adc304ee47a6f246ce03eff51ac40bb1280f24a1c0

SHA512
14aea7c4977cddf09dfe69b403673bb1db9aabef47dd75b85cd13e845c38f554157adee7459a627ccc3394d81fb10571b02d88e6ae5bd0e9c2b23aa69bd3a3b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
4a99efbc33c83dc2901bd8044ce6787c

SHA1
7b6eaee459486d0dc743daea67f7c701481a80b0

SHA256
fbeab04fd92178e4c7aa686b395a03671d20eb88f524177f2cfc81fdca13c493

SHA512
de88367ed818929cb83feaaf5977caf9dbdb3afe3514fbb5a0286e0bb5cc2395b1809792540d24d495debf8478bd6306a484d799864ddf8c34107577d1017e3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
1b900e7f0418583de5beb3f87bc5819e

SHA1
8afec941f710be4f8f442e3673fa60d5035366f8

SHA256
eb0945b1e5b0727427ffaf1771b460e71d6a7ad7b39a80d80b2698822a19b65f

SHA512
22b83d1bbc8d8f8e1b3a997ce2fcb26236dee96fd0081d67e992704ba2ed5a2585ddbc1ae25fd321d93d7a991e68f285b7f098ec37edafc8beb16df26e18fed0

Download Submit
\??\pipe\LOCAL\crashpad_3432_OTLPEHFIGSWIZXDU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit