hxxps://mrodevicemgr[.]officeapps[.]live[.]com/mrodevicemgrsvc/api/v2/C2RReleaseData

Resubmissions

27-04-2024 21:41

240427-1j3w3ahb46 1

27-04-2024 21:40

240427-1jhwwshd8x 1

Analysis

max time kernel
38s
max time network
39s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
27-04-2024 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3460	msedge.exe
3460	msedge.exe
2996	msedge.exe
2996	msedge.exe
3948	identity_helper.exe
3948	identity_helper.exe
3508	msedge.exe
3508	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 3152	2996	msedge.exe	80
PID 2996 wrote to memory of 3152	2996	msedge.exe	80
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 4700	2996	msedge.exe	81
PID 2996 wrote to memory of 3460	2996	msedge.exe	82
PID 2996 wrote to memory of 3460	2996	msedge.exe	82
PID 2996 wrote to memory of 4816	2996	msedge.exe	83
PID 2996 wrote to memory of 4816	2996	msedge.exe	83
PID 2996 wrote to memory of 4816	2996	msedge.exe	83
PID 2996 wrote to memory of 4816	2996	msedge.exe	83
PID 2996 wrote to memory of 4816	2996	msedge.exe	83
PID 2996 wrote to memory of 4816	2996	msedge.exe	83
PID 2996 wrote to memory of 4816	2996	msedge.exe	83
PID 2996 wrote to memory of 4816	2996	msedge.exe	83
PID 2996 wrote to memory of 4816	2996	msedge.exe	83
PID 2996 wrote to memory of 4816	2996	msedge.exe	83
PID 2996 wrote to memory of 4816	2996	msedge.exe	83
PID 2996 wrote to memory of 4816	2996	msedge.exe	83
PID 2996 wrote to memory of 4816	2996	msedge.exe	83
PID 2996 wrote to memory of 4816	2996	msedge.exe	83
PID 2996 wrote to memory of 4816	2996	msedge.exe	83
PID 2996 wrote to memory of 4816	2996	msedge.exe	83
PID 2996 wrote to memory of 4816	2996	msedge.exe	83
PID 2996 wrote to memory of 4816	2996	msedge.exe	83
PID 2996 wrote to memory of 4816	2996	msedge.exe	83
PID 2996 wrote to memory of 4816	2996	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9b2873cb8,0x7ff9b2873cc8,0x7ff9b2873cd8
  2⤵
  PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,1383657377451920818,5272734508763695082,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,1383657377451920818,5272734508763695082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,1383657377451920818,5272734508763695082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1383657377451920818,5272734508763695082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1383657377451920818,5272734508763695082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1383657377451920818,5272734508763695082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,1383657377451920818,5272734508763695082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1383657377451920818,5272734508763695082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,1383657377451920818,5272734508763695082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2744 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1383657377451920818,5272734508763695082,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4460 /prefetch:1
  2⤵
  PID:2676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1383657377451920818,5272734508763695082,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1383657377451920818,5272734508763695082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1383657377451920818,5272734508763695082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1383657377451920818,5272734508763695082,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:2580

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:744

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\7f8234dd-eae8-4e18-8ced-4a550954ab09.tmp

Filesize
8KB

MD5
1390e8bf4f81d5930310d4220ae8af64

SHA1
7de17f2d7ae8908cab7385c778f6673e94cd5436

SHA256
6827dae170bd8bea11c95dc6d9888d5e07783165cf4fb1291879c988954c4dca

SHA512
67c94cf8e4b6e3926f01360e40588657b7cb44caba56d0fc599b09b826ae9e54b79b43f6435542adde0a818494c5450aa06df9efa0e45329784f6706de82e973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6e498afe43878690d3c18fab2dd375a5

SHA1
b53f3ccbfe03a300e6b76a7c453bacb8ca9e13bd

SHA256
beb39e9a246495e9dd2971224d23c511b565a72a6f02315c9f9bf1dcfae7df78

SHA512
3bf8a2dd797e7f41377267ad26bde717b5b3839b835fe7b196e748fec775ffd39346dba154bb5d8bda4e6568133daaa7fefa3a0d2a05e035c7210bb3c60041a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8b53ef336be1e3589ad68ef93bbe3a7

SHA1
dec5c310225cab7d871fe036a6ed0e7fc323cf56

SHA256
fe5c2fb328310d7621d8f5af5af142c9ce10c80f127c4ab63171738ad34749e1

SHA512
a9081a5a909d9608adfc2177d304950b700b654e397cf648ed90ecac8ac44b860b2cf55a6d65e4dfa84ef79811543abf7cb7f6368fd3914e138dfdd7a9c09537

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
19b54599c7d4f72b5b8f3490b9091cc7

SHA1
7e88f7183efbc1d6e5730adc04729fe521b34667

SHA256
ea9953379b047729b3b08b70def54eee820fc0a95a6a7377b72b2979d8d807ee

SHA512
0238baeee7353d477f1261433b42251bc4006dbc9039ccddba222e4f1fdba483d368e284103ce53b7f9e2b41da4802ae4ee59df26df3995c1c52635702239e99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
aec8eb1870ee63cbbac17165b086992f

SHA1
4c94bd27dc402676d2f6e3459913a1e7db72322a

SHA256
21316cff061efe26007fb98b4e5438861021eca3f71f7ebe4db39c62b2cba7c2

SHA512
b6df34600e0977a034c7a37dc8c0b7960efc74170ed2167de56d9859c20fa824a15ab44877a4379d0e7756edb102b2b23bcade296df233bdd798470bf6741fcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
a95bb27e82a770d678d2da32ef2b2fd9

SHA1
584d4756c9d0bef8d08793c195a9696c0723b5a6

SHA256
475b18dd7b9f8f3eb7dc0a6aa843c7b291446dc17e74a94956232dd5010d6984

SHA512
9bd7cebfd446e408e8d20ab16ba227f67509cb63ddbab81591a567248a2cd834b13e798e8b200bf2b943b1978340fcc80d1c36a433169c993c03291c71602d91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
86f682ff1e993a75fb5f14b445a63cee

SHA1
07c33463bc74510eb9f321f2b3b22564b3698d74

SHA256
5c77b9cf9cc0fd428abbe2deed90d6504e25c7c7f4a08a6333406af0841a2e91

SHA512
650f19d1cff4fbdb5c0781654661bf8cd136e2ea7a4f56f8a774dfaf0e56fa4b56eeb05b917aeead7c9097e2a2a0a66a20aa7af7261c98009be4bfcff7333912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
366162175f85eb977187857470f532b9

SHA1
51fc29b10cb74ba934e837ce0104919ca0ebb97b

SHA256
67352e720713cd2c5e759179a8f6c18348702de9610542f47d517c88e453972b

SHA512
354ca0947b815c69659c33deeb55235a9bc3c6adf749a81a3b8793050068c44541a836747e73e781d0c1f73fe0a68b3aa9466cd79a38ed92de25ea1600f7f832

Download Submit