hxxps://oloylydw[.]forms[.]app/brou

Analysis

max time kernel
45s
max time network
48s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
09/05/2024, 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://oloylydw.forms.app/brou

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2388	msedge.exe
2388	msedge.exe
1388	msedge.exe
1388	msedge.exe
5040	identity_helper.exe
5040	identity_helper.exe
5064	msedge.exe
5064	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 3476	1388	msedge.exe	79
PID 1388 wrote to memory of 3476	1388	msedge.exe	79
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 1304	1388	msedge.exe	81
PID 1388 wrote to memory of 2388	1388	msedge.exe	82
PID 1388 wrote to memory of 2388	1388	msedge.exe	82
PID 1388 wrote to memory of 1428	1388	msedge.exe	83
PID 1388 wrote to memory of 1428	1388	msedge.exe	83
PID 1388 wrote to memory of 1428	1388	msedge.exe	83
PID 1388 wrote to memory of 1428	1388	msedge.exe	83
PID 1388 wrote to memory of 1428	1388	msedge.exe	83
PID 1388 wrote to memory of 1428	1388	msedge.exe	83
PID 1388 wrote to memory of 1428	1388	msedge.exe	83
PID 1388 wrote to memory of 1428	1388	msedge.exe	83
PID 1388 wrote to memory of 1428	1388	msedge.exe	83
PID 1388 wrote to memory of 1428	1388	msedge.exe	83
PID 1388 wrote to memory of 1428	1388	msedge.exe	83
PID 1388 wrote to memory of 1428	1388	msedge.exe	83
PID 1388 wrote to memory of 1428	1388	msedge.exe	83
PID 1388 wrote to memory of 1428	1388	msedge.exe	83
PID 1388 wrote to memory of 1428	1388	msedge.exe	83
PID 1388 wrote to memory of 1428	1388	msedge.exe	83
PID 1388 wrote to memory of 1428	1388	msedge.exe	83
PID 1388 wrote to memory of 1428	1388	msedge.exe	83
PID 1388 wrote to memory of 1428	1388	msedge.exe	83
PID 1388 wrote to memory of 1428	1388	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://oloylydw.forms.app/brou
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd7d3a3cb8,0x7ffd7d3a3cc8,0x7ffd7d3a3cd8
  2⤵
  PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,1641948811987440427,10191229665773190114,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:1304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,1641948811987440427,10191229665773190114,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,1641948811987440427,10191229665773190114,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
  2⤵
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1641948811987440427,10191229665773190114,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1641948811987440427,10191229665773190114,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1641948811987440427,10191229665773190114,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
  2⤵
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,1641948811987440427,10191229665773190114,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5616 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,1641948811987440427,10191229665773190114,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1641948811987440427,10191229665773190114,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1641948811987440427,10191229665773190114,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1641948811987440427,10191229665773190114,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
  2⤵
  PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1641948811987440427,10191229665773190114,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:2708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8e1dd984856ef51f4512d3bf2c7aef54

SHA1
81cb28f2153ec7ae0cbf79c04c1a445efedd125f

SHA256
34afac298a256d796d20598df006222ed6900a0dafe0f8507ed3b29bfd2027d7

SHA512
d1f8dfc7fdc5d0f185de88a420f2e5b364e77904cab99d2ace154407c4936c510f3c49e27eed4e74dd2fbd850ad129eb585a64127105661d5f8066448e9f201d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ffa07b9a59daf025c30d00d26391d66f

SHA1
382cb374cf0dda03fa67bd55288eeb588b9353da

SHA256
7052a8294dd24294974bb11e6f53b7bf36feeb62ce8b5be0c93fbee6bc034afb

SHA512
25a29d2a3ba4af0709455a9905a619c9d9375eb4042e959562af8faa087c91afafdb2476599280bbb70960af67d5bd477330f17f7345a7df729aaee997627b3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
199KB

MD5
585ac11a4e8628c13c32de68f89f98d6

SHA1
bcea01f9deb8d6711088cb5c344ebd57997839db

SHA256
d692f27c385520c3b4078c35d78cdf154c424d09421dece6de73708659c7e2a6

SHA512
76d2ed3f41df567fe4d04060d9871684244764fc59b81cd574a521bb013a6d61955a6aedf390a1701e3bfc24f82d92fd062ca9e461086f762a3087c142211c19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
5f425dea095a2e1a4b277aac209e857d

SHA1
eaf5e52cea535134adea9b6fb247844366bb335f

SHA256
33c8728e00d35a17ba04bf34b8ca29f87b8a8b7f97bb32b5b31fc208797ab77b

SHA512
fbf694d01e419bf40c7a536dedf1eb249a710730c001ef1f45232a224c5fbaff54b0968ed1007d32a7bf9e396b6a384f4b8836239b6c05dd739137c0c0f1363e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
04f79d8909b1e44c958cc62ca2bc1b0f

SHA1
fb828172bb5202950f20527719472484f96a0545

SHA256
d6f5a8829d99175582b479570119960f9fd310a16de7f2e6277d7189a51017cc

SHA512
4c7aae2eed335078c28c63850088a0158b91a6663fac29e41f1c494716f9065e1493571e2e4129ce0f58e161d4371362e647c8073dcddff0f3af38569c9c5873

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fa7d59ccfb8b333aca683834df16e662

SHA1
6e7b7d51c78c04aae13b999f608f0be241286a86

SHA256
3e7fd10d0d3328c36b5d3a60eb23e422b87c268f044aa15a8ea3be52e2efbf83

SHA512
bd9c76b3d164796656cacda84dee645f83f1a13b16af50c497d737fa4950ab45839550aada4a2ec14517a708f5790ba8d31209735adf86047daf3ed222c6a348

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0686e0246fe8bf6baa3ea950fa89f0a9

SHA1
3fe7cc7e36875977354353cef8d2f091c153930c

SHA256
8f9678f9a52e5200d1e40881176e61309243ee9f35f6babc316ddc25d229a593

SHA512
f92fd46ce1f53e3966d53a4ac071155049156debb7ed815b583a2faa63eb5ae244d4021018c22a130b853279aa9ca21e1dc09edfe5d1a1420e5f356aed4066a5

Download Submit