hxxps://static1[.]squarespace[.]com/static/6633cccaf78c9a63c1918215/t/66351b3c9eab1d1c75c53172/1714756412683/%23INV_01001409[.]pdf

Analysis

max time kernel
145s
max time network
140s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
15/05/2024, 12:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://static1.squarespace.com/static/6633cccaf78c9a63c1918215/t/66351b3c9eab1d1c75c53172/1714756412683/%23INV_01001409.pdf

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3228	msedge.exe
3228	msedge.exe
4936	msedge.exe
4936	msedge.exe
1664	msedge.exe
1664	msedge.exe
3712	identity_helper.exe
3712	identity_helper.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 2256	4936	msedge.exe	78
PID 4936 wrote to memory of 2256	4936	msedge.exe	78
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 2800	4936	msedge.exe	79
PID 4936 wrote to memory of 3228	4936	msedge.exe	80
PID 4936 wrote to memory of 3228	4936	msedge.exe	80
PID 4936 wrote to memory of 3212	4936	msedge.exe	81
PID 4936 wrote to memory of 3212	4936	msedge.exe	81
PID 4936 wrote to memory of 3212	4936	msedge.exe	81
PID 4936 wrote to memory of 3212	4936	msedge.exe	81
PID 4936 wrote to memory of 3212	4936	msedge.exe	81
PID 4936 wrote to memory of 3212	4936	msedge.exe	81
PID 4936 wrote to memory of 3212	4936	msedge.exe	81
PID 4936 wrote to memory of 3212	4936	msedge.exe	81
PID 4936 wrote to memory of 3212	4936	msedge.exe	81
PID 4936 wrote to memory of 3212	4936	msedge.exe	81
PID 4936 wrote to memory of 3212	4936	msedge.exe	81
PID 4936 wrote to memory of 3212	4936	msedge.exe	81
PID 4936 wrote to memory of 3212	4936	msedge.exe	81
PID 4936 wrote to memory of 3212	4936	msedge.exe	81
PID 4936 wrote to memory of 3212	4936	msedge.exe	81
PID 4936 wrote to memory of 3212	4936	msedge.exe	81
PID 4936 wrote to memory of 3212	4936	msedge.exe	81
PID 4936 wrote to memory of 3212	4936	msedge.exe	81
PID 4936 wrote to memory of 3212	4936	msedge.exe	81
PID 4936 wrote to memory of 3212	4936	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://static1.squarespace.com/static/6633cccaf78c9a63c1918215/t/66351b3c9eab1d1c75c53172/1714756412683/%23INV_01001409.pdf
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc63383cb8,0x7ffc63383cc8,0x7ffc63383cd8
  2⤵
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,6173801254084171665,1300222646605450937,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,6173801254084171665,1300222646605450937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,6173801254084171665,1300222646605450937,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6173801254084171665,1300222646605450937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6173801254084171665,1300222646605450937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:2636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6173801254084171665,1300222646605450937,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
  2⤵
  PID:3808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=1936,6173801254084171665,1300222646605450937,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=5264 /prefetch:6
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1936,6173801254084171665,1300222646605450937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,6173801254084171665,1300222646605450937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6173801254084171665,1300222646605450937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6173801254084171665,1300222646605450937,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6173801254084171665,1300222646605450937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:1868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6173801254084171665,1300222646605450937,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,6173801254084171665,1300222646605450937,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1020 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0d84d1490aa9f725b68407eab8f0030e

SHA1
83964574467b7422e160af34ef024d1821d6d1c3

SHA256
40c09bb0248add089873d1117aadefb46c1b4e23241ba4621f707312de9c829e

SHA512
f84552335ff96b5b4841ec26e222c24af79b6d0271d27ad05a9dfcee254a7b9e9019e7fac0def1245a74754fae81f7126499bf1001615073284052aaa949fa00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0c705388d79c00418e5c1751159353e3

SHA1
aaeafebce5483626ef82813d286511c1f353f861

SHA256
697bd270be634688c48210bee7c5111d7897fd71a6af0bbb2141cefd2f8e4a4d

SHA512
c1614e79650ab9822c4e175ba528ea4efadc7a6313204e4e69b4a9bd06327fb92f56fba95f2595885b1604ca8d8f6b282ab542988995c674d89901da2bc4186f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
191B

MD5
62d7a0975e94c68bab29417d1238760d

SHA1
06002fa7ce21737c1caeb43f59a968a264bc4694

SHA256
595ac4e25bbf2427237cda7b7edc979731d979716017445650dbfafb318746f5

SHA512
c910ad255ea5888fbed3b29f5ee14166da8772df07fa976b155d6d793e9a8307e84da0de4c9f275d5578e312774b4d6e1e4ccf6ac809b244cb6c38dc96cf2f66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7873064c502a9235b78ddd3b16526d55

SHA1
e75d5303a5e7df5e19de0aa945a2a2d61a28da57

SHA256
45d1e7a29da44a16360331066aa0c1fd9a6d1489ac6211e0125cbd8376eafb01

SHA512
ec6ce91143a7cb28986c04285a41887bbbf78473220103fc11ea7369a6d5bae1f6b49350886652e7c46e08cca28d85b8d8856128b58b7fcddc79b19ffd4a51b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fb8b419b48d8b29cd40c24c5010ce6fa

SHA1
b82eb769b5178a1ed0d5a87049bcd90ba34dd35b

SHA256
ed72e2032b6ca6c02ade0e917c4cf031557286b0861924babf8e3dc8a8f0b92f

SHA512
bc7ea5d15c5fd11ad4d3827aa38c4501af22a369d82dec710dd954926f89133ea906588d1e8e6e2059c95671f89a358afda7f7709fc5b29863375cdf600bbd24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7b26634ef9dc61a992d91378ee6ecc32

SHA1
d9b841133c6304e2b23de670a0e1ccabea785b7c

SHA256
0b9b4a67774f843c94461de3f91110818f93178aecc10b40639d31c1b1b0f802

SHA512
ba62c0afadbc3af81355cbb9ce0d205eb4c6d4eb8a0d99eb6e195ce04a8576e2ab0b8c32ff0369391f8572e6b2d0b17b35b62d5c4183c281d191bd74bf75557d

Download Submit