hxxps://inst[.]remote-ukchoice[.]com/unsub/1/0fce8fe5-e6d9-469e-8112-f50012159c62

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://inst.remote-ukchoice.com/unsub/1/0fce8fe5-e6d9-469e-8112-f50012159c62

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610279685074288"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{709B8781-E173-43BE-AEB2-13909B7099A8}	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3716	msedge.exe
3716	msedge.exe
2488	msedge.exe
2488	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3716 wrote to memory of 2864	3716	msedge.exe	114
PID 3716 wrote to memory of 2864	3716	msedge.exe	114
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 2044	3716	msedge.exe	115
PID 3716 wrote to memory of 552	3716	msedge.exe	116
PID 3716 wrote to memory of 552	3716	msedge.exe	116
PID 3716 wrote to memory of 2212	3716	msedge.exe	118
PID 3716 wrote to memory of 2212	3716	msedge.exe	118
PID 3716 wrote to memory of 2212	3716	msedge.exe	118
PID 3716 wrote to memory of 2212	3716	msedge.exe	118
PID 3716 wrote to memory of 2212	3716	msedge.exe	118
PID 3716 wrote to memory of 2212	3716	msedge.exe	118
PID 3716 wrote to memory of 2212	3716	msedge.exe	118
PID 3716 wrote to memory of 2212	3716	msedge.exe	118
PID 3716 wrote to memory of 2212	3716	msedge.exe	118

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://inst.remote-ukchoice.com/unsub/1/0fce8fe5-e6d9-469e-8112-f50012159c62
1⤵
PID:4816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3840,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=3876 /prefetch:1
1⤵
PID:3272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=3884,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=4800 /prefetch:1
1⤵
PID:1832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5276,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=5304 /prefetch:1
1⤵
PID:1752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5436,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=3820 /prefetch:8
1⤵
PID:404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5444,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=5580 /prefetch:8
1⤵
PID:4016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5996,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=6008 /prefetch:8
1⤵
PID:4284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5976,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=6012 /prefetch:1
1⤵
PID:1420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4668,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=6376 /prefetch:8
1⤵
PID:1936

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3d4 0x408
1⤵
PID:1324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ffaf331ceb8,0x7ffaf331cec4,0x7ffaf331ced0
  2⤵
  PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2320,i,15337516886411974120,18260700255191910695,262144 --variations-seed-version --mojo-platform-channel-handle=2312 /prefetch:2
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1940,i,15337516886411974120,18260700255191910695,262144 --variations-seed-version --mojo-platform-channel-handle=3312 /prefetch:3
  2⤵
  PID:552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2372,i,15337516886411974120,18260700255191910695,262144 --variations-seed-version --mojo-platform-channel-handle=3544 /prefetch:8
  2⤵
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4504,i,15337516886411974120,18260700255191910695,262144 --variations-seed-version --mojo-platform-channel-handle=4528 /prefetch:8
  2⤵
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4504,i,15337516886411974120,18260700255191910695,262144 --variations-seed-version --mojo-platform-channel-handle=4528 /prefetch:8
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=560,i,15337516886411974120,18260700255191910695,262144 --variations-seed-version --mojo-platform-channel-handle=4572 /prefetch:8
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4036,i,15337516886411974120,18260700255191910695,262144 --variations-seed-version --mojo-platform-channel-handle=4580 /prefetch:8
  2⤵
  PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4736,i,15337516886411974120,18260700255191910695,262144 --variations-seed-version --mojo-platform-channel-handle=4576 /prefetch:8
  2⤵
  PID:3080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4672,i,15337516886411974120,18260700255191910695,262144 --variations-seed-version --mojo-platform-channel-handle=4688 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2488

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
PID:4348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
3b4143c21b67b90be450bf8e7cb0efe6

SHA1
11f6facfc731ccd298a897ae26fa68f0036b5e70

SHA256
2a6b353332edf36c10ab9a3a2dbd66b1223ec360851ca6ed2e1e198a0a7cd71b

SHA512
3325b931f27fa02d55e023f81308a6e1037976c346104aa982e4a180db8943b2e5d82badc8cffe563c746ed5696cf8a6029bad6d4a17f322dca3152f2542a0f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
3ea7b1bc87edf32e5965798479dd78a5

SHA1
0a7eee81c37c176194e16a9fa3d50e7734c977d8

SHA256
f52402864b6e3747b5a0121c186caa0395731fd5ed1824af896cbd681eda007b

SHA512
ac8cae97289bc5f09de439e510aec49ab376b327b9bb1628e32ac4a96fa08cece06d43c434db673adba2a97ba04bf4e8fe0cb737441458d294084c3e0ad11063

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
30KB

MD5
6cdbf3d4b8cddcbeea5a4e6ae533fcdd

SHA1
75bfa72f8a68c2111231fecf4c45e5b6f162fe22

SHA256
cea5b2759efa8dfd93f3091361bfe995e3eb1158aefde4bea21cbda23f12748b

SHA512
0a51309e74d24a6f8637d2e738762283001bff8650e71300eb275153cc203f7db27d6728c4d1c4b2056a097e88b47b5b6cf9e822c569a6bbb014af03255eb401

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
70KB

MD5
2978fbb51603a020965b7576f2613f08

SHA1
69d1598fb8ad8a3883959244925160f618752a3b

SHA256
7ccbe1b495577bd77839e54cf62e23d04e8ea8c845b8f01fec73368e8e51deee

SHA512
d4fea534c7e92094c023808f05105b2eb562d6496b902edadfb232c9bf12f7dbb3ab688e261699c3493e9e1d4d26f5e74230e305da45cda610055c257317655e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
70KB

MD5
862b06ccada5422bff493fce5e2c770c

SHA1
958348ab84715dafc8291d946e496d91a1b8e094

SHA256
54dab653cfcbe961dbe7c54530f8bed5e264261f3febe131ca1482f3383f9372

SHA512
436f94542e5011c72c8ba35f3121dc8fcbd7a648d51fbcfecd2d1dea903012fdadcd7b0e9c437538652f798f5ddff63fcf1b1c7d86093d94aae030243f6c0899

Download Submit