hxxps://www[.]cognitoforms[.]com/SevenResourcing1/sevennursingapplicationformexperience

Analysis

max time kernel
93s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2024, 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.cognitoforms.com/SevenResourcing1/sevennursingapplicationformexperience

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3788	msedge.exe
3788	msedge.exe
3968	msedge.exe
3968	msedge.exe
2716	identity_helper.exe
2716	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 4036	3968	msedge.exe	82
PID 3968 wrote to memory of 4036	3968	msedge.exe	82
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 2472	3968	msedge.exe	85
PID 3968 wrote to memory of 3788	3968	msedge.exe	86
PID 3968 wrote to memory of 3788	3968	msedge.exe	86
PID 3968 wrote to memory of 1496	3968	msedge.exe	87
PID 3968 wrote to memory of 1496	3968	msedge.exe	87
PID 3968 wrote to memory of 1496	3968	msedge.exe	87
PID 3968 wrote to memory of 1496	3968	msedge.exe	87
PID 3968 wrote to memory of 1496	3968	msedge.exe	87
PID 3968 wrote to memory of 1496	3968	msedge.exe	87
PID 3968 wrote to memory of 1496	3968	msedge.exe	87
PID 3968 wrote to memory of 1496	3968	msedge.exe	87
PID 3968 wrote to memory of 1496	3968	msedge.exe	87
PID 3968 wrote to memory of 1496	3968	msedge.exe	87
PID 3968 wrote to memory of 1496	3968	msedge.exe	87
PID 3968 wrote to memory of 1496	3968	msedge.exe	87
PID 3968 wrote to memory of 1496	3968	msedge.exe	87
PID 3968 wrote to memory of 1496	3968	msedge.exe	87
PID 3968 wrote to memory of 1496	3968	msedge.exe	87
PID 3968 wrote to memory of 1496	3968	msedge.exe	87
PID 3968 wrote to memory of 1496	3968	msedge.exe	87
PID 3968 wrote to memory of 1496	3968	msedge.exe	87
PID 3968 wrote to memory of 1496	3968	msedge.exe	87
PID 3968 wrote to memory of 1496	3968	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.cognitoforms.com/SevenResourcing1/sevennursingapplicationformexperience
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdba7a46f8,0x7ffdba7a4708,0x7ffdba7a4718
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,13703042720145483251,14364526371299421003,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,13703042720145483251,14364526371299421003,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,13703042720145483251,14364526371299421003,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,13703042720145483251,14364526371299421003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:1104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,13703042720145483251,14364526371299421003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,13703042720145483251,14364526371299421003,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  PID:1452
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,13703042720145483251,14364526371299421003,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,13703042720145483251,14364526371299421003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,13703042720145483251,14364526371299421003,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,13703042720145483251,14364526371299421003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,13703042720145483251,14364526371299421003,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:1664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
984B

MD5
3bdd12d0e166bf45aaf4b0283a95f7f8

SHA1
502e455aa642e2afeee07cce081d7372860af951

SHA256
4b5ae666da551979cf7c244a47cbd02fd12819a299ea27effea7ff7cc851eeea

SHA512
e2aa05ac8ad95281c3c118f755d1067fb60a41f24b192f9b8899993d056b6758930cf54fc247b970c07d8d57fefc4158e5a10cd85b1a0b008b2dade33146fd24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
269B

MD5
c3150853a14df3745be4e7771afafaa8

SHA1
0b40a6d23c9af2a716ddca08bf3bd7666c31221b

SHA256
688528c2145afe3a386c2223a488d1c97f81e4a82765f562098ca4beaf3eb4aa

SHA512
5f3700dc90b24b08077e3bf17666c07d176b608f477afa7d1b228d389fd153936a3e281a3ec9f4c01a86542d40403828636a48f6d336df6c212fcf0d884a618f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fae971f99ec54637673e4192db3ced2d

SHA1
99a0860ac7b282ef82bad52896e0589c05adb129

SHA256
7b2f605878032c0c4500a8bb453fd4c268e5f4d47e23ec6cde9f3da9c9a82f8d

SHA512
96625ae091060aa5ac788bcbaf4a8252e848afeed2ef3974d17c039aed47727f64e8a934750c97f4c65a3af46b7ddd09911c4954227dce1061fd2d3dc4fcfe92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
15dcd3207257b8222b390948c985fdce

SHA1
9ca64819d89408338b102d0eccd7c91145036f92

SHA256
e6f7dc1557ce664ba5c4dfab4a49fd2da03113c61cb34be7cded9f7f408a9f5a

SHA512
3b8100be819c25b1a543f5dbf76224617c062259d4ff42ab96dade396d294589444debfa77c9babc92238b7c8f2de8ce36bac59a18a9fe1a486ac6ccc6cd900a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
203B

MD5
9afa6298888fe6d71a8355c3c6d37de3

SHA1
2d2549d1afc17f31cfc1a6daa7969391aede96b8

SHA256
3ffd2c7b75ce8b6bd3542508ad8f9e171bd1db436298d4070de6106164334b21

SHA512
024fa19c9da2ca16d559def0d5bef999ba5133604fdc5e1e1889ce2bdc96e434bca7f07df1fe4c7e6f28d82596703b69fc5d10945b42349956a5e4a3359ae118

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
203B

MD5
88bd874f9bde979f195186c12e16df9c

SHA1
d19940fe99abede6c28915fd926492dc7ac881c8

SHA256
bb4ddaa205956bf2acb4837ba3591781305cda65d453478d5fc6006f56ef898b

SHA512
56ab09f71a6b91a13431b6dbde094d01e2a6889ae611abff4500f21fb1231d58c79681f4d2972785a1b385a7ea5d92f638210520b107512239718a2a215c983e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe579942.TMP

Filesize
203B

MD5
66a9f3f383408dcad33ee944efec3860

SHA1
3149e13c30d5231c9138112c8b2a610520b89173

SHA256
bb11b2d591d35e6a90db2501778b7080c18bba0ddb8372007d1aafd72ff58b4b

SHA512
6f3ee4141413344596cb603f859e8780faf82325b1c5b438e81ebce25b35f22d75d64a34f01c3bedf2b22b127f11660deef53a531343efe0032e10f5931d2892

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\bce5ae23-97c5-4041-b974-37ad1a3e6148.tmp

Filesize
6KB

MD5
49fd15bff1b81fc08e6982d69a714d68

SHA1
691816e106d8f6fcf36da3cc1e55e0c4c20e3d96

SHA256
fefe59275c7cd989c55b1cc32d3d789ecad8f46bcb2f7547314e5cc76dc56217

SHA512
c0979ab827c5aaaa531e7bd0fcf866e34df3011f82772d3bed52882ba5e8a56ab6ec572e9deee07d7e972db3f17367354523295e05543da7b38aca22efff9a38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e2ea7dee969424e57b4f021904638bb5

SHA1
a0f86e0ceb9f63ddfe2a96af2d874fb30ab2b966

SHA256
0e06f18e1904853541566af80bf3f60e114f3fee6c52bd5f97dd8b03fa68675e

SHA512
d526e0671b4c8f0438da5893fb4802b7718e97be0c6f393954c9d304f961c3163ef9c050cb241cb3987f2f9157a66ad135bee606ce36765c21df66fc2ab90ad3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
19aa9ca689de8af1f5db925db72e24b7

SHA1
3359da012a35fbd44e0543c9c085c4766fd639c7

SHA256
3ecf8630a7ed97a87bbbc47326c0d224ddf9063de866576b424a18bd38d21c95

SHA512
dbb8641a89bd9adcdc523bd6d5a0f4506908edb06e3bfa2ff825b8ad0aca9b3b1c04913855292939c6442d5e8c00a19c72f60adb4968f1a010c88ef239d51cf0

Download Submit