hxxps://bt[.]com/business/myaccount/?s_cid=btb_email_N3CDBreach&kcino=4518276228

General

Target

https://bt.com/business/myaccount/?s_cid=btb_email_N3CDBreach&kcino=4518276228

Score

10^/10

ee phishing

Malware Config

Signatures

Detected ee phishing page
phishing ee

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msedge.exemsedge.exe

pid process

3292 msedge.exe
3292 msedge.exe
4076 msedge.exe
4076 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

msedge.exe

pid process

4076 msedge.exe
4076 msedge.exe
4076 msedge.exe

pid	process
3292	msedge.exe
3292	msedge.exe
4076	msedge.exe
4076	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

msedge.exe

pid	process
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4076 wrote to memory of 4048	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4048	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4052	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 3292	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 3292	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 1100	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 1100	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 1100	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 1100	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 1100	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 1100	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 1100	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 1100	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 1100	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 1100	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 1100	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 1100	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 1100	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 1100	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 1100	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 1100	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 1100	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 1100	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 1100	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 1100	4076	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bt.com/business/myaccount/?s_cid=btb_email_N3CDBreach&kcino=4518276228
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffccea246f8,0x7ffccea24708,0x7ffccea24718
2⤵
PID:4048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,995997976297941048,7999628827774430557,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2032 /prefetch:2
2⤵
PID:4052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,995997976297941048,7999628827774430557,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,995997976297941048,7999628827774430557,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
2⤵
PID:1100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,995997976297941048,7999628827774430557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
2⤵
PID:4328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,995997976297941048,7999628827774430557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
2⤵
PID:1880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,995997976297941048,7999628827774430557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
2⤵
PID:4184

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3332

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c5abc082d9d9307e797b7e89a2f755f4

SHA1
54c442690a8727f1d3453b6452198d3ec4ec13df

SHA256
a055d69c6aba59e97e632d118b7960a5fdfbe35cfdfaa0de14f194fc6f874716

SHA512
ad765cddbf89472988de5356db5e0ee254ca3475491c6034fba1897c373702ab7cfa4bd21662ab862eebb48a757c3eb86b1f8ed58629751f71863822a59cd26c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
b4a74bc775caf3de7fc9cde3c30ce482

SHA1
c6ed3161390e5493f71182a6cb98d51c9063775d

SHA256
dfad4e020a946f85523604816a0a9781091ee4669c870db2cabab027f8b6f280

SHA512
55578e254444a645f455ea38480c9e02599ebf9522c32aca50ff37aad33976db30e663d35ebe31ff0ecafb4007362261716f756b3a0d67ac3937ca62ff10e25f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
57fb7a4716716de4b75b6823db0b5c70

SHA1
5ee7caa96bbf5b57aba36c8eb27dbe4ffbdf50bc

SHA256
cc1220355a49cd2de8157b64eda4ad0f618600142f96cfd90fa1f0272c80e487

SHA512
8e7bc03e495a7689f6ff12b888a957eeb0ed20a4067edecfbd748db45403ab56a2f006a0cac5132e6186ffe1ec55216920332d98b799a5c4619c9cc43b461261

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
cbbd527213d7c9aa0406d10ecc5de704

SHA1
55a491ae9f6f5ec1a87f1e20ea900ad09f45a194

SHA256
3880d56c563449c39bcb65253fc8609f9fc0fdb498bf3fe335197fde19d74205

SHA512
1bacb7f4df8843be699152e86bcdb2e69b20c26909dd1abf42979f75bac096388a4113417745e95f3be0909d26624ec4c3d135a2f53657153107a8b3aae0118c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
5b8f36f321b19fede13c4eafc5c73faf

SHA1
f0f4b61b9db1bd6a62aa1768211df472ad139179

SHA256
c84b474f65cf77472bc680342efc6dcae8cb038f9d0538c6eff74b7e29e419f4

SHA512
b67137699ade10bbe768b542bebabe0154c1bb00e2e7d4e31849f40f1295cb43baf60746b606981c637c5715baf94c3fe9baf49d03cf2d03fad5b08a91fe0b00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a435519d-09ab-4d83-a99d-bf27162316f0.tmp
Filesize
6KB

MD5
9c3660e9168adbbb93cbc6ef452e1de6

SHA1
fb3705142bd109f02b708df6959c88bb67fcdcff

SHA256
ade80dad6e26d2348da553711d53bfe3bf99d971ebc227b93032a13730aa3116

SHA512
c8cee8133f071cd64ff4d158ed40d1dd02fe02dc9d8de83696a33b8298a7cabb76eae15daeced724b3d53ca90273109bbfb0f5d8402c7c3d584df148d009de88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
c9cede7e442dffc2db0e508bd4c75418

SHA1
b1d74d058beece322b12393305fcb86feffc546a

SHA256
28afe366f76d0a7d9c4fb48d40b435aae6a6b78acfad4ec08d63d53d84a07218

SHA512
fa42953fa6815222c23f92710cef084d1adae0baf4282e214fd439efa1b9a24711a1a7b41a0a0a08ecce390fffb76e7aa6b1d22a2acc954459cb82bc616b1f18

Download Submit
\??\pipe\LOCAL\crashpad_4076_AZLROIWQQOWNRQKU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads