Analysis

  • max time kernel
    31s
  • max time network
    35s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-06-2024 11:03

General

  • Target

    https://krs.microsoft.com/redirect?id=lxDNVZKK

Score
5/10

Malware Config

Signatures

  • Detected potential entity reuse from brand microsoft.
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://krs.microsoft.com/redirect?id=lxDNVZKK
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3860
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa025546f8,0x7ffa02554708,0x7ffa02554718
      2⤵
      PID:2816
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,2072896521631373594,16862266937027750158,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
      2⤵
      PID:396
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,2072896521631373594,16862266937027750158,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1936
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,2072896521631373594,16862266937027750158,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
      2⤵
      PID:5052
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2072896521631373594,16862266937027750158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
      2⤵
      PID:1684
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2072896521631373594,16862266937027750158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
      2⤵
      PID:4644
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,2072896521631373594,16862266937027750158,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
      2⤵
      PID:540
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,2072896521631373594,16862266937027750158,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2564
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2072896521631373594,16862266937027750158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
      2⤵
      PID:4824
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2072896521631373594,16862266937027750158,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
      2⤵
      PID:2560
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2072896521631373594,16862266937027750158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
      2⤵
      PID:3908
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2072896521631373594,16862266937027750158,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
      2⤵
      PID:2968
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2072896521631373594,16862266937027750158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
      2⤵
      PID:2004
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4552
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4740

                            Network

MITRE ATT&CK Matrix ATT&CK v13

  • Discovery
    • Query Registry (1): T1012
    • System Information Discovery (1): T1082


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: c5abc082d9d9307e797b7e89a2f755f4
    SHA1: 54c442690a8727f1d3453b6452198d3ec4ec13df
    SHA256: a055d69c6aba59e97e632d118b7960a5fdfbe35cfdfaa0de14f194fc6f874716
    SHA512: ad765cddbf89472988de5356db5e0ee254ca3475491c6034fba1897c373702ab7cfa4bd21662ab862eebb48a757c3eb86b1f8ed58629751f71863822a59cd26c

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: b4a74bc775caf3de7fc9cde3c30ce482
    SHA1: c6ed3161390e5493f71182a6cb98d51c9063775d
    SHA256: dfad4e020a946f85523604816a0a9781091ee4669c870db2cabab027f8b6f280
    SHA512: 55578e254444a645f455ea38480c9e02599ebf9522c32aca50ff37aad33976db30e663d35ebe31ff0ecafb4007362261716f756b3a0d67ac3937ca62ff10e25f

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015
    Filesize: 204KB
    MD5: 081c4aa5292d279891a28a6520fdc047
    SHA1: c3dbb6c15f3555487c7b327f4f62235ddb568b84
    SHA256: 12cc87773068d1cd7105463287447561740be1cf4caefd563d0664da1f5f995f
    SHA512: 9a78ec4c2709c9f1b7e12fd9105552b1b5a2b033507de0c876d9a55d31678e6b81cec20e01cf0a9e536b013cdb862816601a79ce0a2bb92cb860d267501c0b69

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize: 480B
    MD5: dcb248c68bb723f2a064f5b1866a1c0a
    SHA1: 1fff653cbc9f34bacc9844f054b4220eb5c2efbf
    SHA256: 7c82f31e3fe0b59ca4a46baa4ba4197b12e147e04e73e935a3a3fab4bda9f27f
    SHA512: 8abad32d1ae96ece7ed030ea40fab8756d3db44cf0216b98bea79bce192d6170477c8525e1e2608de949cd6261f9277333ba6502eb75f4c50ef25a57a5e7b71d

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize: 2KB
    MD5: 2b3f722e27ed38c3e7e45a034a47228a
    SHA1: 2c45b0d4d079d3fba39c16316bf981b7d55d4b63
    SHA256: ec602bd7e2d744659f01e2267b0fd97d7a4321ca3f57b03c4e64281b53eb5e1f
    SHA512: a72714a5a4df1bb677d8df6e11dbb83b9329595979b5ae58f8b3b9c6273e9857f8d2933bef9813c1c1b89cf505a5faf8d7c164d41ca30942c5346611d0957043

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: 3e158886823d283f14d2801513ba91be
    SHA1: e827d140889d9d148a263287249e7771fa05db2b
    SHA256: 6e40887f7663d318e8c20721c65303a707c18caa55384f0c3325e40a5e2e66b4
    SHA512: 55abeea283481af697dcd60c5e27ac5c2d8cf26ddc9a12e8abe616d6652de00ece268dfe89d7f2427ed146145dfc9aa0f49c93bc59b597506485975175ab244f

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 7KB
    MD5: 59fa5d6443eeade9b0ef8fd701c6f58b
    SHA1: da767aa020431c39d1a6c80fc204f9a7faf178c0
    SHA256: 1f500e64dd0952c3351aad7eae2b75ef2c340d07eed7e212223ee1fd94843d62
    SHA512: c6a13110d8c0898f79da6b03e880421e128a64a667ec9cc827e4d1b9803d771b60f77b6cf8b7815cfc17da3e11fd6a8ef2f62fa28c5ece44644c362a3271affa

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 520c4c23d8394e3bc26c1fecae411959
    SHA1: 71fcedc1f579862d1b908e993ad8176e933b2423
    SHA256: b685eede37961eb2e622a6a3462c35446554f5f1d5c7831a3ee93108958b30df
    SHA512: 3aae67d437e8b9679c707ef1996331096dccff485cceafec36a699e5ff5c1b4e90b352f01eaff00920679e676bc3658b8d1a75892dce257ff01f2fff9afcff7c

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
    Filesize: 1KB
    MD5: 2530cd93a893b7b1166a981761a18f33
    SHA1: db5ac8765d64e64fa027b8d52637a675db52a3a1
    SHA256: c80101aea40ee8b6d847f275d767c98b35abb37ff840dab97bf5e7c1f3c3b238
    SHA512: d35f75efc10161b363eb72fb1c2ffa6aad7889e05511838e9d50a63bf44a9ecbb77f22f2fe837cb0317df14ecf64b6a8d386d4ca66b95a563c683bea2e935072

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c94b.TMP
    Filesize: 372B
    MD5: d2485511b28b4c65287464ec28983619
    SHA1: c9710acdf9f2a961a05b996474006fe01e16d7ec
    SHA256: bce9c559d34b2fa2c78df29b68d90a64c1898ef2329747072ab401886e347e44
    SHA512: f9a9483051e5a65135bb75731fb092af68708b19cc93613fe3dcaeb55bd9606c619677e4b53f5208a2e5ece8da86a6223c1b064817a56ace94c9a390e7e95729

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 46295cac801e5d4857d09837238a6394
    SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
    SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
    SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 206702161f94c5cd39fadd03f4014d98
    SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
    SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
    SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 11KB
    MD5: 9322c444107baf146c872b6bf9ba91cc
    SHA1: fb17e95009c89779021a85cd403ba9f6ebfe9f32
    SHA256: ebeb69ee04510ae78bb6f6da090d369c8398084c6bbedf965d83a913f4ffd6c0
    SHA512: 40dba5fad43b9801df2a0164c4fa8d35dec1a45427b1c88785b8cf77ff5efed69bfe0e98b6d40f7a163f1cb68feebe24491255c221a8811fbc9228d73265c089

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 11KB
    MD5: 0b270df7e9fc726d00e3235d7a719c50
    SHA1: e7780934f51bbedf8745e3c24c7fbd192ce0b1cf
    SHA256: 5ccc39396043e9e34d31808d11b433a173c73257ae52b7205380b7bec9779f09
    SHA512: 8c852ce87572c5fd2fcb479cfacf094aeb4c32106e5d2edcf74c05591142846c7e6ebeffc607498a6642303d1e6073827b58f87018602201a16e25e60797ac6a

  • \??\pipe\LOCAL\crashpad_3860_XYBYQIFGTGHEGWRO
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e