Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-07-2024 15:27

General

  • Target

    https://aka.ms/o0ukef

Score
5/10

Malware Config

Signatures

  • Detected potential entity reuse from brand microsoft.
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://aka.ms/o0ukef
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:800
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xdc,0xe0,0xe4,0xd8,0x108,0x7ffa974146f8,0x7ffa97414708,0x7ffa97414718
      2⤵
      PID:452
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,4528913309617207634,12590001510717005342,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
      2⤵
      PID:1292
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,4528913309617207634,12590001510717005342,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1008
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,4528913309617207634,12590001510717005342,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
      2⤵
      PID:1184
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,4528913309617207634,12590001510717005342,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
      2⤵
      PID:2540
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,4528913309617207634,12590001510717005342,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
      2⤵
      PID:4652
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,4528913309617207634,12590001510717005342,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
      2⤵
      PID:4924
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,4528913309617207634,12590001510717005342,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3952 /prefetch:8
      2⤵
      PID:3120
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,4528913309617207634,12590001510717005342,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3952 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2488
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,4528913309617207634,12590001510717005342,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
      2⤵
      PID:2204
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,4528913309617207634,12590001510717005342,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
      2⤵
      PID:4048
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,4528913309617207634,12590001510717005342,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
      2⤵
      PID:3308
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,4528913309617207634,12590001510717005342,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
      2⤵
      PID:2376
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,4528913309617207634,12590001510717005342,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
      2⤵
      PID:1800
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,4528913309617207634,12590001510717005342,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4860 /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1776
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1784
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:5032

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: db9081c34e133c32d02f593df88f047a
    SHA1: a0da007c14fd0591091924edc44bee90456700c6
    SHA256: c9cd202ebb55fe8dd3e5563948bab458e947d7ba33bc0f38c6b37ce5d0bd7c3e
    SHA512: 12f9809958b024571891fae646208a76f3823ae333716a5cec303e15c38281db042b7acf95bc6523b6328ac9c8644794d39a0e03d9db196f156a6ee1fb4f2744

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 3a09f853479af373691d131247040276
    SHA1: 1b6f098e04da87e9cf2d3284943ec2144f36ac04
    SHA256: a358de2c0eba30c70a56022c44a3775aa99ffa819cd7f42f7c45ac358b5e739f
    SHA512: 341cf0f363621ee02525cd398ae0d462319c6a80e05fd25d9aca44234c42a3071b51991d4cf102ac9d89561a1567cbe76dfeaad786a304bec33821ca77080016

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\505b896f-4faa-40f4-bffd-0f617682eb79.tmp
    Filesize: 2KB
    MD5: d3d186bfd4dfb18b85997c335ad3787d
    SHA1: f6de8efca7cc2faf14c038008a8b544db04981f4
    SHA256: 4843c8415ccb9d3c930532bd6e4ce9603333975e2ed83b65c62c17afc06e0d81
    SHA512: e824c22e1afcdbf5b951808a2eaba2dffbec5c2a19ebea6f63b95fce2a545b1ac335be27c891d43fbf160ad378e3958bf93ecceb8eeb84d0f525930be97739d5

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\5c7e6f75-2674-478c-b16b-897aa0e0d7c9.tmp
    Filesize: 7KB
    MD5: eabcf521c671454411ead2adaa07270d
    SHA1: ebcc06d3a2dd6073d4585ca4e08b40840339b86d
    SHA256: 4b929963213c48bd64ae9c8491235c424fce8fbbe0efd4e0fc041bcdd6af8b1f
    SHA512: 6b99f32c8da60115c9bf70e82a19f4b8baecd7c136d107fa7d1a43a70d0ef97794b29945fb3ed402ed9b1d46a57b92d38695659c5ff6512517822eb638075741

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015
    Filesize: 211KB
    MD5: 151fb811968eaf8efb840908b89dc9d4
    SHA1: 7ec811009fd9b0e6d92d12d78b002275f2f1bee1
    SHA256: 043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed
    SHA512: 83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize: 504B
    MD5: 5fc27736175401ea70de39f3d492bbe2
    SHA1: 3e3d124387cc0b06bd127d77d5e400ce06819985
    SHA256: 571b00bc2463728cef616a397d8a57295520b468a5328a56c747a3516ee7c573
    SHA512: 9d878d37e7cc5ec1e7d69038fd3681fc5032432915a943c9edc819e05a96c07b6d5fb97467f80b141d20c6844a1b708cf3a8313f7d670427c40ee0daf8cf68c9

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize: 2KB
    MD5: f4f9f190589bf79a76b0ff0890b4fe88
    SHA1: 99815660b49d24b7804d44620d16a8bd91b5284a
    SHA256: 6d7cb32dcb615e2528a013f51e1b22dc743f5d6808c385361cc2005cb66befd7
    SHA512: c11d06e9e7dc254e55ba4aa8e4f6966a9493fb2ec5036a635e08778c513f5b61dc4a30a5ec1939b06a788ad8954de168ea772a65be36b30e8a551c45d39adec4

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: 0112a1024644d52564a2a1a4ebedd3f5
    SHA1: e79c9868eaa7b41421009c724faca4a040fe8553
    SHA256: ab504a7d10155266fcb0feb86c5597d30640249598a2b44582b39e1c0965edfa
    SHA512: 281cad82d20795c855396d100c8e84a4e8c40e3344cc83bfce368f72cf8016dac8134e0b06b1c3a6f47aaa0fc3027e2670688e571664a72bc8df016dffc58828

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 38cff80573b8fea633ad249b5dba57f9
    SHA1: 90ad4e10fc85ec0a9baeded7318a097ae5dd354f
    SHA256: 9c96fd6cb2e8c8efcbb7c48dd0d47d27323aca7d4f6b39e0b8523877e95cd804
    SHA512: f15653e3cd284bab216362f5bafc32d925ebaa5ea250d22d68f9016be9df5d8c170fe67f100468992ae72d73d62e5e675091c45c20cf9b58a35f27e33e74f794

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
    Filesize: 1KB
    MD5: 9804793aaf69901a6d59c061ab33a7f5
    SHA1: aca538cc27e25f6a4a09e5ff47a6bb8e4b300fa1
    SHA256: 875f591112bcc7730cee294a1781853da9e1ea5218a0439b1814a7c11462f861
    SHA512: f9b9873d4a34b8ce152776babb8c14cf39fbdf24de844bd170a79a30f14a38427dca909f48a27adce123b458c0fa6725d055b51fb8913d70f2d98cec5f5ef8cb

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
    Filesize: 1KB
    MD5: cf1a7eb8650479b5254285082cbfeae0
    SHA1: 7f587817f42d52aceac5d7071290e7a5a5a7b7c7
    SHA256: f0a41181baf763dca8aac984b7654b34a7c5438d22e69e0bd96a2f03a8841e70
    SHA512: c256199b2e88da0deb49d634af26e27074a1f33e6119ac3e1965a4d7b77818cda873e9bf74633f275df1b554f2d7324f83d348953e347ed8f95a7d9c6f09fb14

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57902a.TMP
    Filesize: 707B
    MD5: f2b1e0e51b07ca51f9e9ba5a9e034af3
    SHA1: 6f7c76d1916640c65d6d765e4ff1d7ac4ae20c3e
    SHA256: 943803f4a3e1ff7be36e4cdab569ecc2a503105bbdde6e61945a80704c917531
    SHA512: fc034f9bc0f9311006a2e21ef4513651a10ca24bce659048d8265fa3ad52ef6d4527387e31ac15b4c4fcefaa1291d3effdc76c356617cfd3e0410865e5fac41b

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 6752a1d65b201c13b62ea44016eb221f
    SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
    SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
    SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 11KB
    MD5: c303f586b9a6efba26b9f5fb1bed7626
    SHA1: 50ba5cc1655072e7c801897a474c69dc70073ce1
    SHA256: ce823e8c7ec823a6994cd24fab79f94da02829a517a7fa0d13ccb6fdfb9f3f2a
    SHA512: 5b34c097c945d2144cfdecbcf9e44e1cf8c868730b37cb3040930f9af03c9f1ad1561701b893000b61666e343c7c846ed80b606c773d8c79465e4c016968e25a

  • \??\pipe\LOCAL\crashpad_800_IQLNHTNHYLIEGILW
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e