hxxps://dmaadmino365-my[.]sharepoint[.]com/[:]o[:]/g/personal/karmstrong_dickensmitchener_com/EkgOiLrlBZdDlWY7NCZUAlsB61gYmYUnOPf6TJsKeKypyA?e=5%3a19Bf4p&at=9

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://dmaadmino365-my.sharepoint.com/:o:/g/personal/karmstrong_dickensmitchener_com/EkgOiLrlBZdDlWY7NCZUAlsB61gYmYUnOPf6TJsKeKypyA?e=5%3a19Bf4p&at=9

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2252	msedge.exe
2252	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4812	identity_helper.exe
4812	identity_helper.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 5084	4972	msedge.exe	83
PID 4972 wrote to memory of 5084	4972	msedge.exe	83
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 3864	4972	msedge.exe	84
PID 4972 wrote to memory of 2252	4972	msedge.exe	85
PID 4972 wrote to memory of 2252	4972	msedge.exe	85
PID 4972 wrote to memory of 2936	4972	msedge.exe	86
PID 4972 wrote to memory of 2936	4972	msedge.exe	86
PID 4972 wrote to memory of 2936	4972	msedge.exe	86
PID 4972 wrote to memory of 2936	4972	msedge.exe	86
PID 4972 wrote to memory of 2936	4972	msedge.exe	86
PID 4972 wrote to memory of 2936	4972	msedge.exe	86
PID 4972 wrote to memory of 2936	4972	msedge.exe	86
PID 4972 wrote to memory of 2936	4972	msedge.exe	86
PID 4972 wrote to memory of 2936	4972	msedge.exe	86
PID 4972 wrote to memory of 2936	4972	msedge.exe	86
PID 4972 wrote to memory of 2936	4972	msedge.exe	86
PID 4972 wrote to memory of 2936	4972	msedge.exe	86
PID 4972 wrote to memory of 2936	4972	msedge.exe	86
PID 4972 wrote to memory of 2936	4972	msedge.exe	86
PID 4972 wrote to memory of 2936	4972	msedge.exe	86
PID 4972 wrote to memory of 2936	4972	msedge.exe	86
PID 4972 wrote to memory of 2936	4972	msedge.exe	86
PID 4972 wrote to memory of 2936	4972	msedge.exe	86
PID 4972 wrote to memory of 2936	4972	msedge.exe	86
PID 4972 wrote to memory of 2936	4972	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://dmaadmino365-my.sharepoint.com/:o:/g/personal/karmstrong_dickensmitchener_com/EkgOiLrlBZdDlWY7NCZUAlsB61gYmYUnOPf6TJsKeKypyA?e=5%3a19Bf4p&at=9
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff615746f8,0x7fff61574708,0x7fff61574718
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,1318709508508205047,9989137222323325520,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
  2⤵
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,1318709508508205047,9989137222323325520,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,1318709508508205047,9989137222323325520,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
  2⤵
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,1318709508508205047,9989137222323325520,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,1318709508508205047,9989137222323325520,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:1792
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,1318709508508205047,9989137222323325520,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,1318709508508205047,9989137222323325520,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,1318709508508205047,9989137222323325520,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,1318709508508205047,9989137222323325520,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,1318709508508205047,9989137222323325520,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,1318709508508205047,9989137222323325520,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,1318709508508205047,9989137222323325520,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5844 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3360

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9622e603d436ca747f3a4407a6ca952e

SHA1
297d9aed5337a8a7290ea436b61458c372b1d497

SHA256
ace0e47e358fba0831b508cd23949a503ae0e6a5c857859e720d1b6479ff2261

SHA512
f774c5c44f0fcdfb45847626f6808076dccabfbcb8a37d00329ec792e2901dc59636ef15c95d84d0080272571542d43b473ce11c2209ac251bee13bd611b200a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
04b60a51907d399f3685e03094b603cb

SHA1
228d18888782f4e66ca207c1a073560e0a4cc6e7

SHA256
87a9d9f1bd99313295b2ce703580b9d37c3a68b9b33026fdda4c2530f562e6a3

SHA512
2a8e3da94eaf0a6c4a2f29da6fec2796ba6a13cad6425bb650349a60eb3204643fc2fd1ab425f0251610cb9cce65e7dba459388b4e00c12ba3434a1798855c91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
ac52f0d3778d05e5dfbdd2525755d2d5

SHA1
4f55d91958c690a058f9964e1df805cf23443b05

SHA256
ddc02fd0c87f0719fe1d3ea14df8078fc740b75824034ed50d2cc8251810edf0

SHA512
21f49c2997597949b8462bab3259bd333292b245f5b266241227012bd614b289f297b21c71c1a0e84aca9a729727642f78c2508b0021b1a7388ecaff2cea1220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
364B

MD5
5a958e1154f0b62dabfbdf1108fd3d44

SHA1
6834c9f936cd9aed385ea90c2d6987980443c8ee

SHA256
b78e76a07b246f83140052871d55b72dbd44b0587cb0aae61fb057abf256c2f9

SHA512
1c92e47ff13e54703719660637fdcc57a7406d668534c434cf384367ce1561aa84e854f0bdfcb25edfbb065259d4544cb2c777123cdd9e339ca4f3250a4f9aae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
eaef6cfb05499fa4d87e7889e63f8026

SHA1
8b624f6a05cf435b50ece31bd76ac6b18974091c

SHA256
15f4aa61001eed05a65a78e098e7fa6d81adce074ddf5156beab9a86a84afd12

SHA512
04df682f46f0acae7fa15a31563bca941b9a144deef2c8ab1612c21df1538400c8ed9025961c53554c32d7919235543983ad075ee3f73f495078f8f9feacb669

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
456a4ba1ee99c5c5cc220d689cb7cd4d

SHA1
a18c88fa5be018133fc253eacf6eb655432247a1

SHA256
b4be3d5c2dab097bb5803f0076b246b336396494d1e2d08a1382fd5f2eeff5c8

SHA512
b199f4bd06556d6708e26c854b9c20bbf1d35c5ce2f5fce00ade06595752b4e820774ac5f0843b965e54f473506d48f9a46c8c7b3a949445846361b98504ed8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
eff99a3ffab386337281728acd343e24

SHA1
c06890912d404499e08fb2034c4fba639c4bf261

SHA256
02074e779b2d29f11c4db2dada8aead4713b370932541a55ba576a7f73a92008

SHA512
9dd7911358b22950ff9f8c7bc777a4d295b4be2c54ed533a5ef4a49f551914d9c68231119981cc187e4edb30db0a1bea4b1b462aaeb1bcfa048127893b1e55bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit