hxxps://unesdoc[.]unesco[.]org/ark[:]/48223/pf0000215505

Analysis

max time kernel
274s
max time network
297s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://unesdoc.unesco.org/ark:/48223/pf0000215505

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2096	msedge.exe
2096	msedge.exe
1748	msedge.exe
1748	msedge.exe
1072	identity_helper.exe
1072	identity_helper.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 5052	1748	msedge.exe	83
PID 1748 wrote to memory of 5052	1748	msedge.exe	83
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 3940	1748	msedge.exe	84
PID 1748 wrote to memory of 2096	1748	msedge.exe	85
PID 1748 wrote to memory of 2096	1748	msedge.exe	85
PID 1748 wrote to memory of 2292	1748	msedge.exe	86
PID 1748 wrote to memory of 2292	1748	msedge.exe	86
PID 1748 wrote to memory of 2292	1748	msedge.exe	86
PID 1748 wrote to memory of 2292	1748	msedge.exe	86
PID 1748 wrote to memory of 2292	1748	msedge.exe	86
PID 1748 wrote to memory of 2292	1748	msedge.exe	86
PID 1748 wrote to memory of 2292	1748	msedge.exe	86
PID 1748 wrote to memory of 2292	1748	msedge.exe	86
PID 1748 wrote to memory of 2292	1748	msedge.exe	86
PID 1748 wrote to memory of 2292	1748	msedge.exe	86
PID 1748 wrote to memory of 2292	1748	msedge.exe	86
PID 1748 wrote to memory of 2292	1748	msedge.exe	86
PID 1748 wrote to memory of 2292	1748	msedge.exe	86
PID 1748 wrote to memory of 2292	1748	msedge.exe	86
PID 1748 wrote to memory of 2292	1748	msedge.exe	86
PID 1748 wrote to memory of 2292	1748	msedge.exe	86
PID 1748 wrote to memory of 2292	1748	msedge.exe	86
PID 1748 wrote to memory of 2292	1748	msedge.exe	86
PID 1748 wrote to memory of 2292	1748	msedge.exe	86
PID 1748 wrote to memory of 2292	1748	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://unesdoc.unesco.org/ark:/48223/pf0000215505
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdcc5046f8,0x7ffdcc504708,0x7ffdcc504718
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,10014773391887413444,1291084512323787787,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  2⤵
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,10014773391887413444,1291084512323787787,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1960,10014773391887413444,1291084512323787787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,10014773391887413444,1291084512323787787,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:2752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,10014773391887413444,1291084512323787787,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,10014773391887413444,1291084512323787787,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,10014773391887413444,1291084512323787787,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,10014773391887413444,1291084512323787787,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,10014773391887413444,1291084512323787787,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,10014773391887413444,1291084512323787787,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,10014773391887413444,1291084512323787787,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,10014773391887413444,1291084512323787787,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,10014773391887413444,1291084512323787787,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2616 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
211KB

MD5
e7226392c938e4e604d2175eb9f43ca1

SHA1
2098293f39aa0bcdd62e718f9212d9062fa283ab

SHA256
d46ec08b6c29c4ca56cecbf73149cc66ebd902197590fe28cd65dad52a08c4e1

SHA512
63a4b99101c790d40a813db9e0d5fde21a64ccaf60a6009ead027920dbbdb52cc262af829e5c4140f3702a559c7ac46efa89622d76d45b4b49a9ce01625ef145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
aed27db55739103c3c8a5f775048f32a

SHA1
7f4694c3f947a759a3def238cd2646306a4996f3

SHA256
6c5e0fc1b6eb818a0507be68d1cf6d50daca6f09b810592858acd1afc65a903a

SHA512
7b4e0f1879e72580437512ae757187d25719221e1aa00b5f93860e1d171bffdf9a3a392fcf5e23f845960ca166665afba265647ed349a76390e00ad676aa4179

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ccd5fafe97ca76bae978c9a1e4eec231

SHA1
dfa975e3ee256f2d95125ec61e6d7d4e5d9c0d17

SHA256
1ebb1a2d9d340cbcd44b24d063b5ac75a6d6a49f0a01a31d5d0d2b98c9595c7a

SHA512
1102520c25fe88b5f13f52f2a87c2dc3e3c30cd1fc2e56f4a7065e4b94e12bc039cbe6fa4b9ade8cd6964d1d1ad5a93e7990d5cb3a122196bb25634193a87048

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c8fd1dd22f3b430218522cb71ea91aa4

SHA1
7a590c3a86cdbbbde8610521740758def0671bce

SHA256
3b0f377ed43758b116e3bb96f6aefac2590dc30af7c6df6c751b9650a8a2fb29

SHA512
5ee0766f11b69d59056e67f443ec6ee721cd1c860a22167bdb07a0143a9cf41d4eab4866fc7b340f45e19e583f9b4fa5dbafec846a689ac2d2864075d5bba8f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
318b9ba8d3359c2440a3d969f50f3114

SHA1
7c40f01de76da96e7be429a7aa7663f6ed6f1a47

SHA256
85198f6ec0cb84586b241f54fb89f804f35f6a0d6afc5e3f76995821fd3d8392

SHA512
a5221d61d31f4db609e10294c7ed378b7f31cdce66e3d221e03a83405955ade72176d10c3f1c2e8e66374036b35178972590613f496a8163fef9bf0531cb3322

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bc8a107f88894c2322482d58b6427032

SHA1
e1a6bc3bd4e43104da0a07a736e694f96d915ff9

SHA256
982f90f8ca02ae772c12f98ab5d5d2677d325bef67116fd7ee443393195a55f9

SHA512
9173029de1c39ed97acb48f58bb4c899d2e16af08b09683b6373dedc68b7195fb357aa59a79194f7ed0daadc1ac5a1f567ce8df19ad59db5fab4c507a63d4b6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cc280e45100f7c79e7ab73fe5ae3bf05

SHA1
902c0b14a787095582c0b074cdd03d3ebe719688

SHA256
952e11382e23f28c8e5d8d75764c48a9bfb6d2f78a25b8c9f367280e666349a3

SHA512
39afe791007b52f38fbd6aa9e508c8f0534b0ec70dd8ecc87f754c094c9a32d8fdce5126ab567a8929a918f0b683dcbb7d695f38fc20278e163b05d1131aeee7

Download Submit