hxxps://myaccess[.]microsoft[.]com/bcgov[.]onmicrosoft[.]com#/access-reviews/9414a616-c842-4de7-961f-730e8631edaf

Analysis

max time kernel
960s
max time network
967s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://myaccess.microsoft.com/bcgov.onmicrosoft.com#/access-reviews/9414a616-c842-4de7-961f-730e8631edaf

Score

5^/10

microsoft discovery phishing

Malware Config

Signatures

Detected potential entity reuse from brand microsoft.
phishing microsoft
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2652	msedge.exe
2652	msedge.exe
4020	msedge.exe
4020	msedge.exe
4836	identity_helper.exe
4836	identity_helper.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 4052	4020	msedge.exe	85
PID 4020 wrote to memory of 4052	4020	msedge.exe	85
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2760	4020	msedge.exe	86
PID 4020 wrote to memory of 2652	4020	msedge.exe	87
PID 4020 wrote to memory of 2652	4020	msedge.exe	87
PID 4020 wrote to memory of 5076	4020	msedge.exe	88
PID 4020 wrote to memory of 5076	4020	msedge.exe	88
PID 4020 wrote to memory of 5076	4020	msedge.exe	88
PID 4020 wrote to memory of 5076	4020	msedge.exe	88
PID 4020 wrote to memory of 5076	4020	msedge.exe	88
PID 4020 wrote to memory of 5076	4020	msedge.exe	88
PID 4020 wrote to memory of 5076	4020	msedge.exe	88
PID 4020 wrote to memory of 5076	4020	msedge.exe	88
PID 4020 wrote to memory of 5076	4020	msedge.exe	88
PID 4020 wrote to memory of 5076	4020	msedge.exe	88
PID 4020 wrote to memory of 5076	4020	msedge.exe	88
PID 4020 wrote to memory of 5076	4020	msedge.exe	88
PID 4020 wrote to memory of 5076	4020	msedge.exe	88
PID 4020 wrote to memory of 5076	4020	msedge.exe	88
PID 4020 wrote to memory of 5076	4020	msedge.exe	88
PID 4020 wrote to memory of 5076	4020	msedge.exe	88
PID 4020 wrote to memory of 5076	4020	msedge.exe	88
PID 4020 wrote to memory of 5076	4020	msedge.exe	88
PID 4020 wrote to memory of 5076	4020	msedge.exe	88
PID 4020 wrote to memory of 5076	4020	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://myaccess.microsoft.com/bcgov.onmicrosoft.com#/access-reviews/9414a616-c842-4de7-961f-730e8631edaf
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff2f5f46f8,0x7fff2f5f4708,0x7fff2f5f4718
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,2430811129469035402,15180978747008963875,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,2430811129469035402,15180978747008963875,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,2430811129469035402,15180978747008963875,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2588 /prefetch:8
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2430811129469035402,15180978747008963875,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2430811129469035402,15180978747008963875,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:1260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2430811129469035402,15180978747008963875,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,2430811129469035402,15180978747008963875,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,2430811129469035402,15180978747008963875,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2430811129469035402,15180978747008963875,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2430811129469035402,15180978747008963875,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1464 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2430811129469035402,15180978747008963875,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
  2⤵
  PID:2636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2430811129469035402,15180978747008963875,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:2160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,2430811129469035402,15180978747008963875,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2712 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\9418247e-7bfe-48a2-89c1-00dd7efc8743.tmp

Filesize
10KB

MD5
ac3faa8ebc448c91bed8af5eda3a2942

SHA1
03f1de4c33f138c5d5ff84ba548cfc5c9466e005

SHA256
cf69d113159f7ab3ce5838d5fc50be06eaa6c235db874ed8330805786fb562f3

SHA512
c9012c3b82833055dc8faaee429f45c745a5d2a3282b5572320fdd0277b92ff382b8acaac074a772c87562ed226355aeaa6e6580510cff3d3f67cd29f7055635

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
651676026f3333a79c336786d64f07f9

SHA1
4cdbc2389b9bf6cf18adc2752bf7582331751ab4

SHA256
b4cfbe4c44b2fd4683e9273ed47faaeadeae18610ef4bed364c65ce2840be529

SHA512
eea7a44dad862a118e58ddb358808a1d56744846d858a9e9c5923fde332f645b5f49118803b9596ff1a240838ad00200f3e60b3378a5c36198014cef0771ddeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
452B

MD5
344113e25f6dd67f4cfba70dc4d308ff

SHA1
14ed15f5d627b1d20bf1cde4ed322ecc26eddd4c

SHA256
56e761c3a32dc0059836b903a4d8c3b8156662b98d2b9810decb4eb6a3e9ac95

SHA512
cac1608006610cc7c8606bd5b07227a1d8b3fb7371be4b6f54f90229acc68d3b83be2ef4bd33dcffbd2b9a5bab5053982a911ad1a4369a250120e9f461cf1c4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5d21bc4a0166443bc50add312cb5e138

SHA1
53aad372309867d91de2925ef6745458281a099d

SHA256
fcad0e463b1cf708807bf2773c080da16497efa5ddc50a968c3b9a14c5a5e150

SHA512
51b6062219d4ace3eb9733cb9901d13eb9443235cbbd64137af16f73fd38a84c53c16701fa8efb0a00d8c042c7fc49c7af5973388d797295345d72a442fbbfb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3fc6f52e3ef40c68d60e35a488bdb221

SHA1
0bc6e713d31ba8ccaf038631a22e3ec714a7214a

SHA256
b47cd82a5c8fbe48335ebbb08d39dbdf7c755c585fec9ae07e3e6203bb0d6564

SHA512
08397227e83e67f29c6891eb83f4c2735e09a5b81cb600856b5eeb1f3eb8cf39fa007491a54bfe749de312247910e13a5c8c8b012d19143d969698007225dd91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit