hxxps://secureemail[.]federalreserve[.]gov/s/e?m=ABCRI3r3GldJf6KZbBXopTKp&c=ABAnNUgLmwGOTDdxJUn90ptN&em=cpmimeetingmaterial%40rba[.]gov[.]au

Analysis

max time kernel
241s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-09-2024 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://secureemail.federalreserve.gov/s/e?m=ABCRI3r3GldJf6KZbBXopTKp&c=ABAnNUgLmwGOTDdxJUn90ptN&em=cpmimeetingmaterial%40rba.gov.au

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3044	msedge.exe
3044	msedge.exe
2292	msedge.exe
2292	msedge.exe
4072	identity_helper.exe
4072	identity_helper.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 1960	2292	msedge.exe	83
PID 2292 wrote to memory of 1960	2292	msedge.exe	83
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 468	2292	msedge.exe	84
PID 2292 wrote to memory of 3044	2292	msedge.exe	85
PID 2292 wrote to memory of 3044	2292	msedge.exe	85
PID 2292 wrote to memory of 2640	2292	msedge.exe	86
PID 2292 wrote to memory of 2640	2292	msedge.exe	86
PID 2292 wrote to memory of 2640	2292	msedge.exe	86
PID 2292 wrote to memory of 2640	2292	msedge.exe	86
PID 2292 wrote to memory of 2640	2292	msedge.exe	86
PID 2292 wrote to memory of 2640	2292	msedge.exe	86
PID 2292 wrote to memory of 2640	2292	msedge.exe	86
PID 2292 wrote to memory of 2640	2292	msedge.exe	86
PID 2292 wrote to memory of 2640	2292	msedge.exe	86
PID 2292 wrote to memory of 2640	2292	msedge.exe	86
PID 2292 wrote to memory of 2640	2292	msedge.exe	86
PID 2292 wrote to memory of 2640	2292	msedge.exe	86
PID 2292 wrote to memory of 2640	2292	msedge.exe	86
PID 2292 wrote to memory of 2640	2292	msedge.exe	86
PID 2292 wrote to memory of 2640	2292	msedge.exe	86
PID 2292 wrote to memory of 2640	2292	msedge.exe	86
PID 2292 wrote to memory of 2640	2292	msedge.exe	86
PID 2292 wrote to memory of 2640	2292	msedge.exe	86
PID 2292 wrote to memory of 2640	2292	msedge.exe	86
PID 2292 wrote to memory of 2640	2292	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://secureemail.federalreserve.gov/s/e?m=ABCRI3r3GldJf6KZbBXopTKp&c=ABAnNUgLmwGOTDdxJUn90ptN&em=cpmimeetingmaterial%40rba.gov.au
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdef0446f8,0x7ffdef044708,0x7ffdef044718
  2⤵
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,4235692692982949802,3554028522605477286,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1988 /prefetch:2
  2⤵
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1844,4235692692982949802,3554028522605477286,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1844,4235692692982949802,3554028522605477286,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
  2⤵
  PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,4235692692982949802,3554028522605477286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,4235692692982949802,3554028522605477286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1844,4235692692982949802,3554028522605477286,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
  2⤵
  PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1844,4235692692982949802,3554028522605477286,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,4235692692982949802,3554028522605477286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,4235692692982949802,3554028522605477286,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,4235692692982949802,3554028522605477286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,4235692692982949802,3554028522605477286,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:4016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,4235692692982949802,3554028522605477286,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5836 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4128

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
fbc6dc0965fe6e12937b13356d17a365

SHA1
71f99792f5d826102f0df36a8f723cedda9195e9

SHA256
e5745cc86e17f753e319170baab4148a41d3dcb7c03cdbd3ad230d47cf81a134

SHA512
1d1722ff60a016598fe01705eb8ea4ac4f15cf5a5b104e62d7d19a62a9727e7f415e090a69372bacbe45216b8b2892e57c59cbb40d7634378db5438f9e5514c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
996b6305519ca6d0daaf2841f0c0093c

SHA1
a9571d029cb89e2a841add0c73fba082a8528feb

SHA256
1f1375c7698a65d1af7cec5934a4227a64194289faf69db7f255d7440e455310

SHA512
262fa00257154d612bf78d7f6b112c96652248cac67e0c2420407219f71dd487da3438940e62599bd78af7cc9f1e6630e2b275a430592322b7cab47e7e175e38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
04c0053e1a792f63612844e4d63958a1

SHA1
bbccc7955fa83c763960e1152bde3c79f2a49bb9

SHA256
630f46be7fdf52de9cb7fa84f3a7766bc7e889caa16407da79bfc0b2443c60d6

SHA512
57db8c8c5632aa57349834b1043e5cd56748c8c37df8864dcf19be9d5aab2c622cbc3a494733507ba71d8b64714d6ff00fa80b709b88ecbde72eed8848d6ed02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
87264b6e43e05ba6f7a3e81a73fdf9e8

SHA1
9262737461abe6d947fc26ff538885e6a74471fa

SHA256
d2cd2680760b062e45dcf3df4f62429cf32d6568589bcb8ce9c85e85a732111c

SHA512
d7eae6e3f1e35f7c9fbf28e7a4fa3f5506367f6a5cdd2423f63572499b9e6fc677993e475349644cf95427077ff464ffdeb69313823d28a3c2207875609a04de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0e1d150d616fca02f7263507438507f8

SHA1
42d50566db8e6e9e5d71093dc031c7e030f1f468

SHA256
f514184c700f9ceb2b44610710aaef489b9f3e9b713f47731848903a1582cfc4

SHA512
ace552eae3de851886651198d1ea881a2a0a35e4f0a0e9dc2b9c24734749203729ca0fab43545329fbac2d75d754f241fb4fa1e4edabd358281f21bca73ae31d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
203B

MD5
45b64be981b4bd6f19a0ecb45824f2f5

SHA1
1d8ba970f1d85d8807e3be7bb29201cb7e4eb1a1

SHA256
e9d0a5635197e6b746a8b4878c9756ecb52931f04223e3d9325ec073c1422d93

SHA512
aa8bb5fd62d53f50e45276c637dbeb2e752749e50e454fc7cb66a07e9f32e06e416399447a17c1db6fc663427966ac2220ab3a7a3d7b09f119fb7851688878bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58da00.TMP

Filesize
203B

MD5
e7014057e7b5dc556e8a32aaf3a070fc

SHA1
2580a3d630d780cb49211b4fdf8cf686d760ee9c

SHA256
a80bba3231d109d3a1e1962ae70eacf6a5662070d48366b32e7f300b15550e88

SHA512
16609ede1b4ef4a0379ee3102e46c7d290f906645d4cff724bb31c6a78132fc85490b6dc2ad96e490c762c02e72b30c4c91c8728de9c66a21192a3937bfe23eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4f2076b6905fe40289aad3cb84666440

SHA1
df6c66e1cd4ec9693b597cc5697da3bc60c30f52

SHA256
18bc123d6df443819690ff650d0b4286d8a25069db02d372104dd27d8e955eeb

SHA512
4549bce9b345e17aede5824b3539ef5e2571f73a5f681cea667ab18a1f1db9cb36980dd083b6685a897fbcdabb1558fcc72271fd33505c1ca54cec8e19fd899b

Download Submit