hxxps://url[.]us[.]m[.]mimecastprotect[.]com/s/4_50C68yPvsMgGKJT6h2H5jzUI?domain=click[.]eml[.]nordstrom[.]comhxxps://url[.]us[.]m[.]mimecastprotect[.]com/s/A-wKC73zQwfy0WkYFBiJHo0kKZ?domain=click[.]eml[.]nordstrom[.]com

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://url.us.m.mimecastprotect.com/s/4_50C68yPvsMgGKJT6h2H5jzUI?domain=click.eml.nordstrom.comhttps://url.us.m.mimecastprotect.com/s/A-wKC73zQwfy0WkYFBiJHo0kKZ?domain=click.eml.nordstrom.com

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2676	msedge.exe
2676	msedge.exe
1364	msedge.exe
1364	msedge.exe
784	identity_helper.exe
784	identity_helper.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 1896	1364	msedge.exe	84
PID 1364 wrote to memory of 1896	1364	msedge.exe	84
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2032	1364	msedge.exe	85
PID 1364 wrote to memory of 2676	1364	msedge.exe	86
PID 1364 wrote to memory of 2676	1364	msedge.exe	86
PID 1364 wrote to memory of 3452	1364	msedge.exe	87
PID 1364 wrote to memory of 3452	1364	msedge.exe	87
PID 1364 wrote to memory of 3452	1364	msedge.exe	87
PID 1364 wrote to memory of 3452	1364	msedge.exe	87
PID 1364 wrote to memory of 3452	1364	msedge.exe	87
PID 1364 wrote to memory of 3452	1364	msedge.exe	87
PID 1364 wrote to memory of 3452	1364	msedge.exe	87
PID 1364 wrote to memory of 3452	1364	msedge.exe	87
PID 1364 wrote to memory of 3452	1364	msedge.exe	87
PID 1364 wrote to memory of 3452	1364	msedge.exe	87
PID 1364 wrote to memory of 3452	1364	msedge.exe	87
PID 1364 wrote to memory of 3452	1364	msedge.exe	87
PID 1364 wrote to memory of 3452	1364	msedge.exe	87
PID 1364 wrote to memory of 3452	1364	msedge.exe	87
PID 1364 wrote to memory of 3452	1364	msedge.exe	87
PID 1364 wrote to memory of 3452	1364	msedge.exe	87
PID 1364 wrote to memory of 3452	1364	msedge.exe	87
PID 1364 wrote to memory of 3452	1364	msedge.exe	87
PID 1364 wrote to memory of 3452	1364	msedge.exe	87
PID 1364 wrote to memory of 3452	1364	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://url.us.m.mimecastprotect.com/s/4_50C68yPvsMgGKJT6h2H5jzUI?domain=click.eml.nordstrom.comhttps://url.us.m.mimecastprotect.com/s/A-wKC73zQwfy0WkYFBiJHo0kKZ?domain=click.eml.nordstrom.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc289d46f8,0x7ffc289d4708,0x7ffc289d4718
  2⤵
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,753247223395573369,698318538138415257,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
  2⤵
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,753247223395573369,698318538138415257,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,753247223395573369,698318538138415257,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
  2⤵
  PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,753247223395573369,698318538138415257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,753247223395573369,698318538138415257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
  2⤵
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,753247223395573369,698318538138415257,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 /prefetch:8
  2⤵
  PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,753247223395573369,698318538138415257,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,753247223395573369,698318538138415257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:1228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,753247223395573369,698318538138415257,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,753247223395573369,698318538138415257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,753247223395573369,698318538138415257,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:2220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,753247223395573369,698318538138415257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,753247223395573369,698318538138415257,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1888 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
185B

MD5
a7af94cd04667dd36257e4b08c889f99

SHA1
c59805fb7f8807624691bec59f91a93099d08d10

SHA256
9f2cc891f62be97eaba46a756df24922093ce588659b999483737e0bb7d9b885

SHA512
dcde0216feb693ddae88eab48939b0681e0e2213b0ec2534d5291224dcc9610d81826a4d77c1bf919d6577d25d29f495ee568d0141cbc1cf1b643c92084c5ab5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ac714c42606bdf0df8fd3b07b479c1aa

SHA1
fed63ccdc04fc5edf3bb8c88df7615f79e7a5a35

SHA256
af6bd6c0dba738362385bf69e9c7f5459f5e9583e8ba6828e07e8860c0f86603

SHA512
c96c825e09292bb1d26e43694285df171e08a732f0d8e4d3b3c6fe8e7511131ca9e320987d737a8bdc18a7f246e45e13a050f58bd6631d9ee23eee29299b6758

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2656e89ac866f34c41b4065f16cdc409

SHA1
a2b3ea8d025cc633ca0e97b3f185a66273cd2bb4

SHA256
c212140009c5bbbb978c2eea5e23d97b7c9d2329ee27993f62b9f782673c1b97

SHA512
69afd1928beed8e1d09c7fb67da43e84ff146d7e9deb3477cfee104f3096c8e23e7eba525e1e05fd1d104961cbe9d02ab19eed180f2bbc61b339d71abd57081e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
75fb87a40bbde1ddb426927e826f11e9

SHA1
67fc59ae7142cf20aa47a02bc68f0e1cb04a7fb8

SHA256
2e4a025315ceaa61a83804d4f12739f7aa7279e0ec6b8cd47cf9678bd24b71e7

SHA512
9dddff29094602b10da7bba0d060a63b0199ec8df9feecbbc6b257e1e1be628572ba0fb119747f607ea2017a5213c1cef140d67d4006790e6343d202d5b21674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
023d25a47b838a6f9ba2de873a219c28

SHA1
ebde0b46a1c6ae1250143e559def8817464dee73

SHA256
ed652f6e6b4211105fa76f3d049cc6db8d0c0eb5f22a0f87ab179f954dc2323c

SHA512
be32f1b472fafc7bf308f2625eaa065b4043ff011418e753d2c220e318d4d5d160c5ea4421c464d44808b6505a84634434915dc7ccdc6e14f039cfda9f45ef75

Download Submit