hxxp://4office365[.]from-mo[.]com/

Analysis

max time kernel
145s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 14:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://4office365.from-mo.com/

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1804	msedge.exe
1804	msedge.exe
4272	msedge.exe
4272	msedge.exe
1592	identity_helper.exe
1592	identity_helper.exe
3536	msedge.exe
3536	msedge.exe
3536	msedge.exe
3536	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 4064	4272	msedge.exe	83
PID 4272 wrote to memory of 4064	4272	msedge.exe	83
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 4336	4272	msedge.exe	84
PID 4272 wrote to memory of 1804	4272	msedge.exe	85
PID 4272 wrote to memory of 1804	4272	msedge.exe	85
PID 4272 wrote to memory of 4092	4272	msedge.exe	86
PID 4272 wrote to memory of 4092	4272	msedge.exe	86
PID 4272 wrote to memory of 4092	4272	msedge.exe	86
PID 4272 wrote to memory of 4092	4272	msedge.exe	86
PID 4272 wrote to memory of 4092	4272	msedge.exe	86
PID 4272 wrote to memory of 4092	4272	msedge.exe	86
PID 4272 wrote to memory of 4092	4272	msedge.exe	86
PID 4272 wrote to memory of 4092	4272	msedge.exe	86
PID 4272 wrote to memory of 4092	4272	msedge.exe	86
PID 4272 wrote to memory of 4092	4272	msedge.exe	86
PID 4272 wrote to memory of 4092	4272	msedge.exe	86
PID 4272 wrote to memory of 4092	4272	msedge.exe	86
PID 4272 wrote to memory of 4092	4272	msedge.exe	86
PID 4272 wrote to memory of 4092	4272	msedge.exe	86
PID 4272 wrote to memory of 4092	4272	msedge.exe	86
PID 4272 wrote to memory of 4092	4272	msedge.exe	86
PID 4272 wrote to memory of 4092	4272	msedge.exe	86
PID 4272 wrote to memory of 4092	4272	msedge.exe	86
PID 4272 wrote to memory of 4092	4272	msedge.exe	86
PID 4272 wrote to memory of 4092	4272	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://4office365.from-mo.com/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae5c746f8,0x7ffae5c74708,0x7ffae5c74718
  2⤵
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,16406734023876891412,407586636916584601,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,16406734023876891412,407586636916584601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2504 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,16406734023876891412,407586636916584601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16406734023876891412,407586636916584601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16406734023876891412,407586636916584601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16406734023876891412,407586636916584601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
  2⤵
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,16406734023876891412,407586636916584601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 /prefetch:8
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,16406734023876891412,407586636916584601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16406734023876891412,407586636916584601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
  2⤵
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16406734023876891412,407586636916584601,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:2708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16406734023876891412,407586636916584601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16406734023876891412,407586636916584601,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,16406734023876891412,407586636916584601,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5308 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
190B

MD5
c301dba9b1559281102b844e13d436e2

SHA1
92fe18f7e3b3e563bb47c378be11757f5662e665

SHA256
f678c2541d25f54ed6edc6f38edd0f248ec2444dadcd9fc53fc0d8ffb2367325

SHA512
a7668b3f3edb3f9bc5300e15aa8ab87ca5fd360c985d4e77ae6d37586726a150820fdb257d636bdc9c9ab9265145e1020d87d3f605d698e4e58a702c8a32c6a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9151e90b1225cb44952371360fb04fad

SHA1
2f0820a9c95e87bd7e965165374b479e39e7ace8

SHA256
4482ec8059b3b2abfb02bb2f22fa2f575db0f50a50f4f96a65ec92e8b200f9d1

SHA512
8dbd11eabcde70ecc611625a4dbf8368106ccc82c35923fac6f8400c1f050249e2b952793426c34ec170d24273b0af6274c8422b31485f21a01aa31618606451

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
45f9fbd5fd68b8d1369579fe97f2c5ad

SHA1
443618e0f880298bead9c5984546619408e4272a

SHA256
01c5486c3ed27098ab66984818d774223a5a9343bde65a1a12df9128e7f15492

SHA512
e7e4eb418810b54d1fae30701fbae0ad7e6331b7e42a4291bc30dcacdba3cb4b1e5a36f4606342bb67d0d94e91f6539b51bf1a892fb3deb976516538a2d16c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
95e4382cb5193c55431c34a0c105ec9b

SHA1
c0e5dc31869cf27236d4f9a9d07eb92b2053fc03

SHA256
f199cb4b1e3561b367a481eb47be2a90343822f6ba52eed49b424495425a513d

SHA512
444987cb7b57e780855b0772270cba5eb6e75fe3531373406466d835d74cdba3ceb8da371d3e39c803de57fb0730cc403381e102258508c95c53e1bd118d4f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
204B

MD5
ad82a6ec63cd78d560ddd21b60f52b80

SHA1
d30c8f14344b66df28154a4f5c63c46af9a2f82d

SHA256
e1fc52a5fca985bc5b35493d81037e4b68a5976004c5548898aa3c2bbaae5402

SHA512
a540ddd05c2fb1411a775ae998f3b31bfb95cbb7d48759b18541ce2f4503d5b5f08ca8523fd3f7c56ff566fd7fa5668b84dde10b07f7fe1c0f4bdd32f869ab5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f28e.TMP

Filesize
204B

MD5
e620b917f1dfe1189877394703f5e03f

SHA1
8a166647d5ee5a5134b5dea0466b6018cd616a08

SHA256
3046cc6aaeb7fc0120f6ce4e8656d651f58eb67cf3ba345d5c3654a9bc60464e

SHA512
738267c44bba0a0f27502ca6bb5912555d2a92eb8b6a42a244e0dab68e50814f8660ea267ad55cb478c31a998c852ae50ccc77d597a5323f170a8b5e36b1fa53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
09395610165a8b61378f8742ebc02850

SHA1
dbd8d504481e5da1be2ce85337bcc40e3f2937be

SHA256
e6696ab3663ad4dfb35d8d6246a60678191595910cd37b2f60d1b739dfb6847a

SHA512
a30fde2454bea6acec878ef2b3fcec630f67b9119a25ca49409d3adfd22b3a809ef0acef9635d333165e67b8fc23e2240b4b4fe2a50d39bb8eef4e0b169c5c5b

Download Submit