hxxps://rpalace[.]testbandtech[.]com/one/offf/

Analysis

max time kernel
35s
max time network
34s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 09:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://rpalace.testbandtech.com/one/offf/

Score

7^/10

microsoft discovery phishing

Malware Config

Signatures

A potential corporate email address has been identified in the URL: [email protected]
phishing
Detected potential entity reuse from brand MICROSOFT.
phishing microsoft
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5100	msedge.exe
5100	msedge.exe
3576	msedge.exe
3576	msedge.exe
2056	identity_helper.exe
2056	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 4216	3576	msedge.exe	84
PID 3576 wrote to memory of 4216	3576	msedge.exe	84
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 3252	3576	msedge.exe	85
PID 3576 wrote to memory of 5100	3576	msedge.exe	86
PID 3576 wrote to memory of 5100	3576	msedge.exe	86
PID 3576 wrote to memory of 4548	3576	msedge.exe	87
PID 3576 wrote to memory of 4548	3576	msedge.exe	87
PID 3576 wrote to memory of 4548	3576	msedge.exe	87
PID 3576 wrote to memory of 4548	3576	msedge.exe	87
PID 3576 wrote to memory of 4548	3576	msedge.exe	87
PID 3576 wrote to memory of 4548	3576	msedge.exe	87
PID 3576 wrote to memory of 4548	3576	msedge.exe	87
PID 3576 wrote to memory of 4548	3576	msedge.exe	87
PID 3576 wrote to memory of 4548	3576	msedge.exe	87
PID 3576 wrote to memory of 4548	3576	msedge.exe	87
PID 3576 wrote to memory of 4548	3576	msedge.exe	87
PID 3576 wrote to memory of 4548	3576	msedge.exe	87
PID 3576 wrote to memory of 4548	3576	msedge.exe	87
PID 3576 wrote to memory of 4548	3576	msedge.exe	87
PID 3576 wrote to memory of 4548	3576	msedge.exe	87
PID 3576 wrote to memory of 4548	3576	msedge.exe	87
PID 3576 wrote to memory of 4548	3576	msedge.exe	87
PID 3576 wrote to memory of 4548	3576	msedge.exe	87
PID 3576 wrote to memory of 4548	3576	msedge.exe	87
PID 3576 wrote to memory of 4548	3576	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://rpalace.testbandtech.com/one/offf/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa048146f8,0x7ffa04814708,0x7ffa04814718
  2⤵
  PID:4216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,4003788286060367331,5005459120518424326,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,4003788286060367331,5005459120518424326,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2008,4003788286060367331,5005459120518424326,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,4003788286060367331,5005459120518424326,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,4003788286060367331,5005459120518424326,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,4003788286060367331,5005459120518424326,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,4003788286060367331,5005459120518424326,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,4003788286060367331,5005459120518424326,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,4003788286060367331,5005459120518424326,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:1176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,4003788286060367331,5005459120518424326,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,4003788286060367331,5005459120518424326,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2384 /prefetch:1
  2⤵
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,4003788286060367331,5005459120518424326,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
  2⤵
  PID:1676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5b31f8ca2b5b614fa941e8c0fca20a91

SHA1
98311eea5644738678a0b726b85bb13d3e8602ff

SHA256
81982a035de4b1e7b4b7fc90ee1f607a488d332228afd85130a01abd60a0b852

SHA512
ceaab29a44d2448f19f9989c0d875b737eb6220c712a7f9e270b24594737b32b26891094161b11adb6e8d219f44d1414e613123b91cd7466d3533dd9bb1bdcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
43e0cd10cbc3a5f67571f2981afe8e9e

SHA1
67096456ec5b5064fa3b068f3d8d1bb0918c362f

SHA256
fd257b65bc5c0130000e8266f7df35473c1dfdd94a34b1447869e1095e936388

SHA512
8816e87125b61882f501b71025476f2db20cfc5ecade3dd7137a2c30d71b4be8064ff8623f3db6019447943595741bf5df8469fd65050fb134b47bb4486153b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ae560edb1f164a0c290b150a732dcb8d

SHA1
c18c6cc73ef950794e8a0f41306f87880e3b458e

SHA256
8bf706117400e04abb5798c13b04de8714b68bea83ee5f13a2a1295fe4e27219

SHA512
dba69e6a07b978bcff6d1051f0e90acb3c41422bd251b8b08cba005dc7876b8404823fb8ee5f6006b293f978538d48f85d8bb1ae3a6abb1c6e70476b5e217f01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
537B

MD5
40a0f64535d1837c3a36fc73c6ece5c5

SHA1
16b35472c72383f5844f70cd8af661241f8e138c

SHA256
e6ad36ae9adc365c7a427d28308b161da86530398cc19ca103f32d63709d31b5

SHA512
12fa9e78740e7d9060ae058e730619757aeea2bf5b4483012a37da00d30f4745f41c46e36183791e5ae14412e1e056c74958acb37856385c0840eddffeae9009

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ed0f.TMP

Filesize
203B

MD5
1f26b49a4cb599d0424ee50b3b979e15

SHA1
508e64ba50cf395a75b3d9c6763dea14462b56c9

SHA256
506f6429620b84f382c3e83465bbaf3ad37a5f85e81e0b799993fcda58543fe0

SHA512
58eb5288eb7da9c0e8496b534558b1c17f53c9b7c9721bd6c6c1a6913665595b9df46a8f027f1c273553994c4c5e9d724df68966cf12eea9e071042097d6390e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
79e8df06f63e28b0fe0d9ecd74e95ae3

SHA1
ee04bfcabbca4f35e0149d3e9dd2d2a985901f26

SHA256
e6faeaf404406d14d2318f8a898f3587b4a23834fda1c2a3e96d8e83b40c6508

SHA512
0104667e229dba502b6e48c2df6b569f9c6e43b5bcf25a80cd2c8fb0fbc59c72456db5e3215f9d02a954b3ae9611e3f591da58fba9dbea1db204641107c4763e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit