Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/01/2023, 18:34

General

  • Target

    login.html

  • Size

    27KB

  • MD5

    d7e398e2ff1a47b8889d7dc6c0818d22

  • SHA1

    da98ab4b635e764fa13961987f840014eb546197

  • SHA256

    6fc287b2dc57fce3b1d7a95c8fdb6605e74d10e6644a800d67531965e2bdb7d8

  • SHA512

    f164b3a00de85e58f43390d52a71f7ed05d68b1c5647a2f42c33ad6e0fa4ed5d560e09f7668a268246ad6ab79c7bf6c58114aa9b92fecfd965c9d31eb18090f3

  • SSDEEP

    384:mZ0e3ujIp/n7M0IQqC9RZfxSAZn0fZ91mP6GQmD3syZj5XCqzGX3o:C0GugIqjfxSAZnmZmDQysyZ9n

Score
6/10

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 41 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\login.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4272
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4272 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1124
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4104
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffaf25046f8,0x7ffaf2504708,0x7ffaf2504718
      2⤵
        PID:1432
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,14123758249644083355,16243841897387360535,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
        2⤵
          PID:4464
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,14123758249644083355,16243841897387360535,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3788
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,14123758249644083355,16243841897387360535,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
          2⤵
            PID:3252
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14123758249644083355,16243841897387360535,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3780 /prefetch:1
            2⤵
              PID:720
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14123758249644083355,16243841897387360535,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4356 /prefetch:1
              2⤵
                PID:1972
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14123758249644083355,16243841897387360535,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4372 /prefetch:1
                2⤵
                  PID:4392
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,14123758249644083355,16243841897387360535,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5516 /prefetch:8
                  2⤵
                    PID:224
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,14123758249644083355,16243841897387360535,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5760 /prefetch:8
                    2⤵
                      PID:4060
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,14123758249644083355,16243841897387360535,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6000 /prefetch:8
                      2⤵
                        PID:5104
                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
                        2⤵
                        • Drops file in Program Files directory
                        PID:64
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6fe975460,0x7ff6fe975470,0x7ff6fe975480
                          3⤵
                            PID:3896
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,14123758249644083355,16243841897387360535,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6000 /prefetch:8
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:4636
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14123758249644083355,16243841897387360535,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1
                          2⤵
                            PID:452
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14123758249644083355,16243841897387360535,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6904 /prefetch:1
                            2⤵
                              PID:3652
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14123758249644083355,16243841897387360535,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
                              2⤵
                                PID:2456
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2132,14123758249644083355,16243841897387360535,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6880 /prefetch:8
                                2⤵
                                  PID:3488
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,14123758249644083355,16243841897387360535,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5524 /prefetch:8
                                  2⤵
                                    PID:4844
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:4628
                                  • C:\Windows\system32\AUDIODG.EXE
                                    C:\Windows\system32\AUDIODG.EXE 0x508 0x4f8
                                    1⤵
                                      PID:3604

                                    Network

                                    MITRE ATT&CK Enterprise v6

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

                                      Filesize

                                      1KB

                                      MD5

                                      d573b2aa87eba6871bbfacafe3025db5

                                      SHA1

                                      6250740ebe65f64db1f0f8a773be17525f27b9d8

                                      SHA256

                                      21761b2fe7450acdcd63254f296c9ac41b2d931c79af613e8ce2400e8b675d19

                                      SHA512

                                      e2b8de3dffd78c6d2d376e444e1c1d83a49bbba5c13b268155a388cab2599ecc93974c5e05878affa207d015cc7980b1dde3d131517eb904f2c4e5a9fb6778f6

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

                                      Filesize

                                      1KB

                                      MD5

                                      7d2df1da9f7f5a57eb49e4aba4c87f19

                                      SHA1

                                      845461c1c0040e9dd244832f6d26ed8e32c0427e

                                      SHA256

                                      acf81a925312c5f925c415f10f83c5a08aceae7aa7e37f8ce0cc4ccfc4c3a6da

                                      SHA512

                                      2a9bff8f6444939897cb231d9174b7718145ea39c8b82d5eaeec96c4e7ef8ae6943a79aefe44bc5fafb21d9e02970f4f47e31bcdaaff4d180c90df245690c33f

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

                                      Filesize

                                      471B

                                      MD5

                                      03c43ce055f8989a6508481c8acb6608

                                      SHA1

                                      3dc33276158435396c4272531a62707a18a4a875

                                      SHA256

                                      1e977bad400e43c86966889b895bbf3b00b929b4bf497c791ad0ed2a0749fd3e

                                      SHA512

                                      fb69a674b2c2aa697a7c1fc94490298949831762d9d9612266314727ea85f84035df089f62e1aec24474caa1fc52fc94ea704d161335d37c1cf746c72af1f8ab

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

                                      Filesize

                                      724B

                                      MD5

                                      f569e1d183b84e8078dc456192127536

                                      SHA1

                                      30c537463eed902925300dd07a87d820a713753f

                                      SHA256

                                      287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

                                      SHA512

                                      49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

                                      Filesize

                                      410B

                                      MD5

                                      63b740f18b49b4e5eb2db78116b065b3

                                      SHA1

                                      567663689a89503549d82f54c73b144fe41e559e

                                      SHA256

                                      c6ca917d56c9058ed3ec87d68d3f48bd83ef23cabea01ad1b3ac19580c2cf062

                                      SHA512

                                      e19f70e778ce31c775da73711518dd922469e6e32929626aa79bbb489bf7dcff725ffdbaff76466483b8407af8d4bc97c6ab4723055f093390ba6367f2250532

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

                                      Filesize

                                      446B

                                      MD5

                                      b8e830d68ab19fdb598b62a57ace543b

                                      SHA1

                                      baf048f550353cbffb70efb2c48671026118a564

                                      SHA256

                                      f9d0feead655c0243ef3f1f3053aed8d160ca03bcb3214cae34f1114746a2159

                                      SHA512

                                      ae28b4fc64f39ea6e201f59bd2f1255f28f1871dc390a242b812ee6872873b0ddbbc494f62faaef55a3f9134e7e26a6ea2f59c20045f960817f06e319114526f

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

                                      Filesize

                                      434B

                                      MD5

                                      ca99292c0e2f05f0b6a0c445a0889c13

                                      SHA1

                                      849fe2081008531b21961ac03b5d6c2cbec6bd89

                                      SHA256

                                      654f955ea27cecf7699eb369f3f0265900e907df8b6cb91db441135199262dab

                                      SHA512

                                      05c617aa41061c4f5733278ccf295469cbef5724cdc007856b1ad6083fb73e5492e619324aa02fb044917c4631de75b5e54a2b7a9a729c4ec8c9b3c989e369cb

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

                                      Filesize

                                      392B

                                      MD5

                                      467bfcf83809c9e4ee914d9455b13eca

                                      SHA1

                                      361c046088fba455d725ff7cdd7552e12e65d107

                                      SHA256

                                      d2156ffc7d9c8f6d42bbafbfe8ced77f96336fd21133da9da2b1a2ce6af85fc4

                                      SHA512

                                      926baa03c092f7231c1af9c11f2ced8a673dd4ad2067334d3e7f25ae0e8f44aaeb02bd4450c000d8872cf2dac044004aa2e427e281334508db93591e1bfa261d