d840f8db5d713c7a03b3f622c96e21093ca91b29a78512c869c0fee201de1d9e

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97e11f04844f7b44f1b41355458393c6.html
Size

3.5MB
MD5

97e11f04844f7b44f1b41355458393c6
SHA1

4ae832cb3a0b995cb47a2d6b23c1d265f8713055
SHA256

d840f8db5d713c7a03b3f622c96e21093ca91b29a78512c869c0fee201de1d9e
SHA512

cdd046c165e6d234357e84f8e255b972a281d3d20d8f012df1fc2ce945905c5a64ea80ff99a2e2331093878317e71e6d85a97d0b2b1c4859c8db9aa38918ba4e
SSDEEP

12288:oLZhBVKHfVfitmg11tmg1P16bf7axluxOT6Nfi:ovpjte4tT6Ni

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1652	msedge.exe
1652	msedge.exe
396	msedge.exe
396	msedge.exe
4192	identity_helper.exe
4192	identity_helper.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 228	396	msedge.exe	84
PID 396 wrote to memory of 228	396	msedge.exe	84
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1912	396	msedge.exe	87
PID 396 wrote to memory of 1652	396	msedge.exe	85
PID 396 wrote to memory of 1652	396	msedge.exe	85
PID 396 wrote to memory of 4944	396	msedge.exe	86
PID 396 wrote to memory of 4944	396	msedge.exe	86
PID 396 wrote to memory of 4944	396	msedge.exe	86
PID 396 wrote to memory of 4944	396	msedge.exe	86
PID 396 wrote to memory of 4944	396	msedge.exe	86
PID 396 wrote to memory of 4944	396	msedge.exe	86
PID 396 wrote to memory of 4944	396	msedge.exe	86
PID 396 wrote to memory of 4944	396	msedge.exe	86
PID 396 wrote to memory of 4944	396	msedge.exe	86
PID 396 wrote to memory of 4944	396	msedge.exe	86
PID 396 wrote to memory of 4944	396	msedge.exe	86
PID 396 wrote to memory of 4944	396	msedge.exe	86
PID 396 wrote to memory of 4944	396	msedge.exe	86
PID 396 wrote to memory of 4944	396	msedge.exe	86
PID 396 wrote to memory of 4944	396	msedge.exe	86
PID 396 wrote to memory of 4944	396	msedge.exe	86
PID 396 wrote to memory of 4944	396	msedge.exe	86
PID 396 wrote to memory of 4944	396	msedge.exe	86
PID 396 wrote to memory of 4944	396	msedge.exe	86
PID 396 wrote to memory of 4944	396	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\97e11f04844f7b44f1b41355458393c6.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff52ce46f8,0x7fff52ce4708,0x7fff52ce4718
  2⤵
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,15610747048112225339,9469638071764434116,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,15610747048112225339,9469638071764434116,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2504 /prefetch:8
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,15610747048112225339,9469638071764434116,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
  2⤵
  PID:1912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,15610747048112225339,9469638071764434116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:1260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,15610747048112225339,9469638071764434116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,15610747048112225339,9469638071764434116,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,15610747048112225339,9469638071764434116,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,15610747048112225339,9469638071764434116,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,15610747048112225339,9469638071764434116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,15610747048112225339,9469638071764434116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4412 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,15610747048112225339,9469638071764434116,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,15610747048112225339,9469638071764434116,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1828 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eb20b5930f48aa090358398afb25b683

SHA1
4892c8b72aa16c5b3f1b72811bf32b89f2d13392

SHA256
2695ab23c2b43aa257f44b6943b6a56b395ea77dc24e5a9bd16acc2578168a35

SHA512
d0c6012a0059bc1bb49b2f293e6c07019153e0faf833961f646a85b992b47896092f33fdccc893334c79f452218d1542e339ded3f1b69bd8e343d232e6c3d9e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
981B

MD5
b2f17966d0b40996a9fccf3a8ee656f7

SHA1
fab8b6b7b91db66e58aae8169f17e5db6ce3b8b9

SHA256
4d1148d8ec8c6b98eb86c7b4e2fd3029f7b336070880d1352c5d038e40096bbc

SHA512
c67971753c053ebdbb600ad61da0611f2ae8250f57aa125e54fd9a6bce1d9746ea406f3d6da205140dc07475f29bbc29d3854a5bc8f3de75f738e43d31cbd6a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
648452a5f59afcf8ac98f9f4f0d393eb

SHA1
1bed2d4f43ee1384d6efc5e7d9a6d672721ea9aa

SHA256
c6f801ae197ce668561ac59f4078b9bd26432048edcd07707d1c76e16b502a36

SHA512
3c7eec67386866eae8a6ea4c48b0be46c0f74626d9dc1aeb777f07865828c62f10d506c270ae350ce39ace605cd6d8bd6e7d49225b331004e0393c88ef32dc08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6570fb2743af1bf47e798e0e5a2349a3

SHA1
051070a20229bfe57e18f75d491239a5d8805ebe

SHA256
6a5a2cacbb2bb20e0247cc0497107f01b95de64253154b2404da476c85ca3790

SHA512
29fddd9f559cd220f3d0a4db22d37dc21f6738bb80df89c8a98f5733c1ef17e8b48607527f0a137027e98127433c3831d481639f643ac38a865608c5bb593e38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
2bbbdb35220e81614659f8e50e6b8a44

SHA1
7729a18e075646fb77eb7319e30d346552a6c9de

SHA256
73f853ad74a9ac44bc4edf5a6499d237c940c905d3d62ea617fbb58d5e92a8dd

SHA512
59c5c7c0fbe53fa34299395db6e671acfc224dee54c7e1e00b1ce3c8e4dfb308bf2d170dfdbdda9ca32b4ad0281cde7bd6ae08ea87544ea5324bcb94a631f899

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
473d0f3ab74e5265160a4eea118a1267

SHA1
f4eeb62e3c2d44b09894c2492e7f362dab462143

SHA256
c0780c4a950413625b509589d31d656941409ca8331d5abd51740bec4171c3e9

SHA512
66d9c9e8be05ae9d90a9371cd681d8bef108ee04907eb879f43b4720a4f1e29f04dc50d3efcefa4da519e61e5a9b0ae16684a6716a153065e01976583b8eca52

Download Submit