8e36708a5f076592f2536f553467265d51fae2dbdd52e127f6345f319bbaa5c3

Analysis

max time kernel
147s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20231222-en
resource tags

arch:x64arch:x86image:win11-20231222-enlocale:en-usos:windows11-21h2-x64system
submitted
12-02-2024 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

email-html-2.html
Size

2KB
MD5

8ee3a8e8c8deaff9838d8301645c2552
SHA1

b3b060b25d0836ab2d150234a280feef2e9ed23f
SHA256

0137c8876265febf56ce0156c5a1b78837049ddcc5fa6e000e54cea9e2151887
SHA512

26b37780767176fc47e900b70af92c4cfc82a06fe555f6364267642fccd8ee9aa9c065866261fd995308e0645f3e0115c24e5a590150b3754e6088fd6ab691a8

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
3704	msedge.exe
3704	msedge.exe
3164	msedge.exe
3164	msedge.exe
1340	msedge.exe
1340	msedge.exe
3396	identity_helper.exe
3396	identity_helper.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

3164 msedge.exe
3164 msedge.exe
3164 msedge.exe
3164 msedge.exe
3164 msedge.exe
3164 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3164 wrote to memory of 1108	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 1108	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2756	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3704	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3704	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3932	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3932	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3932	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3932	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3932	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3932	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3932	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3932	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3932	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3932	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3932	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3932	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3932	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3932	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3932	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3932	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3932	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3932	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3932	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3932	3164	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\email-html-2.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbe6d53cb8,0x7ffbe6d53cc8,0x7ffbe6d53cd8
2⤵
PID:1108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1828,13090395598568091402,18310483765507734276,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1828,13090395598568091402,18310483765507734276,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
2⤵
PID:2756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1828,13090395598568091402,18310483765507734276,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
2⤵
PID:3932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13090395598568091402,18310483765507734276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
2⤵
PID:3008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13090395598568091402,18310483765507734276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
2⤵
PID:4176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1828,13090395598568091402,18310483765507734276,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4204 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13090395598568091402,18310483765507734276,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
2⤵
PID:248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13090395598568091402,18310483765507734276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
2⤵
PID:2420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13090395598568091402,18310483765507734276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
2⤵
PID:2044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13090395598568091402,18310483765507734276,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
2⤵
PID:3120

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1828,13090395598568091402,18310483765507734276,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1828,13090395598568091402,18310483765507734276,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3284 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3952

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0bed556ffeb1e69835b408d733b041f0

SHA1
e2aec94abd489a26f36a9694c7ef3903af6409b6

SHA256
7d60b9117a935eaba25d7273a5b5e8ba04ece22672661ecb37a3c8a08f61def3

SHA512
47d492a7c72f9d12511f070d7d28451b1c52c5f0d446890e704b02bbc51330b1890c5ac4e050d514ff1bfd9c64421adeebee114718042af5aee3f5fdfb413fc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
efe88beb422cc84c57d65ed75970a4c6

SHA1
16f417dd4e050d5de5fa2bf61ec652b25857c220

SHA256
df89d8237137422d9236aff3b94fec7421697126140a44658231d827dc9e125c

SHA512
c58b5b3df8da0cdc5817765264601ea2d64a936e6e8bb748af670ef1bf7e668db958fb1a8f5312d76c056bea167785e3f609296e0853c99d3b9f86b42a52ee42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
268cb6ddf60aebdc342d7a8d2b4fb649

SHA1
20a037f89c669851851125e822803943e0d1dbd7

SHA256
687b7bd0da68108d7e75ce283b5604f4855eb35d6c1b56c430c51421b78db4b1

SHA512
5cf7be5a35680d8e2e7f100a02d5a51fad6dd8bf0932307edd3ac9153456d4efa267f1f9678b88dc55c188680c4d9de29e962e97280397012e1ca08713f5f6f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bdba1c1db0b874004f5791294b67a567

SHA1
16279e67f868fcfc2febd7fb5ae7cdac39b6f27e

SHA256
f06f3f8c32ac9194d05b32a03374f0e8727eb9a4c60a82591d41ee86b74c1f3f

SHA512
b59cb3e7f72c33055bae6aad3f7a9d5b2ce13772f755af7bc726c8908198f7c52bb6bbf541d66f1eb46c0b012b31b1242b3456c68ea5319294e72ea5086c8d4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
5e1542ec05a1840cfb56ae87d1c2e16e

SHA1
25bdd95b83b7c614a6446609cff6ecbcab58d9d8

SHA256
41acd6ffea81ff1b8b58a4693696a397817473eb899edbf6606314820a8e40b8

SHA512
12c32368cbedc3d2515907ab740c75022fc4eaecec9b45734f346db0df209e667b066b2fcd891e84193868ecec8b892e7b484c66a8b329562bad53a69b25c0db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
c28056e2d24fa1012b781c72ac28e2fc

SHA1
f4aa36a5b949299557ed600ba273db36ec4c6633

SHA256
6d8d78e90c21a4b2b416417ac2a997e67019dfd3221e9e44b29b228f454b704a

SHA512
dbd926eb54c2989aea0fb1de241416a08699955326f7e6c2c54c8c527ee7f1d43ed608226efc015effacbd8329b72a00ea1751e635d959ac125e2cee9e103426

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f37869d0b2b97474426dc34c60df3e52

SHA1
38fda43bee26a25d9128a1b5e07c417464333aae

SHA256
79d704a7c142294d040331a8b6d89cc231fb4012aeba0a217d01c0d1f9d47163

SHA512
a4db5920e7da2add9e2cbf98e62724430d636b32b8f1b965ee1d6154a373e37bce3e91f18e0ab046121a3b21a3347b177ff452edaccb09cd5dfc9725adf3f000

Download Submit
\??\pipe\LOCAL\crashpad_3164_PHSYOGBRGCDVXTGK

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit