beff1ab37d045a0437464495bba0cfe8800fd7ba7289165e02837a0f9e1cfc1f

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a1b63d2b8acd0496a6a0da6c2109a53.html
Size

53KB
MD5

9a1b63d2b8acd0496a6a0da6c2109a53
SHA1

907ce8686ec72dbc2110f84b7a45ef90678f8e3d
SHA256

beff1ab37d045a0437464495bba0cfe8800fd7ba7289165e02837a0f9e1cfc1f
SHA512

607858fdd40d4d9daa3d1334fe112a37db1bb036b7d2ccb6d09d44309f14afa6529b2c68902778265fbba3bcaf7996b42864b24e7985a2b419583ba135360875
SSDEEP

768:k+5pHvvCIoo9XCoRVu6ueszT8sXNRh4F7/H:k+bHv7oySofu6ub8sXHh4F7

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4792	msedge.exe
4792	msedge.exe
4636	msedge.exe
4636	msedge.exe
4924	identity_helper.exe
4924	identity_helper.exe
3804	msedge.exe
3804	msedge.exe
3804	msedge.exe
3804	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 2396	4636	msedge.exe	84
PID 4636 wrote to memory of 2396	4636	msedge.exe	84
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4536	4636	msedge.exe	86
PID 4636 wrote to memory of 4792	4636	msedge.exe	85
PID 4636 wrote to memory of 4792	4636	msedge.exe	85
PID 4636 wrote to memory of 1396	4636	msedge.exe	87
PID 4636 wrote to memory of 1396	4636	msedge.exe	87
PID 4636 wrote to memory of 1396	4636	msedge.exe	87
PID 4636 wrote to memory of 1396	4636	msedge.exe	87
PID 4636 wrote to memory of 1396	4636	msedge.exe	87
PID 4636 wrote to memory of 1396	4636	msedge.exe	87
PID 4636 wrote to memory of 1396	4636	msedge.exe	87
PID 4636 wrote to memory of 1396	4636	msedge.exe	87
PID 4636 wrote to memory of 1396	4636	msedge.exe	87
PID 4636 wrote to memory of 1396	4636	msedge.exe	87
PID 4636 wrote to memory of 1396	4636	msedge.exe	87
PID 4636 wrote to memory of 1396	4636	msedge.exe	87
PID 4636 wrote to memory of 1396	4636	msedge.exe	87
PID 4636 wrote to memory of 1396	4636	msedge.exe	87
PID 4636 wrote to memory of 1396	4636	msedge.exe	87
PID 4636 wrote to memory of 1396	4636	msedge.exe	87
PID 4636 wrote to memory of 1396	4636	msedge.exe	87
PID 4636 wrote to memory of 1396	4636	msedge.exe	87
PID 4636 wrote to memory of 1396	4636	msedge.exe	87
PID 4636 wrote to memory of 1396	4636	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\9a1b63d2b8acd0496a6a0da6c2109a53.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffea8d446f8,0x7ffea8d44708,0x7ffea8d44718
  2⤵
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,10095869912972197271,14097478708263679225,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,10095869912972197271,14097478708263679225,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,10095869912972197271,14097478708263679225,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
  2⤵
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10095869912972197271,14097478708263679225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10095869912972197271,14097478708263679225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10095869912972197271,14097478708263679225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
  2⤵
  PID:628
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,10095869912972197271,14097478708263679225,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 /prefetch:8
  2⤵
  PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,10095869912972197271,14097478708263679225,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10095869912972197271,14097478708263679225,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10095869912972197271,14097478708263679225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10095869912972197271,14097478708263679225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10095869912972197271,14097478708263679225,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,10095869912972197271,14097478708263679225,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1386433ecc349475d39fb1e4f9e149a0

SHA1
f04f71ac77cb30f1d04fd16d42852322a8b2680f

SHA256
a7c79320a37d3516823f533e0ca73ed54fc4cdade9999b9827d06ea9f8916bbc

SHA512
fcd5449c58ead25955d01739929c42ffc89b9007bc2c8779c05271f2d053be66e05414c410738c35572ef31811aff908e7fe3dd7a9cef33c27acb308a420280e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\824b47c0-a3d8-457b-a62d-a946a077ec6c.tmp

Filesize
6KB

MD5
0373fb9e02c8f9aea6532243f3f3fa94

SHA1
07a55725373cca8fa2c4b8c05e0852fde6e9035a

SHA256
1a3b80c1cdc72d30f45725426da41139d13e1c9bba990f04940b90f3b51d7518

SHA512
3af823afb990c94f8196bdbeaabe435e9f13797c12de92e7ee6696ec4ae923135bf5a79a86e32b9372c2bf5c6bce0c04320f0eec79e17756acc67ce1ea75817c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
54f6c7e701e76bcfa8aaefe3afe787aa

SHA1
2414e0a6aab629bda6bcea7b9d6a49a39cc342db

SHA256
b6273a02bb2b31cb783e86fcd3e005732f2d359bbab4899c9f1aeb07c6df9f77

SHA512
12f0a538d806aea10d72711b7e0c1645d7c8e90559ddd3c9c09143e690ca85f35bde7ab989d5b3fb23e67e9f79620809919506742dd52dd7f97facf971eac916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
0db4d6ca1521e2daf1ce43a4e404296e

SHA1
eea7542c9e54440022d5444d0d60a7e7235d82e6

SHA256
9c1dbd085bf34aae8b107e02bfc4e157eb461c4083bf961d727b171027c412a0

SHA512
b6afcf92b5f52bd0dd47b85b4c31ef8e060a65a77b8eec86b10200fe032f203605ecb044bf9d8e8eefea026b05a90f4d73fc1a72fef84de5d0c6ac30acae62bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9c978d0041122929dba837e1dc562169

SHA1
5477010a89018727fb82d2998488ce349deffb09

SHA256
4bf60332dff52a75bf8d887c44fcbc934d9389ff7c8c61694980e0ff2cf25bab

SHA512
0ba5f6bb21f06f05945bc22dbe1e67699b36824eee40b09c214e1c264073a403a2ba5817696ae5a663b35eff680263704da26ef3d81c7d7092aa65d83be84a5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0e023fbf9d90cb521874c4e00020a102

SHA1
2909555d92d6497cc48be755da450bc6b5dc500d

SHA256
d70f9e31b33c275bebc4ee02f81c70ac3f98b5a5d716ba5bdd06fb09656ed44e

SHA512
7525bf442b66ed16d26b95ed9a019a20132e04a5cbc90265b3f6738d46f0f2bcad242a1d3261ee81030c92b01b06dafb3e6837b3bc1cf1d443c3264d39a270d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e664066e3aa135f185ed1c194b9fa1f8

SHA1
358ff3c6ad0580b8ae1e5ef2a89a4e597c2efdc5

SHA256
86e595be48dbc768a52d7ea62116036c024093e1302aced8c29dd6a2d9935617

SHA512
58710818b5f664006a5aa418da6c8cd3f709c2265bc161f81b9dfe6cdb8304fabaa4ce9deba419fe4281623feeeaa0321f481ae5855d347c6d8cf95968ee905e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
034c275c4af1211b0116a14700382177

SHA1
987a0a5b9712898f2d958ccbc7a02c939d73549a

SHA256
9a6db93a451bad60d7b94c260905e21454265d9bd5eae1acda366d5d95820889

SHA512
8ca6460bf1e4773c0ac37223c3f0b680c98ab5b31fdae7924349c9ce487d07f432421faa9ae771d6d6cf5862f964f03597b75433009302093634ad515377ee7f

Download Submit