278bf1145597975011578aeebdf8b11c12c8d1a8d81e0c209c9194985b829026

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 23:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

attachment-1.html
Size

26KB
MD5

19dafa22603ea87d26121fe97ced7748
SHA1

fa5d12ba455175049aaaafaeeba8e374103cb495
SHA256

d6b39575fddab21e63691b1fea2a0b62466946c1e2c06b9011988fce506580d2
SHA512

859668bffabd68d20a976d35cf30090fc4647e521361ea7502545b485160d5ff63e15d53b6e485213801d07ab04b0575bb4a62a10738a53d6f116909da956afb
SSDEEP

768:AqYJMVYhdArb8P2bcuv5P5YxT7lD8ALGdjwr5Km93U9pUX:JbKgM7aAy2Ym93U9pUX

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4108	msedge.exe
4108	msedge.exe
5680	msedge.exe
5680	msedge.exe
1804	identity_helper.exe
1804	identity_helper.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5680 wrote to memory of 5696	5680	msedge.exe	67
PID 5680 wrote to memory of 5696	5680	msedge.exe	67
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 5548	5680	msedge.exe	84
PID 5680 wrote to memory of 4108	5680	msedge.exe	85
PID 5680 wrote to memory of 4108	5680	msedge.exe	85
PID 5680 wrote to memory of 3484	5680	msedge.exe	86
PID 5680 wrote to memory of 3484	5680	msedge.exe	86
PID 5680 wrote to memory of 3484	5680	msedge.exe	86
PID 5680 wrote to memory of 3484	5680	msedge.exe	86
PID 5680 wrote to memory of 3484	5680	msedge.exe	86
PID 5680 wrote to memory of 3484	5680	msedge.exe	86
PID 5680 wrote to memory of 3484	5680	msedge.exe	86
PID 5680 wrote to memory of 3484	5680	msedge.exe	86
PID 5680 wrote to memory of 3484	5680	msedge.exe	86
PID 5680 wrote to memory of 3484	5680	msedge.exe	86
PID 5680 wrote to memory of 3484	5680	msedge.exe	86
PID 5680 wrote to memory of 3484	5680	msedge.exe	86
PID 5680 wrote to memory of 3484	5680	msedge.exe	86
PID 5680 wrote to memory of 3484	5680	msedge.exe	86
PID 5680 wrote to memory of 3484	5680	msedge.exe	86
PID 5680 wrote to memory of 3484	5680	msedge.exe	86
PID 5680 wrote to memory of 3484	5680	msedge.exe	86
PID 5680 wrote to memory of 3484	5680	msedge.exe	86
PID 5680 wrote to memory of 3484	5680	msedge.exe	86
PID 5680 wrote to memory of 3484	5680	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\attachment-1.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc458346f8,0x7ffc45834708,0x7ffc45834718
  2⤵
  PID:5696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,2229309000781103113,3317438813926988212,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:5548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,2229309000781103113,3317438813926988212,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,2229309000781103113,3317438813926988212,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,2229309000781103113,3317438813926988212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,2229309000781103113,3317438813926988212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,2229309000781103113,3317438813926988212,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  PID:2520
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,2229309000781103113,3317438813926988212,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,2229309000781103113,3317438813926988212,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,2229309000781103113,3317438813926988212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
  2⤵
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,2229309000781103113,3317438813926988212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,2229309000781103113,3317438813926988212,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:5720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,2229309000781103113,3317438813926988212,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5440 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e71d66ce903fcba6050e4b99b624fa7

SHA1
139d274762405b422eab698da8cc85f405922de5

SHA256
53b34e24e3fbb6a7f473192fc4dec2ae668974494f5636f0359b6ca27d7c65e3

SHA512
17e2f1400000dd6c54c8dc067b31bcb0a3111e44a9d2c5c779f484a51ada92d88f5b6e6847270faae8ff881117b7ceaaf8dfe9df427cbb8d9449ceacd0480388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2d07499a-cf3f-4a23-a32d-d7c7cde334b3.tmp

Filesize
5KB

MD5
5373366e8358e58272df860f4f619b6c

SHA1
9ca8d961e7ec375e01d681abc40d78d5163be9d2

SHA256
c6c1498e27ddb7ac1868de3bfdb6aa428264057e3184360547c8c8fdfae9b0ff

SHA512
84bb20ac657ed2e9b5742f4d26201d0822ec87363a4478ad5dea66185900e639dffe4ff02f3911e3530c076903f762eb31b4e3096131a53c71ef6a3951188f35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
330B

MD5
f269161b16fcd67528a1b71c40b4c887

SHA1
acdaa2e087069a7a6eb3e9887740ad6f26d88051

SHA256
065f8d50008fe50b02c3f456068687cd0673e757614c32c7a17b04a98271e3d0

SHA512
7e587ebd691568ceecb22d9f9786551bbdd069ee9652c50b89220f289a8b0179cd695df6ab27072bd23a10ca914e01eb2663050838a645c787067376ff054beb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c707b0a886aca02d4995f535e912ae60

SHA1
421fbb02ffd15e5dd6ef08752543159876d0b480

SHA256
9ef03fc95b72d69c21cdef159aeaad54c7c89041b423e8d8ebea6a50411ec96f

SHA512
94b762c402b833ae9daa5645560cfac44a9788cb4bd34ee73c69f0086d1f0d7b2a823dd5556b4b5f5f1be6fcbb1ccf3821ceab605ff6b80347e282ae9b34d1a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
1b1b142e24215f033793d1311e24f6e6

SHA1
74e23cffbf03f3f0c430e6f4481e740c55a48587

SHA256
3dca3ec65d1f4109c6b66a1a47b2477afaf8d15306a523f297283da0eccbe8b1

SHA512
a569385710e3a0dc0d6366476c457927a847a2b2298c839e423c485f7dcce2468a58d20133f6dc81913056fb579957e67f63cf1e20b910d61816210447cd1f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6c59f3588b07d57c89c6d125b7dae8fc

SHA1
cb4514d2f9cde19c48e36a8269d617f0fb849aba

SHA256
8150d2f51920a4348eb23dbd419a4b37351c12eab8f7b455ac824c5e181e4748

SHA512
61250a069628a2351a7309d4ced2db92ffa5798661aa7cf876a87ad6b42beb3570101174cd388708ecc9f0978f11b0442cf621991b31b64544340620943b637b

Download Submit