13c91364d9992ecced2181cbfe2ce580887b73ff3f4b06004291d870f19a4a48

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98625d7d53b27b27541a8b9007907a8d.html
Size

1.5MB
MD5

98625d7d53b27b27541a8b9007907a8d
SHA1

95cd5bf3fcc2f1065282b8ea018da89304bd30a8
SHA256

13c91364d9992ecced2181cbfe2ce580887b73ff3f4b06004291d870f19a4a48
SHA512

7cdd2ac849f3c30c8fee6629a81c7723b3efedb765c3dcb6153ce14638f984b07dccafa8364c0d6809cf9ee227cf33640e6dee7ac32043b4c777622bad044aac
SSDEEP

24576:vd7EhYykwXFVkFqAg9VbXkf8YaBzfvnFZVs2PKm5F2lBUD7tRwlicG6ydIAXtxOU:skuHWtxyBzfvryR8clTKdZA67jx

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3992	msedge.exe
3992	msedge.exe
3076	msedge.exe
3076	msedge.exe
2776	identity_helper.exe
2776	identity_helper.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3992 wrote to memory of 1736	3992	msedge.exe	84
PID 3992 wrote to memory of 1736	3992	msedge.exe	84
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 4636	3992	msedge.exe	86
PID 3992 wrote to memory of 3076	3992	msedge.exe	85
PID 3992 wrote to memory of 3076	3992	msedge.exe	85
PID 3992 wrote to memory of 4660	3992	msedge.exe	87
PID 3992 wrote to memory of 4660	3992	msedge.exe	87
PID 3992 wrote to memory of 4660	3992	msedge.exe	87
PID 3992 wrote to memory of 4660	3992	msedge.exe	87
PID 3992 wrote to memory of 4660	3992	msedge.exe	87
PID 3992 wrote to memory of 4660	3992	msedge.exe	87
PID 3992 wrote to memory of 4660	3992	msedge.exe	87
PID 3992 wrote to memory of 4660	3992	msedge.exe	87
PID 3992 wrote to memory of 4660	3992	msedge.exe	87
PID 3992 wrote to memory of 4660	3992	msedge.exe	87
PID 3992 wrote to memory of 4660	3992	msedge.exe	87
PID 3992 wrote to memory of 4660	3992	msedge.exe	87
PID 3992 wrote to memory of 4660	3992	msedge.exe	87
PID 3992 wrote to memory of 4660	3992	msedge.exe	87
PID 3992 wrote to memory of 4660	3992	msedge.exe	87
PID 3992 wrote to memory of 4660	3992	msedge.exe	87
PID 3992 wrote to memory of 4660	3992	msedge.exe	87
PID 3992 wrote to memory of 4660	3992	msedge.exe	87
PID 3992 wrote to memory of 4660	3992	msedge.exe	87
PID 3992 wrote to memory of 4660	3992	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\98625d7d53b27b27541a8b9007907a8d.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcfc9046f8,0x7ffcfc904708,0x7ffcfc904718
  2⤵
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,11111476292588466909,17454050434312287441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,11111476292588466909,17454050434312287441,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,11111476292588466909,17454050434312287441,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11111476292588466909,17454050434312287441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11111476292588466909,17454050434312287441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,11111476292588466909,17454050434312287441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 /prefetch:8
  2⤵
  PID:384
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,11111476292588466909,17454050434312287441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11111476292588466909,17454050434312287441,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11111476292588466909,17454050434312287441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11111476292588466909,17454050434312287441,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11111476292588466909,17454050434312287441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,11111476292588466909,17454050434312287441,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4232 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d5564ccbd62bac229941d2812fc4bfba

SHA1
0483f8496225a0f2ca0d2151fab40e8f4f61ab6d

SHA256
d259ff04090cbde3b87a54554d6e2b8a33ba81e9483acbbe3e6bad15cbde4921

SHA512
300cda7933e8af577bdc1b20e6d4279d1e418cdb0571c928b1568bfea3c231ba632ccb67313ae73ddeae5586d85db95caffaedd23e973d437f8496a8c5a15025

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e7d43c118fc22c97dd038d4c022e674f

SHA1
02145a24a947b07d8bab9fc4974992e0c4e0e1b4

SHA256
de8ffaa70a58b4f80581fea0916856688b836ac8b5087066d8ae463c95fe084b

SHA512
8a3bc69dc22140c544881e55412bf78f8d4f3a101c6dde83bfa4e3dc68b3dbafaad3bbcb52708fc81a64efedadfa761d955047dcbf97406165c315d5ef036b45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7dff76910b888668e707d504b9b2c63a

SHA1
6701ec7be8f39013aa775f327132e94f791f9783

SHA256
34d653302a6e6e589393495580a958e7e84d76b73a1b89da1f895e61d5c34af2

SHA512
26a6107bef97a4c745a991393ce8593eb4a6e87885075912f400ff7d4561445729d8c863c93e01008477f3033058b9b865fe09f8310e1f6fd2ab7679903719f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
90eb6a7cdab37c47615b3f825c019556

SHA1
7cccb7f10282c2a8313d160fd894f7b8d9a2c329

SHA256
d577b3596d30221fcad70db9305b4e40cc854e447794e92994893110d67d353e

SHA512
b90d2577e05a3a0425d13439b455205c0329623fdc269a2190a8b4ac79c36e99fd7efb1546990ff41cbd0b3c44775b2cfc83f9ca8de4e13feec24cbb7fe5ab24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
801b76ab9e49d67166d0a71126943fb5

SHA1
5c6a698341a0c6d5462e28d3b643d5bad1172d67

SHA256
066ba148c5b2fe1c75023963175f83fdd7977a6ab21c9572e9dfce029e58a4e9

SHA512
23f5b7ecf3839d43057b3de515ae60bb4affcb3c1231987995be35e33efd01c95b41ce1254e89aa1150f87ece6d9eed61c25f4877bd0494948648bda587a21dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
6ad5b6f5d1d7bbe24df099c7a9e836a7

SHA1
b54b2fbdbfb5ea04eaa38c5f80eb8e4689c86c58

SHA256
a74b62e13539afc9f000669309b33b81a0ebcefc4fd7a5ab464b259a94785846

SHA512
6513f16f91c9c2c2f9ad2f0cc64b334a51a19fa6efeb5dd409e993c5990668cfcff574b72be61b2a0c20e9992796573da86305e4a66f3f6d5ad9bc8b468de6b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
4KB

MD5
61fa0dc4feff29132f0c3b30933b3b36

SHA1
ad234aa356fa0dc86c72b032c52a5025a2039014

SHA256
5c483423f5e1e4df55d580c10842b693559a0dbab55731638434812aeb9f2eff

SHA512
2799079cd95cc2bdf28ff661e77951f3c00e15afe22843032a1fc803030a84a74b01c1481ea37388accbf812aae7ebdef42abea26f6383dafd5436c25b81d435

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
5KB

MD5
f60a3e20809172deb003412dd52b0d48

SHA1
cffea50feeae6c99facd240fcab75589948e2bba

SHA256
e99c4e3825c6aadb36685e4b74e37eafcaaa639072f804fb6c1e8be505963001

SHA512
c24f4af23145e965f6b59919c5070653181eea8e67b50418a96817a41f9a287b2e79b7cefa2f8e42e301d6be4acceddcc357648877e1a361ee4e5e013cd96898

Download Submit