c722b0568a7650a398e879cdc562e60f181a19a0ed3b2da7c26e6d38e2138d51

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2024 09:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99028589be1510bbc03ec1b5144ba16d.html
Size

11KB
MD5

99028589be1510bbc03ec1b5144ba16d
SHA1

a8e73cb0634062ff2f578b36a37aed2b2d17b1e5
SHA256

c722b0568a7650a398e879cdc562e60f181a19a0ed3b2da7c26e6d38e2138d51
SHA512

b2738ee448e467cfa8abc449500bd2c86aaf4447d6e3403697c0e13f5e2115181014565f56c2e838d69e3ba32162d3a5fa9b996ca3341edc05eb78ce41c87c2a
SSDEEP

192:1ugU0NNAon4AnuP6dbOKRLsBjconOrQMTiEzEZ8Ug7gG7W8aYF:1u70NNAoxRLc4CEzESF

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
864	msedge.exe
864	msedge.exe
4872	msedge.exe
4872	msedge.exe
1100	identity_helper.exe
1100	identity_helper.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 1524	4872	msedge.exe	34
PID 4872 wrote to memory of 1524	4872	msedge.exe	34
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 2408	4872	msedge.exe	87
PID 4872 wrote to memory of 864	4872	msedge.exe	85
PID 4872 wrote to memory of 864	4872	msedge.exe	85
PID 4872 wrote to memory of 1596	4872	msedge.exe	86
PID 4872 wrote to memory of 1596	4872	msedge.exe	86
PID 4872 wrote to memory of 1596	4872	msedge.exe	86
PID 4872 wrote to memory of 1596	4872	msedge.exe	86
PID 4872 wrote to memory of 1596	4872	msedge.exe	86
PID 4872 wrote to memory of 1596	4872	msedge.exe	86
PID 4872 wrote to memory of 1596	4872	msedge.exe	86
PID 4872 wrote to memory of 1596	4872	msedge.exe	86
PID 4872 wrote to memory of 1596	4872	msedge.exe	86
PID 4872 wrote to memory of 1596	4872	msedge.exe	86
PID 4872 wrote to memory of 1596	4872	msedge.exe	86
PID 4872 wrote to memory of 1596	4872	msedge.exe	86
PID 4872 wrote to memory of 1596	4872	msedge.exe	86
PID 4872 wrote to memory of 1596	4872	msedge.exe	86
PID 4872 wrote to memory of 1596	4872	msedge.exe	86
PID 4872 wrote to memory of 1596	4872	msedge.exe	86
PID 4872 wrote to memory of 1596	4872	msedge.exe	86
PID 4872 wrote to memory of 1596	4872	msedge.exe	86
PID 4872 wrote to memory of 1596	4872	msedge.exe	86
PID 4872 wrote to memory of 1596	4872	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\99028589be1510bbc03ec1b5144ba16d.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3d9146f8,0x7ffe3d914708,0x7ffe3d914718
  2⤵
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,17541918826048444134,3677852451536448495,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,17541918826048444134,3677852451536448495,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
  2⤵
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,17541918826048444134,3677852451536448495,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17541918826048444134,3677852451536448495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17541918826048444134,3677852451536448495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17541918826048444134,3677852451536448495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17541918826048444134,3677852451536448495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,17541918826048444134,3677852451536448495,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,17541918826048444134,3677852451536448495,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17541918826048444134,3677852451536448495,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17541918826048444134,3677852451536448495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:2624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17541918826048444134,3677852451536448495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1
  2⤵
  PID:740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17541918826048444134,3677852451536448495,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
  2⤵
  PID:1168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,17541918826048444134,3677852451536448495,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1260 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1386433ecc349475d39fb1e4f9e149a0

SHA1
f04f71ac77cb30f1d04fd16d42852322a8b2680f

SHA256
a7c79320a37d3516823f533e0ca73ed54fc4cdade9999b9827d06ea9f8916bbc

SHA512
fcd5449c58ead25955d01739929c42ffc89b9007bc2c8779c05271f2d053be66e05414c410738c35572ef31811aff908e7fe3dd7a9cef33c27acb308a420280e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
314B

MD5
64e58d0c5d91e184afd05eacc543d400

SHA1
81b3266665da70da1dc1c71ae9797cef78b51455

SHA256
a0ede9d5d3c34318597e106321193141c21fa48aad207a7483f6ae6cac938787

SHA512
554f4fed245a54acf9a77ecd1dc2fdc320238b35a9bf11c31e5c0caf173fa03808aefe75f6a8da50977e859b706ad4db4591bfaeda9b341d9be6014b2240a2a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
12b494fe13cba67eddbd48bd1a1d686b

SHA1
18ee3513c64e5bc2918b54b3dd3da853c060a95d

SHA256
8cb218f5e7c9d80735bccddcb0ba9c1857882b1160d771968a1acc5a3ed8bef9

SHA512
f331c54be3261ee349740ecc0193d11608f8ce3d827f4e060ce312b5cee8d06f2c6080f93475451ffeadde25150a9a388c0640d5afb3434890e1869001bf843b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3c0db558fddbc9e4df9bb33d498226de

SHA1
ead033a46fbe2a1a2954321e73401eb46be639ff

SHA256
afccc170000add391d50127cb0ef85d191af88052d7bbb12b5b06199d0498991

SHA512
d55eb8b1605a10e652cdbe96e5b1346e40bbbe0df0128569fc8c9609256fc096aa2015d465225730789ab1ce665353c4e24098135d6294e3873c8ed1f3961a3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e664066e3aa135f185ed1c194b9fa1f8

SHA1
358ff3c6ad0580b8ae1e5ef2a89a4e597c2efdc5

SHA256
86e595be48dbc768a52d7ea62116036c024093e1302aced8c29dd6a2d9935617

SHA512
58710818b5f664006a5aa418da6c8cd3f709c2265bc161f81b9dfe6cdb8304fabaa4ce9deba419fe4281623feeeaa0321f481ae5855d347c6d8cf95968ee905e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
48ad837aa91972ec6d18f7013445a857

SHA1
c4e950e46f075bf2b61f01d86a7d30f4bf436118

SHA256
85f558f58f5a9e12a8868b6e37b719cb510d46345ed2112119f8bd8d8ffe26f8

SHA512
98525bfcde150fa6939d6a4d6d06bea93587ca85553e1b0bff8d6829c5633731ea76a004685bed4939475ea7aa4f221a361070b4fe202e8947a91078191a4cd1

Download Submit