e7da3cd5f2863f25a3727bb30c5d4643b1b2aa5614c68712585d4275e62766a2

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14/02/2024, 09:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9b49c646e898a5be0de1cc821a8beaf4.html
Size

5KB
MD5

9b49c646e898a5be0de1cc821a8beaf4
SHA1

89bde3ca62902820a664304a9df60e9adf4b999f
SHA256

e7da3cd5f2863f25a3727bb30c5d4643b1b2aa5614c68712585d4275e62766a2
SHA512

4fdb567c080a805c52d58db634b7a977e530e951280d8087faee8dcbfac18a095d1a315c07ae9741ca2de524c33bb0bc6339a59562e1528a2dc469c24cccc010
SSDEEP

48:ESsjiC+Wf0nLuPgf9NVdPaoZ16PlruYMhtt5OWC:pstf0n6w7HFZsPTIrDC

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4684	msedge.exe
4684	msedge.exe
3016	msedge.exe
3016	msedge.exe
1480	identity_helper.exe
1480	identity_helper.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2308	3016	msedge.exe	84
PID 3016 wrote to memory of 2308	3016	msedge.exe	84
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4320	3016	msedge.exe	86
PID 3016 wrote to memory of 4684	3016	msedge.exe	85
PID 3016 wrote to memory of 4684	3016	msedge.exe	85
PID 3016 wrote to memory of 2644	3016	msedge.exe	87
PID 3016 wrote to memory of 2644	3016	msedge.exe	87
PID 3016 wrote to memory of 2644	3016	msedge.exe	87
PID 3016 wrote to memory of 2644	3016	msedge.exe	87
PID 3016 wrote to memory of 2644	3016	msedge.exe	87
PID 3016 wrote to memory of 2644	3016	msedge.exe	87
PID 3016 wrote to memory of 2644	3016	msedge.exe	87
PID 3016 wrote to memory of 2644	3016	msedge.exe	87
PID 3016 wrote to memory of 2644	3016	msedge.exe	87
PID 3016 wrote to memory of 2644	3016	msedge.exe	87
PID 3016 wrote to memory of 2644	3016	msedge.exe	87
PID 3016 wrote to memory of 2644	3016	msedge.exe	87
PID 3016 wrote to memory of 2644	3016	msedge.exe	87
PID 3016 wrote to memory of 2644	3016	msedge.exe	87
PID 3016 wrote to memory of 2644	3016	msedge.exe	87
PID 3016 wrote to memory of 2644	3016	msedge.exe	87
PID 3016 wrote to memory of 2644	3016	msedge.exe	87
PID 3016 wrote to memory of 2644	3016	msedge.exe	87
PID 3016 wrote to memory of 2644	3016	msedge.exe	87
PID 3016 wrote to memory of 2644	3016	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\9b49c646e898a5be0de1cc821a8beaf4.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee4ba46f8,0x7ffee4ba4708,0x7ffee4ba4718
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,2337543273953443067,3758859907173256280,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,2337543273953443067,3758859907173256280,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,2337543273953443067,3758859907173256280,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:2644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2337543273953443067,3758859907173256280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2337543273953443067,3758859907173256280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,2337543273953443067,3758859907173256280,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,2337543273953443067,3758859907173256280,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2337543273953443067,3758859907173256280,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2337543273953443067,3758859907173256280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:3436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2337543273953443067,3758859907173256280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
  2⤵
  PID:472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2337543273953443067,3758859907173256280,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,2337543273953443067,3758859907173256280,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5312 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1820

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d5564ccbd62bac229941d2812fc4bfba

SHA1
0483f8496225a0f2ca0d2151fab40e8f4f61ab6d

SHA256
d259ff04090cbde3b87a54554d6e2b8a33ba81e9483acbbe3e6bad15cbde4921

SHA512
300cda7933e8af577bdc1b20e6d4279d1e418cdb0571c928b1568bfea3c231ba632ccb67313ae73ddeae5586d85db95caffaedd23e973d437f8496a8c5a15025

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
184B

MD5
195170a47b6af07cb36f37d88ab13618

SHA1
b74d924e2c94817f5ae3dc78d3ef99412324fc72

SHA256
1075c7c549880e9614caa73ddb7bdfa50b3a191a655bb36f438d0492bca7fbb1

SHA512
7e071def0fd2841838dbfa41b1ff2b78ac1091c0efcb6f394a3bd0d9edd03932711f1d5273308bba010683316355a3c8c254066cc7c1337579d114af18ee1de4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d408b489663a5066fd1191fa7edae149

SHA1
79068be750c1bb1f32f4f5c5d537d515f98153b5

SHA256
3cefc3f491c1737e4b5e9922c47c2fdb429b7b5ac787293aa9eed0a37f715575

SHA512
57d083f806765a16afa3160240fac6caec172f7e55ad0ad7f58ec052a893b8b5d17724a1a0edaccaf38c2a967db27c723feb17230f4fd9df35873a8eb209d288

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
724b7c16cbf6b8690af0b8ca06c7ce36

SHA1
e1fe1ae5e44c642fa93d81bc13676f9e21aa1d44

SHA256
6cea350be820710c58503ad5cb4a3748bde5990f228ef4e922bb0c0a5275427e

SHA512
d8ebf4515cd9ed70defdaf500821d1c074dac931c700395f7b1b42f36bf3ddbacf0f890f8b49068501938237f320bc413b8460eb29a37f9662c3496084a91162

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
1d1c7c7f0b54eb8ba4177f9e91af9dce

SHA1
2b0f0ceb9a374fec8258679c2a039fbce4aff396

SHA256
555c13933eae4e0b0e992713ed8118e2980442f89fbdfb06d3914b607edbbb18

SHA512
4c8930fe2c805c54c0076408aba3fbfb08c24566fba9f6a409b5b1308d39c7b26c96717d43223632f1f71d2e9e68a01b43a60031be8f1ca7a541fe0f56f4d9f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ca72239133c08c17d9ce1370823030da

SHA1
6d14724232e3413f9adafbf70686eb3794f32bb1

SHA256
50604f93095b654b58a4ca4891762e1cb979a193e53bbec84566696861b087af

SHA512
b68a86d01f9be1a1310d99c56a717d963149eaf24f9b3ba2c5547ff02078d161df78243dc62b39f67e154720193bd6a515c645ad092768a52fb422f8df072be4

Download Submit