229f0664e2673714d97f8cab0ccb934331b3491b08ab4191db626430954cda7f

Analysis

max time kernel
1682s
max time network
1690s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2024, 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cq9m0yxajidv4vf.html
Size

311KB
MD5

e5dcdef751bc5699ac12534d6e0db60f
SHA1

a721a729284f45e1a678d09a3359056b11beb70f
SHA256

229f0664e2673714d97f8cab0ccb934331b3491b08ab4191db626430954cda7f
SHA512

74d27c078c0595d31051c19d6baf4b5dfb042463803f38399628a19fa549e519e48b38d62ad596ca65aa188f1be0a94d7bb89066be21534c1e096d4e3d0a678a
SSDEEP

3072:ai5gAkHnjP/Q6KSEy/3HfPaW+LN7DxRLlzglKkxbm:LgAkHnjP/QBSEg/PCN7jBkxbm

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1784	msedge.exe
1784	msedge.exe
3060	msedge.exe
3060	msedge.exe
2900	identity_helper.exe
2900	identity_helper.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2892	3060	msedge.exe	84
PID 3060 wrote to memory of 2892	3060	msedge.exe	84
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 5056	3060	msedge.exe	86
PID 3060 wrote to memory of 1784	3060	msedge.exe	85
PID 3060 wrote to memory of 1784	3060	msedge.exe	85
PID 3060 wrote to memory of 3748	3060	msedge.exe	87
PID 3060 wrote to memory of 3748	3060	msedge.exe	87
PID 3060 wrote to memory of 3748	3060	msedge.exe	87
PID 3060 wrote to memory of 3748	3060	msedge.exe	87
PID 3060 wrote to memory of 3748	3060	msedge.exe	87
PID 3060 wrote to memory of 3748	3060	msedge.exe	87
PID 3060 wrote to memory of 3748	3060	msedge.exe	87
PID 3060 wrote to memory of 3748	3060	msedge.exe	87
PID 3060 wrote to memory of 3748	3060	msedge.exe	87
PID 3060 wrote to memory of 3748	3060	msedge.exe	87
PID 3060 wrote to memory of 3748	3060	msedge.exe	87
PID 3060 wrote to memory of 3748	3060	msedge.exe	87
PID 3060 wrote to memory of 3748	3060	msedge.exe	87
PID 3060 wrote to memory of 3748	3060	msedge.exe	87
PID 3060 wrote to memory of 3748	3060	msedge.exe	87
PID 3060 wrote to memory of 3748	3060	msedge.exe	87
PID 3060 wrote to memory of 3748	3060	msedge.exe	87
PID 3060 wrote to memory of 3748	3060	msedge.exe	87
PID 3060 wrote to memory of 3748	3060	msedge.exe	87
PID 3060 wrote to memory of 3748	3060	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\cq9m0yxajidv4vf.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcdfb246f8,0x7ffcdfb24708,0x7ffcdfb24718
  2⤵
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,17079345522515415389,18401717900629172443,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,17079345522515415389,18401717900629172443,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,17079345522515415389,18401717900629172443,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,17079345522515415389,18401717900629172443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,17079345522515415389,18401717900629172443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,17079345522515415389,18401717900629172443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,17079345522515415389,18401717900629172443,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  PID:2004
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,17079345522515415389,18401717900629172443,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,17079345522515415389,18401717900629172443,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4252 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,17079345522515415389,18401717900629172443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,17079345522515415389,18401717900629172443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1256 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,17079345522515415389,18401717900629172443,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
  2⤵
  PID:2956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,17079345522515415389,18401717900629172443,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4676 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d5564ccbd62bac229941d2812fc4bfba

SHA1
0483f8496225a0f2ca0d2151fab40e8f4f61ab6d

SHA256
d259ff04090cbde3b87a54554d6e2b8a33ba81e9483acbbe3e6bad15cbde4921

SHA512
300cda7933e8af577bdc1b20e6d4279d1e418cdb0571c928b1568bfea3c231ba632ccb67313ae73ddeae5586d85db95caffaedd23e973d437f8496a8c5a15025

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
568a7ff522f2f040de14c3beb3bd6a24

SHA1
e91c698d09636e0cb3e74c7539260f05b6da8bd7

SHA256
c0aa0a00fa08b05c09f3efbc8d476adcf370f3b2a5b3ddf715c214c2328ac215

SHA512
b4345850861fa81c64af4b1c8614af3a7e1d097d66ae8576071ff25e034b7e032a225dc4deb8ac21d1172f67eeba75b267020bab5a842d76b5e10732164983be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
76b98a485dd8df7e9094149d2e93c3df

SHA1
a158eec6b7d14484a9a43ad6ebd2e2edf5beeb8d

SHA256
69094fc8f5abd4b206a06021c843bcaeb85c51bcf6cb8f76c956054474c0930f

SHA512
9a53fffb0158fd594fcf11288cc03eea192ec59d5788dcfd3ff656b34c84afa93834a22c0c4f2969f4ca1430714aac73299fe8601d8f6d0f410aad50f4657530

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c2da9fa773507159ce109cce3e60f023

SHA1
3e87ade96f6e30795d5df33f438e556aed315ed7

SHA256
d666bd5fbafa020a3cbc0e7256c56fcacd066c94065fd0d4452d894603fa77cc

SHA512
80e17eb64460e867ca6da80f6c9a6dd91545e4d325f642aeb64b388e177bbf56b8c990624071464a459421ca399be4f27b94a2ef54d531c083954746d3376297

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
1d1c7c7f0b54eb8ba4177f9e91af9dce

SHA1
2b0f0ceb9a374fec8258679c2a039fbce4aff396

SHA256
555c13933eae4e0b0e992713ed8118e2980442f89fbdfb06d3914b607edbbb18

SHA512
4c8930fe2c805c54c0076408aba3fbfb08c24566fba9f6a409b5b1308d39c7b26c96717d43223632f1f71d2e9e68a01b43a60031be8f1ca7a541fe0f56f4d9f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4aa3f89bffbaa56d88c500d33450c503

SHA1
28241f839576e6ea28c81ca762dcff22a0b49342

SHA256
228dfc185c8868c9d73f6075ffc568dbc66a15b6364bd00bcd6538fa0b4e7206

SHA512
6f814a907410a40223546293ec6350f22844c4d97fb9052261a278fdd22dc969f357ac1f6e3f1b982541b569412cee969699bd21bae91cf89d0e58e1b3e6aee2

Download Submit