9800732090589271a1e0a7b6c53b05c9a366655e8ab4f9e3d7c5a838f943c376

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20-02-2024 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9800732090589271a1e0a7b6c53b05c9a366655e8ab4f9e3d7c5a838f943c376.html
Size

819KB
MD5

a4ec5c3ec1f4d7159a709e3989701320
SHA1

9aadafbfc5779477796d87252a458971870788b5
SHA256

9800732090589271a1e0a7b6c53b05c9a366655e8ab4f9e3d7c5a838f943c376
SHA512

1a1e3fc95e9ffb2939a764456f637235fe628dfb8157c89cfabe839a3932539a8fee84d87036a46823197a64cff507578cf27c9659df47f4ff06ea796115de53
SSDEEP

6144:aSrPGb6pFz+J6dCcfOMcXLtEGYKM29+9oPyv1LIpc1JRqSYL:0EGd79UoPyOL

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3908	msedge.exe
3908	msedge.exe
4384	msedge.exe
4384	msedge.exe
5036	identity_helper.exe
5036	identity_helper.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4384 wrote to memory of 1460	4384	msedge.exe	84
PID 4384 wrote to memory of 1460	4384	msedge.exe	84
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 380	4384	msedge.exe	85
PID 4384 wrote to memory of 3908	4384	msedge.exe	86
PID 4384 wrote to memory of 3908	4384	msedge.exe	86
PID 4384 wrote to memory of 1700	4384	msedge.exe	87
PID 4384 wrote to memory of 1700	4384	msedge.exe	87
PID 4384 wrote to memory of 1700	4384	msedge.exe	87
PID 4384 wrote to memory of 1700	4384	msedge.exe	87
PID 4384 wrote to memory of 1700	4384	msedge.exe	87
PID 4384 wrote to memory of 1700	4384	msedge.exe	87
PID 4384 wrote to memory of 1700	4384	msedge.exe	87
PID 4384 wrote to memory of 1700	4384	msedge.exe	87
PID 4384 wrote to memory of 1700	4384	msedge.exe	87
PID 4384 wrote to memory of 1700	4384	msedge.exe	87
PID 4384 wrote to memory of 1700	4384	msedge.exe	87
PID 4384 wrote to memory of 1700	4384	msedge.exe	87
PID 4384 wrote to memory of 1700	4384	msedge.exe	87
PID 4384 wrote to memory of 1700	4384	msedge.exe	87
PID 4384 wrote to memory of 1700	4384	msedge.exe	87
PID 4384 wrote to memory of 1700	4384	msedge.exe	87
PID 4384 wrote to memory of 1700	4384	msedge.exe	87
PID 4384 wrote to memory of 1700	4384	msedge.exe	87
PID 4384 wrote to memory of 1700	4384	msedge.exe	87
PID 4384 wrote to memory of 1700	4384	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\9800732090589271a1e0a7b6c53b05c9a366655e8ab4f9e3d7c5a838f943c376.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9661446f8,0x7ff966144708,0x7ff966144718
  2⤵
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,2412954235188358413,11805238428854316229,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,2412954235188358413,11805238428854316229,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,2412954235188358413,11805238428854316229,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2412954235188358413,11805238428854316229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:3288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2412954235188358413,11805238428854316229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:2900
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,2412954235188358413,11805238428854316229,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5888 /prefetch:8
  2⤵
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,2412954235188358413,11805238428854316229,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5888 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2412954235188358413,11805238428854316229,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2412954235188358413,11805238428854316229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2412954235188358413,11805238428854316229,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2412954235188358413,11805238428854316229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,2412954235188358413,11805238428854316229,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4920 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fa070c9c9ab8d902ee4f3342d217275f

SHA1
ac69818312a7eba53586295c5b04eefeb5c73903

SHA256
245b396ed1accfae337f770d3757c932bc30a8fc8dd133b5cefe82242760c2c7

SHA512
df92ca6d405d603ef5f07dbf9516d9e11e1fdc13610bb59e6d4712e55dd661f756c8515fc2c359c1db6b8b126e7f5a15886e643d93c012ef34a11041e02cc0dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
674B

MD5
5ecc6e87c3046c5418a16b0bd9d92b66

SHA1
f78881eb1632e89d19b89b60fe3b2e9f91bf00e9

SHA256
f7c60b5f5d67af2b83257f356a7322e67c538cbdaa86bc5f84524b7df1aa7067

SHA512
ea4bb0931f5422ed5ea9bf2d2a0e6a3fc3e353357c31b0ece2479fc69d076654aeec8f4e4f874a3ef7bbff1c9aedf0dab1fd3148e9aa7d3abd47907819fcc8f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d8833b96dd8baf792a9b28b3cd8f111d

SHA1
94cad47650e12f350fa828b0ae7f11aacfd41e0e

SHA256
065f2ac347c32d1e092b38a9def550cd10cd5af6d33f20ec76327cd29bbda441

SHA512
248e49118655952c486cf2f8050fb6539e1f7756eda190188be6897dcc08b0cf4b19b9dc59d8a073bb10a89f4161f0d3bf6cdfc9838491763e2f9981db9d9055

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3da611aa533a1771fbea28d1d27ba568

SHA1
8b77b14b15900e3a835f79527b4e171b6ee1b3c3

SHA256
9dea3a3439b7d54ed1e7c5bcd3e657a54e2c523bb19a8c924070dbf10cb1f513

SHA512
a117cdbf958a4d8656824be89a8000705ee51704aae66bbfe92cdb66b7607dc36bbca41ff709baabd0ba810c45b025efb2a3416dc70cb05e178ed60e6e29df73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
917dedf44ae3675e549e7b7ffc2c8ccd

SHA1
b7604eb16f0366e698943afbcf0c070d197271c0

SHA256
9692162e8a88be0977395cc0704fe882b9a39b78bdfc9d579a8c961e15347a37

SHA512
9628f7857eb88f8dceac00ffdcba2ed822fb9ebdada95e54224a0afc50bccd3e3d20c5abadbd20f61eba51dbf71c5c745b29309122d88b5cc6752a1dfc3be053

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ed911b1f38a3294878c819ff2aaede8a

SHA1
f839d29997363ba6372ed8c9e125dd56a3c674af

SHA256
8b2cb18f42d4a435431659d052f9996f6d5040abd29249e1bf06eefa5a172329

SHA512
c43a105cbe01691a1c45b17082dd797a48ce51889e47a9b7b263d05754b4cfc016b6c8d2c00ffc43060180642f0825ef111c39f42b6ca9992e92558dae649d7b

Download Submit