0cb40db63bb31ddcb02354f16f9bc3bc7551926dcc62be94bedc2cbd1a9e3c1d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240220-en
resource tags

arch:x64arch:x86image:win10v2004-20240220-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2024, 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

redirect.html
Size

6KB
MD5

c45404e62b8dec4694e816a8ff46e998
SHA1

eae11c2d5ef1b1cff29dfe9db723c9181167197d
SHA256

0cb40db63bb31ddcb02354f16f9bc3bc7551926dcc62be94bedc2cbd1a9e3c1d
SHA512

065119397d9a09b646be637ca843bafd108ced90d16b8b77b60f14730e154f4ccdaefea177b56f315ecc7e188ed159f1cef23a8239c5a3b089f0a5ca97f0d43e
SSDEEP

192:duHLxX7777/77QF7EyrY0Lod4BYCIpHOfX4:dur5HYc0+CIpHOfX4

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3552	msedge.exe
3552	msedge.exe
4040	msedge.exe
4040	msedge.exe
1820	identity_helper.exe
1820	identity_helper.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4040 wrote to memory of 4300	4040	msedge.exe	77
PID 4040 wrote to memory of 4300	4040	msedge.exe	77
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3616	4040	msedge.exe	86
PID 4040 wrote to memory of 3552	4040	msedge.exe	85
PID 4040 wrote to memory of 3552	4040	msedge.exe	85
PID 4040 wrote to memory of 4084	4040	msedge.exe	87
PID 4040 wrote to memory of 4084	4040	msedge.exe	87
PID 4040 wrote to memory of 4084	4040	msedge.exe	87
PID 4040 wrote to memory of 4084	4040	msedge.exe	87
PID 4040 wrote to memory of 4084	4040	msedge.exe	87
PID 4040 wrote to memory of 4084	4040	msedge.exe	87
PID 4040 wrote to memory of 4084	4040	msedge.exe	87
PID 4040 wrote to memory of 4084	4040	msedge.exe	87
PID 4040 wrote to memory of 4084	4040	msedge.exe	87
PID 4040 wrote to memory of 4084	4040	msedge.exe	87
PID 4040 wrote to memory of 4084	4040	msedge.exe	87
PID 4040 wrote to memory of 4084	4040	msedge.exe	87
PID 4040 wrote to memory of 4084	4040	msedge.exe	87
PID 4040 wrote to memory of 4084	4040	msedge.exe	87
PID 4040 wrote to memory of 4084	4040	msedge.exe	87
PID 4040 wrote to memory of 4084	4040	msedge.exe	87
PID 4040 wrote to memory of 4084	4040	msedge.exe	87
PID 4040 wrote to memory of 4084	4040	msedge.exe	87
PID 4040 wrote to memory of 4084	4040	msedge.exe	87
PID 4040 wrote to memory of 4084	4040	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\redirect.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff21e246f8,0x7fff21e24708,0x7fff21e24718
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,14029852330508849665,6372638437443668110,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,14029852330508849665,6372638437443668110,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  2⤵
  PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,14029852330508849665,6372638437443668110,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
  2⤵
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14029852330508849665,6372638437443668110,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14029852330508849665,6372638437443668110,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14029852330508849665,6372638437443668110,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14029852330508849665,6372638437443668110,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4328 /prefetch:1
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,14029852330508849665,6372638437443668110,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,14029852330508849665,6372638437443668110,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14029852330508849665,6372638437443668110,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4360 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14029852330508849665,6372638437443668110,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1
  2⤵
  PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14029852330508849665,6372638437443668110,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14029852330508849665,6372638437443668110,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,14029852330508849665,6372638437443668110,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3828 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b1f40e0d6ceaf161dfc1dfdddcfc44af

SHA1
b6557a6331b4c54efb30597ad4da0be03013a23e

SHA256
065557e5cddcc8022528dc82c5fd618ca28c153d6e34978d2ba84d33227eed48

SHA512
0d7fd3eabf2d2b426c627531b29e433cab175232c169a77623213b7b9935458b3067a2860137b030235526e49ca4df6867534135cf9da60697d6fa43441e7818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
18bc1d880e1a43364e572a20540c025b

SHA1
93b7043da91e7697d7268a52ca9a434a55ddbb75

SHA256
11fcaea6cf095ba038a344829e699198e7c981149f15e30a51229b8dbca6937f

SHA512
3e8ca38dbd4d9aa865fdfa359033fb47f581b93842f1ccb667f243cc630bfabf8390cbf8ed1de6110b18819f0d831312304806667bc68fdd13ea1bb09b44742e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
d8cde44e9aa9cac989263413fe2c403f

SHA1
1fdde8c0d08f526eff89e4c51f3b5a9af6ef4610

SHA256
82c4b924cc15f1e946e496e5395937b14ed401138d6fa7521adb59cf98d56ee0

SHA512
442b87d550f12007b7c2b1bcd8205420a69727d462b0d64706ff1f1065e7f6ce002c53712aabf71be1123f3b27acb72c53e28488c2a4ed372e543c0d3e87752c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ce9f0265f04c93ae2d113efb2b027a3a

SHA1
b6d99a6aba69dbf40fec987eb9672b62680d9236

SHA256
988cf95418a22500ec33f973fa541612e64eb54acc8f53ac53d3bcf09afc6364

SHA512
f39daad16acd609716a00d53350264009c91bb39066d7936a9914de3209e577b0f05c729a808d0657e63bd734797fe265aa1d4e22ea431b91a4c3e2c6f3de4f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9f8a952a68a6f9f86a67061ca259aec9

SHA1
b2fe937176ef9bec662fe406566a950d032ca8fb

SHA256
ac216e2b4ee585489a28a8d2d9b4e8ff4eb488411bd5774a2f666cbdb5e05bb1

SHA512
4bc7956118bcee5eb6a4cbcfa5507d4a15ef8280ccd1e4cbf3bb383c7236921df1f9f9f1be7fa5001bbf73c95464fe55cd98ae17f57b72252ce83d5496237a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
05e3df065c9ad35026f4911698c8189c

SHA1
237cabb9ba155ef61d2fee2746ec720bef37a343

SHA256
e4870971918ad3d2f2ca4dd38e53aed59c4bfb19f3b25adb1f420459a616ff3f

SHA512
e1303563448bba5dee0735a4e2a6b0ab0c4544987ee0b180eeaa15231669aecf10ae73a71f9b1cbba3b67b346d6c8324ef043e34962dcb0e04e37abb485dfe1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
51cd86ed4a85642913b20fb2486a5d49

SHA1
bb1e25ca5acca809a7b02fcc09e3baf65fb8f121

SHA256
11e0261a4a0e8662fa1edce138f24a8d511951fd35439065ae637a1c869dffc6

SHA512
604bb9858bacc881376d6c757a6f4277f0f747083ac187f6db0508c03bb1b5d083b6f4a3bf52be8df5662d048447f38127eb7aa9ad7f5e858cc11598433201f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
12e26b62f77b7d5fb33a8267f7ae500f

SHA1
8ae3a3b15c1c76fc3edb91a9181fc47fd36170e1

SHA256
5461b17b341e458b2859b025c76766a201db8e3067ff4e8033630cb5a187e8fc

SHA512
35e09d76bf0acde743d64c862344e1cff7f04ced052b21d4e2745a2209272e496dc545234b40f1fe7b3c6e373bdf1349166cb30cbf94deb48df1c29731678333

Download Submit