0c645dd01b7fceeecf6be5a13c7251ec31d9c0c27dcfab610878574aac8050a7

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240220-en
resource tags

arch:x64arch:x86image:win10v2004-20240220-enlocale:en-usos:windows10-2004-x64system
submitted
20-02-2024 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Deadpool.html
Size

9KB
MD5

4a20f570105222203ecb3202145cbfe5
SHA1

2de01f566fab3cb462609acd8f1a0b72bd14c53b
SHA256

0c645dd01b7fceeecf6be5a13c7251ec31d9c0c27dcfab610878574aac8050a7
SHA512

4c1f8714685bd220353110be3addc7e8879afec9eeb0367433370542f06eece794725f9e860d90570f5633cf4ea6567357b9834958ecd144138a71561d2bac01
SSDEEP

192:OxqEJZD64uPpB2m03tK4U2ZMCTDbzaCK9Xt9yvegPHgoC2d9Z66:OpUpB2f3tKMMCTDbzaCOyvz

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
976	msedge.exe
976	msedge.exe
2848	msedge.exe
2848	msedge.exe
1656	identity_helper.exe
1656	identity_helper.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 4516	2848	msedge.exe	52
PID 2848 wrote to memory of 4516	2848	msedge.exe	52
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 2952	2848	msedge.exe	85
PID 2848 wrote to memory of 976	2848	msedge.exe	87
PID 2848 wrote to memory of 976	2848	msedge.exe	87
PID 2848 wrote to memory of 552	2848	msedge.exe	86
PID 2848 wrote to memory of 552	2848	msedge.exe	86
PID 2848 wrote to memory of 552	2848	msedge.exe	86
PID 2848 wrote to memory of 552	2848	msedge.exe	86
PID 2848 wrote to memory of 552	2848	msedge.exe	86
PID 2848 wrote to memory of 552	2848	msedge.exe	86
PID 2848 wrote to memory of 552	2848	msedge.exe	86
PID 2848 wrote to memory of 552	2848	msedge.exe	86
PID 2848 wrote to memory of 552	2848	msedge.exe	86
PID 2848 wrote to memory of 552	2848	msedge.exe	86
PID 2848 wrote to memory of 552	2848	msedge.exe	86
PID 2848 wrote to memory of 552	2848	msedge.exe	86
PID 2848 wrote to memory of 552	2848	msedge.exe	86
PID 2848 wrote to memory of 552	2848	msedge.exe	86
PID 2848 wrote to memory of 552	2848	msedge.exe	86
PID 2848 wrote to memory of 552	2848	msedge.exe	86
PID 2848 wrote to memory of 552	2848	msedge.exe	86
PID 2848 wrote to memory of 552	2848	msedge.exe	86
PID 2848 wrote to memory of 552	2848	msedge.exe	86
PID 2848 wrote to memory of 552	2848	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Deadpool.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe5bcb46f8,0x7ffe5bcb4708,0x7ffe5bcb4718
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,4811189486653390291,6468752854736779094,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
  2⤵
  PID:2952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,4811189486653390291,6468752854736779094,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  PID:552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,4811189486653390291,6468752854736779094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,4811189486653390291,6468752854736779094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,4811189486653390291,6468752854736779094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,4811189486653390291,6468752854736779094,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:1248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,4811189486653390291,6468752854736779094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,4811189486653390291,6468752854736779094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5756 /prefetch:8
  2⤵
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,4811189486653390291,6468752854736779094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5756 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,4811189486653390291,6468752854736779094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,4811189486653390291,6468752854736779094,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,4811189486653390291,6468752854736779094,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1124 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9ebd667e8db80b0ab07f02f3dc844252

SHA1
461bade20eebf59e30e8c3620640d6df6db79249

SHA256
d04531e41d70e7832898e797081335b3f0314b09141a01de921ff679dba41b0f

SHA512
75f92d1f4ab942c3fdd3b70542956ea246f718aa8808a53f33d52278505f4f783e4c0458e5093ea4f459e72faea431f926373883eed2ec7da1109bd7efc6fb57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f621c7614503377ba83f2fcfca1c303b

SHA1
c7ec737f8e0262052e038691e5b38db37bdfe56e

SHA256
c2d2e04acc5e2cd129dd3211f73b498043051b74a2f661c1199224b37b681b26

SHA512
203e5e582007efb7d11b0442e85d4e37a4cc1332bd6367cd74b0d4b9de0d0df85757bdc66474f62309bf530841ab7a5e4c0d43c95aa416b7175129e2e2b36c26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
184B

MD5
91a7db4f77b7016eb47f0e08e9d2ec13

SHA1
37a699b7f4fe97e81df7641b29b3d55cd156c94f

SHA256
6f912d9a570f472106de9d13131e40d95fce809f86264a51dc646eee4125beb8

SHA512
442b678c47e45fc44dacd3429d155e0165c9de5244b228e8cbe8a384f927ab822b54ca26c684565f1ddef4cb40246f046bb06ec8520f7e8a9f0c1de2403bee05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
afad84dcec1934646889b69662c36474

SHA1
4cc0a202e060a0ee1d7c27c0538f57f5cf1c64fa

SHA256
d8eed9f7cdb5457f7f043737a00abd1306031ee4d1fb91fb70bfd00d15377790

SHA512
c0b7cc20ec5461645e821a3ae8363828262a2673829f18f385c17d116799ca6a1a36f770939f02f30c7e5a20cd67642890f7410ebb2f979f3b67c33c30b3c07d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d8885ba159572699caf2780159c66b2a

SHA1
44bca20fb743b64a36af85360b7fb98e761e45c0

SHA256
6ccdd93a3bd22eba21b5217503c436701e6b12b9031db7dd16f266b83dcd64bd

SHA512
a425157a521526f74a3069071b6612840072be789f0bd6d22c29c88150f5375c3c55b276317a0b6c18a22a06e51a226d044276c4fbefe61960bb07d7de568187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
eb6fc5c030998b70593de71d02b0d545

SHA1
8b31577ea233115fa848abe2de9433fefe75a17c

SHA256
95ebb8597923b838a39d36ca86cf346072d093d782cfc9f5cec93c19f53c9a53

SHA512
767d1f3620ae48b656f016c5cc28f885df5b1494625d643ba0996bc88bc3eb442da13cdc48af45c7e243c8f816130bc046625f698317cab49fe7043662e49f73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
54a506ef919e9e1aeb5b48ec14c61602

SHA1
6a055d8e350b92a0a7bb91362d33fa6b9cf65999

SHA256
b23d8b2ca07d092f9d00b54a734e8f5295470c3fe46557792276373ff94d3a72

SHA512
f717c6cad07571bc4a869e513201dbc3ed1a01917aa59123aee82c36d79075d845eb56d3828b0671298f867eb3f6327d0a3ed560bc93d10e7c5ec817cf3531b2

Download Submit