8c4264835d2644b9d8779b10b9f1f5a07b3f9e178eac1a53beb1538788b8a9e6

Analysis

max time kernel
1681s
max time network
1686s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
21/02/2024, 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windows-12-dev.html
Size

185KB
MD5

567d9c2430219fb62a70a135efe57648
SHA1

0b5007bb768548095653dee371f49a352e72086d
SHA256

8c4264835d2644b9d8779b10b9f1f5a07b3f9e178eac1a53beb1538788b8a9e6
SHA512

f1f6f145d19b7f2fbfcf50be8e0daeeae881cbfd0c5fbd07519efad56bfdd1e1a4e881bc84d8523778c64f65b3398ec09038b1007ddae24f2e8102f49c08fdf6
SSDEEP

1536:8CeWiaVNBd8LHVEvK4DE7mR4DEllxbOvN30vD9325s4DvdGKCsI5Wav1U+QLKs13:8CejbLIcazlldWFWKA5WP

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
800	msedge.exe
800	msedge.exe
3036	msedge.exe
3036	msedge.exe
4136	identity_helper.exe
4136	identity_helper.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 2052	3036	msedge.exe	85
PID 3036 wrote to memory of 2052	3036	msedge.exe	85
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 4556	3036	msedge.exe	87
PID 3036 wrote to memory of 800	3036	msedge.exe	86
PID 3036 wrote to memory of 800	3036	msedge.exe	86
PID 3036 wrote to memory of 4032	3036	msedge.exe	88
PID 3036 wrote to memory of 4032	3036	msedge.exe	88
PID 3036 wrote to memory of 4032	3036	msedge.exe	88
PID 3036 wrote to memory of 4032	3036	msedge.exe	88
PID 3036 wrote to memory of 4032	3036	msedge.exe	88
PID 3036 wrote to memory of 4032	3036	msedge.exe	88
PID 3036 wrote to memory of 4032	3036	msedge.exe	88
PID 3036 wrote to memory of 4032	3036	msedge.exe	88
PID 3036 wrote to memory of 4032	3036	msedge.exe	88
PID 3036 wrote to memory of 4032	3036	msedge.exe	88
PID 3036 wrote to memory of 4032	3036	msedge.exe	88
PID 3036 wrote to memory of 4032	3036	msedge.exe	88
PID 3036 wrote to memory of 4032	3036	msedge.exe	88
PID 3036 wrote to memory of 4032	3036	msedge.exe	88
PID 3036 wrote to memory of 4032	3036	msedge.exe	88
PID 3036 wrote to memory of 4032	3036	msedge.exe	88
PID 3036 wrote to memory of 4032	3036	msedge.exe	88
PID 3036 wrote to memory of 4032	3036	msedge.exe	88
PID 3036 wrote to memory of 4032	3036	msedge.exe	88
PID 3036 wrote to memory of 4032	3036	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\windows-12-dev.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed12e46f8,0x7ffed12e4708,0x7ffed12e4718
  2⤵
  PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,541166640656052247,4848996266919426928,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,541166640656052247,4848996266919426928,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2024 /prefetch:2
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,541166640656052247,4848996266919426928,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
  2⤵
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,541166640656052247,4848996266919426928,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,541166640656052247,4848996266919426928,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,541166640656052247,4848996266919426928,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
  2⤵
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,541166640656052247,4848996266919426928,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,541166640656052247,4848996266919426928,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,541166640656052247,4848996266919426928,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,541166640656052247,4848996266919426928,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,541166640656052247,4848996266919426928,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,541166640656052247,4848996266919426928,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4008 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f246cc2c0e84109806d24fcf52bd0672

SHA1
8725d2b2477efe4f66c60e0f2028bf79d8b88e4e

SHA256
0c1014ae07c2077dd55d7386cc9cf9e0551be1d67fe05a6006957427ae09fec5

SHA512
dcf31357eb39a05213550a879941e2c039ec0ba41e4867d5d630807420f070289552d56d9f16c6d11edcdb0f9448bf51e7d2e460e88aa9c55a5bfe5d8d331640

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
257B

MD5
a3302b80b2ce1805cdf6e1c58a4fdd35

SHA1
f13f3ceaf1e9b52f461ec33e7beab92b704c5cbc

SHA256
0fe499c642b673a60ddd7f0177abae212d8a17b9f31f0da33211f627b841daf7

SHA512
9f616bd7ce8b07b4c1b485b368dd9c4f05e6fe830ed62f48efaea0c2e1f42a9e2e64e2f290fe3ef9e6d725af80f5806274da819a352d38fd2ca95341b5331e94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5fe013955bffbe40d0e0f69b9e4cd334

SHA1
4ce59ca5d51ddbbccb1e92f11f82b6e40d746930

SHA256
935b1c65480c8f83a7a96082d2d0924f33e4748d4ef41b3ca7f80946f37325a1

SHA512
e9e4482c88212501711f7f3586544acfb260de8dddd391bd9b6b49fb6b343d89332dba836d0397036a67b1e86da5cd6abb9a54364e44993acc102d1af7407e77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ec2fdee79ae888c51c6ac6e840bf0eb3

SHA1
b5b8379cdb1e7382468c894cf3b914d94fb616e9

SHA256
6b80146ff3c16ed179c9e5034f0023361bddd252099579625552dfc6a349ca08

SHA512
75f3b67839ac8bbb828ccabd189a3d490af2083b5460ae8fb4a4be7d63073ce75e0edcfbad3953630320cb38dfa080ba11d92e3819971bb7ccb323fddcbd9f6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1d07f8e32d30636edf6e31592539b73f

SHA1
1341a2d7e3f6ff2d4b31d74d97a6a859877034d9

SHA256
7ddb0580f1023826a96818c04f98800ebbfbdaef21dcf98e10cc25e768477fad

SHA512
36e2df1900200f1e41c5a495a66ce6dadf77bacb9e51c5bbae39960f77ea0e32f2a0cbaff070706f73ac848ba5674635d5c32328a9be502761e1894ed536e269

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9c95f1f6571ac9d2a850c8c287004a66

SHA1
ddd1de95ac70cee23bdad14ce20e1ab3189f0c22

SHA256
1cc2c8a5f64ed39aa8cfc7ad92a387f261aae4de54dfa3abd2b417cc51465cc6

SHA512
d70dd9d7bcfb1400cb4b4794c8084bc15458729ceb13f43616fd399fb79c91f2fbbefed95c88babb85f8608dfa81793815a8a909e3826e63857171067e4427eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5e62a6848f50c5ca5f19380c1ea38156

SHA1
1f5e7db8c292a93ae4a94a912dd93fe899f1ea6a

SHA256
23b683118f90c909ce86f9be9123ff6ac1355adb098ffbb09b9e5ec18fc2b488

SHA512
ce00590890ed908c18c3ec56df5f79c6c800e3bea2ad4629b9788b19bd1d9e94215fb991275e6ec5a58ac31b193e1c0b9cbaa52ff534319a5e76ec4fc8d3ba54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8da9d4d29850b7e6f5d4602d5895cd25

SHA1
c6e33db7a5cab2b2bda475694ddd475c0890fac3

SHA256
9b64bf98ae6046a19ad8806953c4963d045abaf0fa79963055e2993ae98c9546

SHA512
1578abaf27583a24a262cf08ec2bedf3f903b594f497c5c1bf08c6cc8f2fd35a5ea60157d65107df8fc8ede9b8a97c10aa32212cb6acc0ac11fc6fbca7a1f363

Download Submit