6de8ff740d50531c969526ce34407073d741cfb58d5cfed5c625a6583070dc17

Analysis

max time kernel
150s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22/02/2024, 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

email-html-2.html
Size

5KB
MD5

52f8fb6fe2e4267ac58e00702a775134
SHA1

69b3de064139cb195d50452258fabf769b0288cb
SHA256

a28619530339daffac97d2703ccc86da98aa7e7d258f6f21f72b2ef822a01625
SHA512

bee49251120b75427a0c5725f6b3d189f01b360b2dfa4f77b0e3857ffcf225b0a57bf96ecc9eebef3ecbdadcf93eddaf66070878afc237dd7356348bf8b00b47
SSDEEP

96:/LeeeeBABTQ0frE+/ABTQ0frE+zDABTQ0frE+/ABTQ0frE+2FIABTQ0frE+/ABTk:pe7L/e7LzDe7L/e7L2FIe7L/e7LHe7Lv

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
396	msedge.exe
396	msedge.exe
4720	msedge.exe
4720	msedge.exe
3564	identity_helper.exe
3564	identity_helper.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 5016	4720	msedge.exe	85
PID 4720 wrote to memory of 5016	4720	msedge.exe	85
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 4384	4720	msedge.exe	86
PID 4720 wrote to memory of 396	4720	msedge.exe	87
PID 4720 wrote to memory of 396	4720	msedge.exe	87
PID 4720 wrote to memory of 4740	4720	msedge.exe	88
PID 4720 wrote to memory of 4740	4720	msedge.exe	88
PID 4720 wrote to memory of 4740	4720	msedge.exe	88
PID 4720 wrote to memory of 4740	4720	msedge.exe	88
PID 4720 wrote to memory of 4740	4720	msedge.exe	88
PID 4720 wrote to memory of 4740	4720	msedge.exe	88
PID 4720 wrote to memory of 4740	4720	msedge.exe	88
PID 4720 wrote to memory of 4740	4720	msedge.exe	88
PID 4720 wrote to memory of 4740	4720	msedge.exe	88
PID 4720 wrote to memory of 4740	4720	msedge.exe	88
PID 4720 wrote to memory of 4740	4720	msedge.exe	88
PID 4720 wrote to memory of 4740	4720	msedge.exe	88
PID 4720 wrote to memory of 4740	4720	msedge.exe	88
PID 4720 wrote to memory of 4740	4720	msedge.exe	88
PID 4720 wrote to memory of 4740	4720	msedge.exe	88
PID 4720 wrote to memory of 4740	4720	msedge.exe	88
PID 4720 wrote to memory of 4740	4720	msedge.exe	88
PID 4720 wrote to memory of 4740	4720	msedge.exe	88
PID 4720 wrote to memory of 4740	4720	msedge.exe	88
PID 4720 wrote to memory of 4740	4720	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\email-html-2.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffaa8046f8,0x7fffaa804708,0x7fffaa804718
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,6156923390996690060,15510296163435848793,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,6156923390996690060,15510296163435848793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,6156923390996690060,15510296163435848793,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6156923390996690060,15510296163435848793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6156923390996690060,15510296163435848793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,6156923390996690060,15510296163435848793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,6156923390996690060,15510296163435848793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6156923390996690060,15510296163435848793,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:1348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6156923390996690060,15510296163435848793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6156923390996690060,15510296163435848793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6156923390996690060,15510296163435848793,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6156923390996690060,15510296163435848793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6156923390996690060,15510296163435848793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,6156923390996690060,15510296163435848793,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2364

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4db60c9bb06ea5452df26771fa873ac

SHA1
c118183a1315a285606f81da05fc19367a2cdfe1

SHA256
f168242e74bfde18bacb9e18945a39bb447188eba916c7adf0f342ed8d82281e

SHA512
180ed98f9d5a14a22687a099c4a0ba6b586610f7b8b4c8de89f3b91713b07a2ef3726fcd318cb4e270b1745213b898037d29cca4b490d0c91833b797d69ac406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f5b0bf4edca2187f7715ddd49777a1b2

SHA1
eb78099013d0894a11c48d496f48973585f0c7c0

SHA256
562016f9159ef363fcbe62ed13ee26052b31d4f67dc5ea6d60864a7d5dfa50a1

SHA512
1039b98cffd32ca4c9e37486b96e01b167d76b19dd8440a21da4932d677c463f4c5ce2260239e8337f59bd61ff3111905e23ab71d3ca5b20e7d2935fea7952c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2a268b31ea5ee35dea51559705a9d6c0

SHA1
30318193353aa4ac49a740c35df86c94195d6290

SHA256
449657f931cffc348ea2b00b89f0c471401f70431ba668d0037e196f9517ed27

SHA512
014797050b145c7747e7dff45b26deebcba1a580b02c9de572f3bbfeaff62984c10160074cf956142d387b2b960650825eec4858e9167f226c74b10ba9e3ca4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
92aa519059198cf59dcf5665ca988390

SHA1
2ef68410b9fddff3437a4c864d2c8c556f6dd4de

SHA256
32089ea742044c743f04c3dff290cf0d444e3bcba92b709507a8c429755e21be

SHA512
eff2900122f41061533d93ae51a55992b81692fb157af58ce57021f86660f3b2acf8e14fae9ecaa4ada87c5b60218c6b4ed6d996438d6c11ead6665080f5218d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
df34a82fdcffaaeaf5e80eb1aa86ca19

SHA1
d5347bdb28289cc2229251ecc6e62d56dc4f7f7c

SHA256
4c7280eeb1c249dda4405ea00c39087543ec0dcb4e7a895b2f0dd8134d1bdeeb

SHA512
af290c41d786010241b71bc26f7c5e03f6d4942e5b040e1dd639209c141e09a04b96b7b4ee986bf481ebf0f2f1b88665623e655ee4db2ef165c6ceb1534bf80a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
820bf0f962aae97c8e4ec84595332179

SHA1
ce95baafc3c0a792f698b163d9a311d2d74c0196

SHA256
c76aa5ffd6975be06ad7eb00a23642993a5a3061ef24c07f4843ac10dfe7efaf

SHA512
fde9f5a6198987d67d2ba05af2985994c5763f12e78e37daecc6943b1581fa793be4191b53ff20af550efb442d24bf10f169d49b8581a1a2fc5c50ea782b1d49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
06402f75d07375bd189c17add3163493

SHA1
abd8c7f478a4846500853481639fd4f9efd6a279

SHA256
baa218d23b3e1b6e0e7cd4efcc1cf34d034a3ed57b6d10ac433135fc03272e4b

SHA512
8152e08503c56dd115d78d8ce089d6dbe94a19d95ddbbe0d505315e215430f046e36ad4f66f7bb74e238f048b8f35689610cc669c2d38b95ef7dba2e4860b7e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit