97bd10295008d4cd6d4a2d913b58dff500f9f01f35038152b92a7197136aa1b6

Analysis

max time kernel
150s
max time network
157s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
22-02-2024 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

login.html
Size

68KB
MD5

4af63d480cb734bfb7daa9e039b86aad
SHA1

a04c2a3cc1b146486c43b5e7627f177c7fe93e5f
SHA256

97bd10295008d4cd6d4a2d913b58dff500f9f01f35038152b92a7197136aa1b6
SHA512

accd380d953985ea55c40d75a51571bc710a416e87ea49da786da976dbe7bed10c838b51db202ed43641f8b69eef471e1a047e48d17a8b1b23ffadc80288cb95
SSDEEP

1536:c6BkdFyWDL8vMdBH+JmR3I8cd785eNgGsFX3qh1LRzQq5Y8UHmB:c6edFyWDIvMdBH+JU3I9d78sNg7XShRV

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1112	msedge.exe
1112	msedge.exe
5040	msedge.exe
5040	msedge.exe
1932	msedge.exe
1932	msedge.exe
4320	identity_helper.exe
4320	identity_helper.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 248	5040	msedge.exe	36
PID 5040 wrote to memory of 248	5040	msedge.exe	36
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 4544	5040	msedge.exe	82
PID 5040 wrote to memory of 1112	5040	msedge.exe	81
PID 5040 wrote to memory of 1112	5040	msedge.exe	81
PID 5040 wrote to memory of 1644	5040	msedge.exe	83
PID 5040 wrote to memory of 1644	5040	msedge.exe	83
PID 5040 wrote to memory of 1644	5040	msedge.exe	83
PID 5040 wrote to memory of 1644	5040	msedge.exe	83
PID 5040 wrote to memory of 1644	5040	msedge.exe	83
PID 5040 wrote to memory of 1644	5040	msedge.exe	83
PID 5040 wrote to memory of 1644	5040	msedge.exe	83
PID 5040 wrote to memory of 1644	5040	msedge.exe	83
PID 5040 wrote to memory of 1644	5040	msedge.exe	83
PID 5040 wrote to memory of 1644	5040	msedge.exe	83
PID 5040 wrote to memory of 1644	5040	msedge.exe	83
PID 5040 wrote to memory of 1644	5040	msedge.exe	83
PID 5040 wrote to memory of 1644	5040	msedge.exe	83
PID 5040 wrote to memory of 1644	5040	msedge.exe	83
PID 5040 wrote to memory of 1644	5040	msedge.exe	83
PID 5040 wrote to memory of 1644	5040	msedge.exe	83
PID 5040 wrote to memory of 1644	5040	msedge.exe	83
PID 5040 wrote to memory of 1644	5040	msedge.exe	83
PID 5040 wrote to memory of 1644	5040	msedge.exe	83
PID 5040 wrote to memory of 1644	5040	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\login.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff941e23cb8,0x7ff941e23cc8,0x7ff941e23cd8
  2⤵
  PID:248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,14418284671359738112,3961840992184475620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,14418284671359738112,3961840992184475620,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,14418284671359738112,3961840992184475620,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14418284671359738112,3961840992184475620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14418284671359738112,3961840992184475620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,14418284671359738112,3961840992184475620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3012 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,14418284671359738112,3961840992184475620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14418284671359738112,3961840992184475620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14418284671359738112,3961840992184475620,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:2468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14418284671359738112,3961840992184475620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14418284671359738112,3961840992184475620,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,14418284671359738112,3961840992184475620,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1308 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1608

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
12b71c4e45a845b5f29a54abb695e302

SHA1
8699ca2c717839c385f13fb26d111e57a9e61d6f

SHA256
c353020621fa6cea80eaa45215934d5f44f181ffa1a673cdb7880f20a4e898e0

SHA512
09f0d1a739102816c5a29106343d3b5bb54a31d67ddbfcfa21306b1a6d87eaa35a9a2f0358e56cc0f78be15eeb481a7cc2038ce54d552b9b791e7bee78145241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce319bd3ed3c89069337a6292042bbe0

SHA1
7e058bce90e1940293044abffe993adf67d8d888

SHA256
34070e3eea41c0e180cb5541de76cea15ef6f9e5c641e922d82a2d97bdce3aa3

SHA512
d42f7fc32a337ecd3a24bcbf6cd6155852646cae5fb499003356f713b791881fc2e46825c4ff61d09db2289f25c0992c10d6fadb560a9bea33284bd5acc449f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
f2eb73871a619f352f5a42b9bba33b02

SHA1
cd549b620acea3c84878b519b017b9af48b31a42

SHA256
2a5809ab631df333daae0d4cffc2121efba63927bee4192d596bb27eca500559

SHA512
0113459976a80cffe4e82b67ecbbb6d609578780c924a5152dab5e66f3c2e2d9286f8bea0c1eb3cbccd1281f268761d90e9dc6dfa07ae55525408aa6090e09be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f8a8bcbfb6732feeb9c5d23d63d616d2

SHA1
5cb58cd44745a0050c5933e7e9f274cce926d9c7

SHA256
26c59269bc9cc99ef1be3856f746e7c0821ad9f0c94521ff1efa714cf58f74e3

SHA512
4e0dd1dfc0c42a9fea31432732443a1554d0cee8ed70b524916cf839356fe6ab82c6b47bbe9096ded08f8d9ad5adc35b47f630fe901ec18bfd61ac485da18c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
aa9e5fda51e23dd36a4f8e49fcd335ca

SHA1
1ebf4305e1baf02194742fe9e3cb79df64f1ee04

SHA256
afc0ae5d0a24cafa7eb6707321464cfd5f9eac7328ae370b3b6b2d5cd457407b

SHA512
fa703147d36aa270c921e43ed4145e8a8f86275ded530e4b6e8e6c04621523fcbdcafc58b7e1ab25b66822f302fb966018cb6692abc84fa44a9a4039eebcaca1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
00120bfc5559f9454cc6cf40ca71bc27

SHA1
543a022c58950271b3095e651ce8caf5afb760d2

SHA256
d8b207d48a039e1d3b6b96b789d7ff64b5f24e88d789f7d3b1f2bd4be5e166f6

SHA512
1f596bbc2f53b5558e011a177d421256eb4db3a0210457ef814e5e7b9c9d35b5509f0b6e22077e01f4bcc59e680a673ea24d652db50577a999560a0671865f0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
537B

MD5
402759cc446c728a1dfc59d2cfc0040e

SHA1
2f69489652bede4c945459953c5378e6c84000ce

SHA256
6e4363f04f36d2f193f2141dcaf470d674eb19e07b37abcfde0f57c609466880

SHA512
9985ccc1061e4d002fdc5547412ab614114118afbdd108e43a5e1b07ae8c98330deaa0e50620ddddfe3cbcdc6ac99cc32f716c748544987a49ee940deae288e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58652d.TMP

Filesize
537B

MD5
c307e6d7be9a9faaf7f98d9ec4e58b7a

SHA1
bc68ffe1b35b4e910a3846e1656b42ab9870b572

SHA256
c8d36befac9d7cc35df0364acf68d54d4fa1f6e0015918ed334beec5c7909716

SHA512
3249944ad22f2cc9b96572aff71bf4cc0cb4c33612442ae577a1fcd92c2c32826c2e60da43991aa74e7d6109e37df9ea0ad5243dd7609045270368f5c070c77f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b8b03ef8fa892a2a73e8e24185be3ef3

SHA1
db40cbe9fb9e76588393d322352a065aeed09cf1

SHA256
0f5ad4635bfe7e5ff74335005d4fc73dd4428ae474a6d2da83010274476caaba

SHA512
f0790ff2615efa34786b3251feab66bd88d4449c6c1ac75e8fb5909b73f9c8ee05448694e7e866569fa57f8d2d2f75ecd84b154e92ac9aa44cc21f38dd51e6ee

Download Submit