efbfce0bffd520f1cf2ec914b8b8d10c46833270351a4a327c20790d6e5d444d

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a142d72f87b3d2870a98af197b881314.html
Size

338KB
MD5

a142d72f87b3d2870a98af197b881314
SHA1

8e0eec960799983c54788d997b78b032a579aaa7
SHA256

efbfce0bffd520f1cf2ec914b8b8d10c46833270351a4a327c20790d6e5d444d
SHA512

4401b2caba358ac6b5bcabf3d0751ca3f5be3c72fa67ecdd835e532fc5a93a3e446cd70018c9ef8839a372878562064f3fe643f8ca76d287b879aa4622d23b18
SSDEEP

3072:Nv7ULFbKEFmJoC5vT/cHDI6jKnjH/auGOnyfhmrPYo2v6OXyx:fofY

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1656	msedge.exe
1656	msedge.exe
3088	msedge.exe
3088	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3088 wrote to memory of 3900	3088	msedge.exe	90
PID 3088 wrote to memory of 3900	3088	msedge.exe	90
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 4604	3088	msedge.exe	92
PID 3088 wrote to memory of 1656	3088	msedge.exe	91
PID 3088 wrote to memory of 1656	3088	msedge.exe	91
PID 3088 wrote to memory of 2124	3088	msedge.exe	93
PID 3088 wrote to memory of 2124	3088	msedge.exe	93
PID 3088 wrote to memory of 2124	3088	msedge.exe	93
PID 3088 wrote to memory of 2124	3088	msedge.exe	93
PID 3088 wrote to memory of 2124	3088	msedge.exe	93
PID 3088 wrote to memory of 2124	3088	msedge.exe	93
PID 3088 wrote to memory of 2124	3088	msedge.exe	93
PID 3088 wrote to memory of 2124	3088	msedge.exe	93
PID 3088 wrote to memory of 2124	3088	msedge.exe	93
PID 3088 wrote to memory of 2124	3088	msedge.exe	93
PID 3088 wrote to memory of 2124	3088	msedge.exe	93
PID 3088 wrote to memory of 2124	3088	msedge.exe	93
PID 3088 wrote to memory of 2124	3088	msedge.exe	93
PID 3088 wrote to memory of 2124	3088	msedge.exe	93
PID 3088 wrote to memory of 2124	3088	msedge.exe	93
PID 3088 wrote to memory of 2124	3088	msedge.exe	93
PID 3088 wrote to memory of 2124	3088	msedge.exe	93
PID 3088 wrote to memory of 2124	3088	msedge.exe	93
PID 3088 wrote to memory of 2124	3088	msedge.exe	93
PID 3088 wrote to memory of 2124	3088	msedge.exe	93

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\a142d72f87b3d2870a98af197b881314.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a44846f8,0x7ff9a4484708,0x7ff9a4484718
  2⤵
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,14643504031458720744,15159118964766270805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,14643504031458720744,15159118964766270805,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,14643504031458720744,15159118964766270805,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
  2⤵
  PID:2124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,14643504031458720744,15159118964766270805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,14643504031458720744,15159118964766270805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,14643504031458720744,15159118964766270805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,14643504031458720744,15159118964766270805,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2032 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d62cefeb0c8fbab806b3b96c7b215c16

SHA1
dc36684019f7ac8a632f5401cc3bedd482526ed7

SHA256
752b0793cf152e9ea51b8a2dc1d7e622c1c1009677d8f29e8b88d3aa9427dd01

SHA512
9fc3968fec094be5ca10a0d927cb829f7f8157425946ebd99a346b7e63c977cb3f37560af1a4bc8f87ab19b43b3ed86fd5b37f89d1a9b2dc86e3c73142c3065b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7ee1c6757da82ca0a9ae699227f619bc

SHA1
72dcf8262c6400dcbb5228afcb36795ae1b8001f

SHA256
62320bde5e037d4ac1aa0f5ff0314b661f13bb56c02432814bffb0bd6e34ed31

SHA512
dca56a99b7463eddf0af3656a4f7d0177a43116f401a6de9f56e5c40a49676cea5c38b6c458f426c6bff11165eec21104cfa9ca3e38af39d43188b36d3f22a0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
76c3ec7df81e758e84714f3d4ed7b22e

SHA1
22d0a134388b88ddb2fad62215ebae7a972b4de9

SHA256
a8cf32d60d637eba69fe399de37750ea3f3b5b77c8501da17f2f5e12f63e57b1

SHA512
ec37a4a177e0f62ec51fa43e47a1286f96f5221b82570410423ba8db72ce18d1522ddef2054c54ff46d21aebd5f2238a0f10c6d7033651c494ee47070c202799

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
855B

MD5
a2f7e7b8403dbb9caaa46b16a7f2d061

SHA1
b3da5c6ac49fe24798169b5cb0b3952b442063bb

SHA256
d754401c49aeda184763e298930794028ff3725052103e4315a5b6204c5eab42

SHA512
f576097ae57355dde7bb8ae6b3014f658c74de3da2bb021f395b4a85c598f1dbde9ebc4c096ccac389cda2859a6d1face24ce2d2f47e0ea8b55cf0434807d2e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8197208b2f5560c4323b6a378aa57684

SHA1
a5d32583ce202d5f3b6ee8d275863646141017f9

SHA256
5b50b35c2a27a38934b506b0191921d0c67295a3cf0269b06010e138b0e7e861

SHA512
a4f03d1b94c0f3b0d7f99904dd8acb3a952c158e80249ade47d49ff6bea65191e43209b42abac24b81706e6cebfd572a2c425d9c5d29ff9b163ce64447552505

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
20a04b298b1153288919910e02506676

SHA1
8d76067b1f0b27a6778d2f3278daaab26b5f35fa

SHA256
30a64eef13ce4217c53458f4d89b0e750b569a46c31a6a758fd06e54bc140740

SHA512
7d9e2e22fe497d27214a47da98962abeb08cb691c9203923842abb517ba6b330ae783789730cd7daede1c16f728b1edb49939e63f06199a58a8c3e0a017dcfbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a2c919865b910048dc37d61c898fcc39

SHA1
cca0711b4f5be3176d15b10961d85131c2bd90f4

SHA256
ea96413c9c7bcbaae3b79ffbc36514b510adba704a6441e5159ce8756e381051

SHA512
020e7d3339288d1974eb75b9d0a438b4528fb67ea3aebe9246602bf80710af354e608f852eba60f7f06de77e5d9bb21766f42ea8b21abc71f19b7433d4c47209

Download Submit