fb3a17208650d2001d121330d29114404bb2a47092fe8e672bd716d44669adc8

Analysis

max time kernel
146s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 11:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a1b69c7a3bce1550dae2f869a9f70d1a.html
Size

3.5MB
MD5

a1b69c7a3bce1550dae2f869a9f70d1a
SHA1

e02ddc7a069e75315891bcb711385a53bc9b84ac
SHA256

fb3a17208650d2001d121330d29114404bb2a47092fe8e672bd716d44669adc8
SHA512

d652ed0914b60df38039daf46faec83e2119adebb714cc7a7b1834b9d843e54e005fdff222102aebf08c49682b7949c879d75677e4c8039dc013ea3dad05e505
SSDEEP

12288:jLZhBVKHfVfitmg11tmg1P16bf7axluxOT6Nya:jvpjte4tT6sa

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4256	msedge.exe
4256	msedge.exe
4764	msedge.exe
4764	msedge.exe
4984	identity_helper.exe
4984	identity_helper.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 3340	4764	msedge.exe	19
PID 4764 wrote to memory of 3340	4764	msedge.exe	19
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 1716	4764	msedge.exe	49
PID 4764 wrote to memory of 4256	4764	msedge.exe	47
PID 4764 wrote to memory of 4256	4764	msedge.exe	47
PID 4764 wrote to memory of 528	4764	msedge.exe	48
PID 4764 wrote to memory of 528	4764	msedge.exe	48
PID 4764 wrote to memory of 528	4764	msedge.exe	48
PID 4764 wrote to memory of 528	4764	msedge.exe	48
PID 4764 wrote to memory of 528	4764	msedge.exe	48
PID 4764 wrote to memory of 528	4764	msedge.exe	48
PID 4764 wrote to memory of 528	4764	msedge.exe	48
PID 4764 wrote to memory of 528	4764	msedge.exe	48
PID 4764 wrote to memory of 528	4764	msedge.exe	48
PID 4764 wrote to memory of 528	4764	msedge.exe	48
PID 4764 wrote to memory of 528	4764	msedge.exe	48
PID 4764 wrote to memory of 528	4764	msedge.exe	48
PID 4764 wrote to memory of 528	4764	msedge.exe	48
PID 4764 wrote to memory of 528	4764	msedge.exe	48
PID 4764 wrote to memory of 528	4764	msedge.exe	48
PID 4764 wrote to memory of 528	4764	msedge.exe	48
PID 4764 wrote to memory of 528	4764	msedge.exe	48
PID 4764 wrote to memory of 528	4764	msedge.exe	48
PID 4764 wrote to memory of 528	4764	msedge.exe	48
PID 4764 wrote to memory of 528	4764	msedge.exe	48

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\a1b69c7a3bce1550dae2f869a9f70d1a.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbe76a46f8,0x7ffbe76a4708,0x7ffbe76a4718
  2⤵
  PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,17898629142566829766,6025204584173805734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2440 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,17898629142566829766,6025204584173805734,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
  2⤵
  PID:528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,17898629142566829766,6025204584173805734,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17898629142566829766,6025204584173805734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:3320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17898629142566829766,6025204584173805734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:968
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,17898629142566829766,6025204584173805734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,17898629142566829766,6025204584173805734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17898629142566829766,6025204584173805734,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17898629142566829766,6025204584173805734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17898629142566829766,6025204584173805734,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4264 /prefetch:1
  2⤵
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17898629142566829766,6025204584173805734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:1828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,17898629142566829766,6025204584173805734,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5024 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
91746379e314b064719e43e3422d0388

SHA1
65f1a2b5a93922d589142a6edf99b5b35d986dba

SHA256
0b3cf8ae20afd84c9bf06546e876c84922cb5800526df72a628479f4d5487df7

SHA512
a783d8d9613cf92020fc36fd27d384dbd4e105a1ebd02c4507bf7263e61ff5b377e6d1734b066700782fa64bcbeb11af31ac3972d404625cbdb587cfa3bc0808

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ccf8b7b618672b2da2775b890d06c7af

SHA1
83717bc0ff28b8775a1360ef02882be22e4a5263

SHA256
ef08e2971a9ba903c9b91412275b39aabfd6d4aa5c46ade37d74ff86f0285420

SHA512
eb550889db8c4c0e7d79b2bd85c7d0e61b696df10ce3d76c48ab21b935c7ecc7b12403a00d6570e7d8e4121f72747242c2358f8f0823f804e704bd44ed603b97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
981B

MD5
67159d855ea183e1f6ba6b6625909fd9

SHA1
b04bd3d6247fdcc58e52b0ae1b809d263b8e3722

SHA256
e5162bb238ff224db308b069b93fa119d32217c77e27e769e4f0afa922cf3bc6

SHA512
12477ae5428e4d6719e3f57f92106fe0e33b630f435e4141648de339b7da557f9db9bf9441a027b343465f7c9785b09d9079f4b7eb32250509a0e67cfdc20c60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3ee29984cd6124a3b647b2a6d4f7d56f

SHA1
82baa1fd063529eae7f6a5c8ca5bcae8107ad912

SHA256
92597b93dc842e3ea0cc0a5b35b1a1e1af83b755356151f78b0d464b78a9be75

SHA512
8931ffa413195dcd11fc8cc72522f742aee73d739059578595b426c758a6bc6ac76f440d93a606999be7ec8cb6e9f9c1d38ab9f77644c108f2d8a19e8e89ee93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
561909e6c739cdf3113ce117c77d9a4d

SHA1
7d54270476afca92c5a74a5060a943cf05c0c98e

SHA256
b0a97dbab88e4f954da2b100b43ff26ff6f8e4e54fdc8f4aabe686d7e571699e

SHA512
d1834d70572ffb401429c1c0a6e399d0b799007b5095a0a3e053e484963db0eba61e50fe647b171bae13ec233752629c9b51a305eb6b4df82fa5712ae6a32fe2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1ad72958fb197bdacb79417d8e606349

SHA1
27b0c193e1235c3d2101d687930bea43fef23680

SHA256
448ce8122dc0591cd81ed047183c0a0a46da8c33b39efcf585da864470ae4724

SHA512
f5ad5d9577b39927eb80cc6543d24f1e52f02cd45d8bcdce74fe6da6b3cd31990b39dda177f4451b9f6fe9a9d4e5f2c65647ef7fb6fde6eebf6a2442075111cf

Download Submit