1edfa1ce44c4d69e19999c59e8f0c26e594999dd5bf73bafc0c2f9bdec38f403

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
25-02-2024 09:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a370f66af41662c6d90cc9c18a8c3aa2.html
Size

2KB
MD5

a370f66af41662c6d90cc9c18a8c3aa2
SHA1

e79fca8f748ec9cc490010f63870c65bcd122b23
SHA256

1edfa1ce44c4d69e19999c59e8f0c26e594999dd5bf73bafc0c2f9bdec38f403
SHA512

4ffea46221bd83ed8cc84bfe7bf5aa2572f6397996ab80ce55b5ef2b5654f5dc4b30020bf27046fd2fc282aef5f54affb3e62f56ed2e0b93a404cdd319eb17e7

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4916	msedge.exe
4916	msedge.exe
1780	msedge.exe
1780	msedge.exe
4892	identity_helper.exe
4892	identity_helper.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 4712	1780	msedge.exe	43
PID 1780 wrote to memory of 4712	1780	msedge.exe	43
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 1732	1780	msedge.exe	89
PID 1780 wrote to memory of 4916	1780	msedge.exe	93
PID 1780 wrote to memory of 4916	1780	msedge.exe	93
PID 1780 wrote to memory of 1980	1780	msedge.exe	90
PID 1780 wrote to memory of 1980	1780	msedge.exe	90
PID 1780 wrote to memory of 1980	1780	msedge.exe	90
PID 1780 wrote to memory of 1980	1780	msedge.exe	90
PID 1780 wrote to memory of 1980	1780	msedge.exe	90
PID 1780 wrote to memory of 1980	1780	msedge.exe	90
PID 1780 wrote to memory of 1980	1780	msedge.exe	90
PID 1780 wrote to memory of 1980	1780	msedge.exe	90
PID 1780 wrote to memory of 1980	1780	msedge.exe	90
PID 1780 wrote to memory of 1980	1780	msedge.exe	90
PID 1780 wrote to memory of 1980	1780	msedge.exe	90
PID 1780 wrote to memory of 1980	1780	msedge.exe	90
PID 1780 wrote to memory of 1980	1780	msedge.exe	90
PID 1780 wrote to memory of 1980	1780	msedge.exe	90
PID 1780 wrote to memory of 1980	1780	msedge.exe	90
PID 1780 wrote to memory of 1980	1780	msedge.exe	90
PID 1780 wrote to memory of 1980	1780	msedge.exe	90
PID 1780 wrote to memory of 1980	1780	msedge.exe	90
PID 1780 wrote to memory of 1980	1780	msedge.exe	90
PID 1780 wrote to memory of 1980	1780	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\a370f66af41662c6d90cc9c18a8c3aa2.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd794b46f8,0x7ffd794b4708,0x7ffd794b4718
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,2570217193705728446,4767792577112120552,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:1732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,2570217193705728446,4767792577112120552,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
  2⤵
  PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2570217193705728446,4767792577112120552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2570217193705728446,4767792577112120552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,2570217193705728446,4767792577112120552,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2570217193705728446,4767792577112120552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2570217193705728446,4767792577112120552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,2570217193705728446,4767792577112120552,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,2570217193705728446,4767792577112120552,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2570217193705728446,4767792577112120552,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
  2⤵
  PID:2812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2570217193705728446,4767792577112120552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4364 /prefetch:1
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2570217193705728446,4767792577112120552,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4388 /prefetch:1
  2⤵
  PID:1452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,2570217193705728446,4767792577112120552,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e189354a800c436e6cec7c07e6c0feea

SHA1
5c84fbda33c9276736ff3cb01d30ff34b032f781

SHA256
826adca1e688de79a3ec5b91c75990927fb2a33ae717f474608c68336053f427

SHA512
ceb069a5e83a634503e253846fa17b8bf7aaa539c3353ce61251633d69068e24c5eadd1b496f43058790d2b513e65d2c0b0213730813d0b58bb82a00596e05e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9e3e150cfe464e9ebf0a6db1aa5e7a2

SHA1
3cb184e2781c07ac000661bf82e3857a83601813

SHA256
2325a6292907263d1fb089a09f22fbcc6bad56f4961d427efdef1abaef097bcc

SHA512
f5eb1e76eb9441cf5000d8d4db9296077b61714ead5012779c084b37f4bba07614055738f5dce69b13b25975d9b7c03eab049b7685eee09b23fd8d4a7d71a039

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
657d5acc79b735b85184cf2f8d916bda

SHA1
82ebe8b8ee92cb22ccf714102aa51875b3c724e6

SHA256
82584e887725fba44f49960aa057a85e1342a39df9b42d0bac14e030fea8332c

SHA512
863f9b70b322362d726f7c1065ecd4c13c370ede028e3ee8a56bb952f56fb489a77e0fd597256ffa44c96528aab44cc49b7eced48ee403f151569251d42b07e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3d37d903fbc3195a6ec5ca92cbbc00f4

SHA1
bae795c237a75284149f1ca4cff5cd7298f0aac6

SHA256
0a7808e2ed94dc8b8813e406a12ed94827de7a7a266b397988bc6271e2b08aab

SHA512
7a66833a5df8b2b4d90040c3270a5326f62a5e4fe481bffaf8a9db9ac04be96906f75d2116912c755f3c5c5f1363a7ca619cfb2a282cfe8ebf8ca8f9c1216bfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bea05b85c0a9c4b539e0dc30448d72b1

SHA1
2aadd023378dbddc2d78377a49b08069f27dbd13

SHA256
f316f2e9e12949721e00fb80f1ecf59b07155392cb5655e8378676fde324ccc4

SHA512
52c1f738662cde21970f24b60181ecfc5cd18d7620dffc70ef4662e6853ffc80a0ac28f1c1a73d2726a932fd599f2a8e950bfe517cc532e5706735b7b36ea3d3

Download Submit