9c7639fecf13958a43bfb407e86cf0e1fe21d5b50ee1f8f1bbafce001f11796e

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
25/02/2024, 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3fb6c99abfa77e7280fd79a2ecbb849.html
Size

14KB
MD5

a3fb6c99abfa77e7280fd79a2ecbb849
SHA1

d480c455ba2dc3f83562b4cb3e5b2b6fc48b8554
SHA256

9c7639fecf13958a43bfb407e86cf0e1fe21d5b50ee1f8f1bbafce001f11796e
SHA512

babdd27a24c6a3c20fbc2bcb6c6eb6db6da8ff56b3d185ffdabd056422564679d9656e73d72a72e3969140e9b95cf265065ac73a2f3d1f156d6419c1bb7b16db
SSDEEP

192:+yEioELD/ZmXg8oWllefMJkZQ3wf1vHmlKt6DvE:aioWD/ZmXg8SZQ+mlXrE

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4532	msedge.exe
4532	msedge.exe
4608	msedge.exe
4608	msedge.exe
1244	identity_helper.exe
1244	identity_helper.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 4720	4608	msedge.exe	58
PID 4608 wrote to memory of 4720	4608	msedge.exe	58
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4448	4608	msedge.exe	89
PID 4608 wrote to memory of 4532	4608	msedge.exe	88
PID 4608 wrote to memory of 4532	4608	msedge.exe	88
PID 4608 wrote to memory of 1528	4608	msedge.exe	90
PID 4608 wrote to memory of 1528	4608	msedge.exe	90
PID 4608 wrote to memory of 1528	4608	msedge.exe	90
PID 4608 wrote to memory of 1528	4608	msedge.exe	90
PID 4608 wrote to memory of 1528	4608	msedge.exe	90
PID 4608 wrote to memory of 1528	4608	msedge.exe	90
PID 4608 wrote to memory of 1528	4608	msedge.exe	90
PID 4608 wrote to memory of 1528	4608	msedge.exe	90
PID 4608 wrote to memory of 1528	4608	msedge.exe	90
PID 4608 wrote to memory of 1528	4608	msedge.exe	90
PID 4608 wrote to memory of 1528	4608	msedge.exe	90
PID 4608 wrote to memory of 1528	4608	msedge.exe	90
PID 4608 wrote to memory of 1528	4608	msedge.exe	90
PID 4608 wrote to memory of 1528	4608	msedge.exe	90
PID 4608 wrote to memory of 1528	4608	msedge.exe	90
PID 4608 wrote to memory of 1528	4608	msedge.exe	90
PID 4608 wrote to memory of 1528	4608	msedge.exe	90
PID 4608 wrote to memory of 1528	4608	msedge.exe	90
PID 4608 wrote to memory of 1528	4608	msedge.exe	90
PID 4608 wrote to memory of 1528	4608	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\a3fb6c99abfa77e7280fd79a2ecbb849.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd2a3046f8,0x7ffd2a304708,0x7ffd2a304718
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,3378015650163998156,3071315580239598457,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,3378015650163998156,3071315580239598457,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,3378015650163998156,3071315580239598457,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
  2⤵
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3378015650163998156,3071315580239598457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3378015650163998156,3071315580239598457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,3378015650163998156,3071315580239598457,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  PID:2252
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,3378015650163998156,3071315580239598457,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3378015650163998156,3071315580239598457,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3378015650163998156,3071315580239598457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:1140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3378015650163998156,3071315580239598457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3378015650163998156,3071315580239598457,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,3378015650163998156,3071315580239598457,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1984 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3580

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
65a51c92c2d26dd2285bfd6ed6d4d196

SHA1
8b795f63db5306246cc7ae3441c7058a86e4d211

SHA256
bb69ea4c761c6299b0abbc78f3728f19b37454a0b4eb607680ed202f29b4bb01

SHA512
6156dd7cec9fee04971c9a4c2a5826ba1bb3ef8b6511f1cdf17968c8e5a18bc0135510c2bd05cc26f3e7ae71f6e50400cf7bec536b78d9fa37ede6547cfa17e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce1273b7d5888e76f37ce0c65671804c

SHA1
e11b606e9109b3ec15b42cf5ac1a6b9345973818

SHA256
eb1ba494db2fa795a4c59a63441bd4306bdb362998f555cadfe6abec5fd18b8c

SHA512
899d6735ff5e29a3a9ee7af471a9167967174e022b8b76745ce39d2235f1b59f3aa277cc52af446c16144cce1f6c24f86b039e2ca678a9adac224e4232e23086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
daab206bab44909fb2c7cc6230d2e6f5

SHA1
0852fbeb595e285628e146ecbf1ce444e4c431d4

SHA256
4d75c5be2b5296804533ea2c700fc5a12d5fc71dfc02c4579241061d0ebe2ece

SHA512
d30aa22feaa233205e9c5bd6cfaeca8169b81addaebc885105e00b1f199d406bc011fe657f8d1c833f0a538963d239c5717e293bfad9cfa44117e66bbf8cdff4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f593c02727d5cb46abe3c29c97c622f2

SHA1
c74a9614bf00680fb70a6e50e945ff6a44dc0a4f

SHA256
2869c589962cbea5c1aa42d45a2b13b2b7c890f3d2dd58bb86518beee545eecf

SHA512
7992622fcedaffb9612e1540fd7080a745d3c37e3df67a7c57216c177a3e18b0987823818e838050e493972dea2f17947f96b9947c0b2943ca500e08da8ebc91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
e74e2f31a77f2b4f28c1a81c17109ec0

SHA1
1c14d777b47d544d6fd38efcf3902ab854da01ad

SHA256
b08e1b953107e3ea40c6d19429111a16a96b76734544fdc315a1cc0dfbb06303

SHA512
4165c752d34f211b23dd7bdffc52372d5ce82bc8652bccb20e0d837cf66f6c5e3f2d749fa14e2f1fcb6d565224f775b63fc2cb4727e2b95f0ed545142bc22f26

Download Submit