cbbb0cdb55566edab49a31fe750a304ad3eaa4d0b54a608824c8beb8fd8068ba

Analysis

max time kernel
145s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27/02/2024, 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9f7acfe0cc47170667fc301d60d9e74.html
Size

62KB
MD5

a9f7acfe0cc47170667fc301d60d9e74
SHA1

56c64c4985bc295fd1cdb7e7326d1e03fd8e92d9
SHA256

cbbb0cdb55566edab49a31fe750a304ad3eaa4d0b54a608824c8beb8fd8068ba
SHA512

32ff03c2450591dc97086db5055f3d486afbe7ff48ccb2eb3eca647334a03c1fe9b828f69381df995f7b6192d77164e71a0bfd3d7c272376e12e0684761397fc
SSDEEP

1536:kWkAKvhVBQuSZo91bJSIFodfh+yXxZFHVZt45F:kRAcSoLodfh+yXxZFHVZt45F

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3416	msedge.exe
3416	msedge.exe
628	msedge.exe
628	msedge.exe
1844	identity_helper.exe
1844	identity_helper.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 3864	628	msedge.exe	61
PID 628 wrote to memory of 3864	628	msedge.exe	61
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3932	628	msedge.exe	89
PID 628 wrote to memory of 3416	628	msedge.exe	88
PID 628 wrote to memory of 3416	628	msedge.exe	88
PID 628 wrote to memory of 4288	628	msedge.exe	90
PID 628 wrote to memory of 4288	628	msedge.exe	90
PID 628 wrote to memory of 4288	628	msedge.exe	90
PID 628 wrote to memory of 4288	628	msedge.exe	90
PID 628 wrote to memory of 4288	628	msedge.exe	90
PID 628 wrote to memory of 4288	628	msedge.exe	90
PID 628 wrote to memory of 4288	628	msedge.exe	90
PID 628 wrote to memory of 4288	628	msedge.exe	90
PID 628 wrote to memory of 4288	628	msedge.exe	90
PID 628 wrote to memory of 4288	628	msedge.exe	90
PID 628 wrote to memory of 4288	628	msedge.exe	90
PID 628 wrote to memory of 4288	628	msedge.exe	90
PID 628 wrote to memory of 4288	628	msedge.exe	90
PID 628 wrote to memory of 4288	628	msedge.exe	90
PID 628 wrote to memory of 4288	628	msedge.exe	90
PID 628 wrote to memory of 4288	628	msedge.exe	90
PID 628 wrote to memory of 4288	628	msedge.exe	90
PID 628 wrote to memory of 4288	628	msedge.exe	90
PID 628 wrote to memory of 4288	628	msedge.exe	90
PID 628 wrote to memory of 4288	628	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\a9f7acfe0cc47170667fc301d60d9e74.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe1d1046f8,0x7ffe1d104708,0x7ffe1d104718
  2⤵
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,6152659537374069128,6920014037729021350,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,6152659537374069128,6920014037729021350,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,6152659537374069128,6920014037729021350,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
  2⤵
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6152659537374069128,6920014037729021350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6152659537374069128,6920014037729021350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,6152659537374069128,6920014037729021350,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,6152659537374069128,6920014037729021350,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6152659537374069128,6920014037729021350,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6152659537374069128,6920014037729021350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6152659537374069128,6920014037729021350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6152659537374069128,6920014037729021350,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,6152659537374069128,6920014037729021350,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4792 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4308

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9ffb5f81e8eccd0963c46cbfea1abc20

SHA1
a02a610afd3543de215565bc488a4343bb5c1a59

SHA256
3a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc

SHA512
2d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1b45169ebca0dceadb0f45697799d62

SHA1
803604277318898e6f5c6fb92270ca83b5609cd5

SHA256
4c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60

SHA512
357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
504c509e7ccec111dcb2a0736c9a5ba8

SHA1
6af2353a0d05f0c7ba50f0f93d90c241cf89c146

SHA256
27129ac0d6cfe983d48b122664cc88738ca59225d8d352486d680d926e92614a

SHA512
3ee36476c101cc14f23089435038575fd2a86100d2b88afb061728e84d9faa428eef8a81a71c86992096f4b7bd3c0aabf5d0867766351eb1466306459d1d0eb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
472B

MD5
a97e11504b1d3df3e6f9839b77d079d8

SHA1
cfdc74e43c8717c23e5fa8ea04f9e1a99b672025

SHA256
b5ecebd66ea75366b1a5cb245071db3f2e66861f5f401bbec7f93f6a47bc97bd

SHA512
daa1193d255878577ebee1bc44546ce88241bcdd285576c03c493006ff4c4d07f29e8a6c79dbd56423dce7cf21d7b9ae368aad697793558d8049011be80ed2c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b7570ba16a536e4c585094627f46b45e

SHA1
0237fe5e0da99c498772e8be4767c028d86e4ce1

SHA256
f45708fc5bcde3a763d22ea2c7e0611a1763525c5de3f096037fe33d39c5e395

SHA512
6bebeccb03d329cf618047e92539fea4a15a0411ffd5b7eed265e3440ae9e42520ebf5a013c9767acefc69fb22b79d61cd3164f1d4cebe0782d5970a9415995c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
81f9b475385a415317b2a3efc1a36617

SHA1
306c7f33d5f5199b3da4cd82e1cf58988a2277e9

SHA256
7d4bef69eb9b5b0dc901a99bbc2f648ff7eebe3faec155a0b31ee70d4817870d

SHA512
29fb4577cad057ba25d6d7f498b463cc0157aa56eedd443b219fec6e59f03f34fcfcba94f5a04099a85cd56e1a9f0ee2388afbd5eec16fd992dd6a3b6a52c386

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dff8ead7e075727e9df939ede1bf6de7

SHA1
71e3ce1d87cf80fe7d5749e5d1762ab5494317cb

SHA256
79ef0876a9cc2a4efd9b4429a5c3a45add8e0e2669213f320eae56f1799038aa

SHA512
dbe17be43c2e76c0b5d86edfec5f5cc135833f5f536f63b9eb87c1109a0b30c4878dc2249f87d137a95edc8e2626e68294d7c142f2749271a1c08d86acfabe51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0319aaade874c99434220063594f07eb

SHA1
ad5d29ef2583ca0c391b136bc80bf77888b94489

SHA256
791fdac3afd463c497621fe8c0746b328dbe48f887260a150607573d1f57dea5

SHA512
7dd511ae1b85e4b7072ede33b14ae66f3c18a9e1e842272087784bb0dddbc6246236c9613496ca09fa5d87d337d9aef94df056246b19c9316a80a68df4255bca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
908e6eb9acefeb03e5c2a510515ffd5e

SHA1
633df8178f29d0b15c614435e959d2ba0873258a

SHA256
64ebb6a54964c1a402617fbb7d7d5820e8094e501df85ec291b22b54cb11402e

SHA512
bb563ec6580aa453e463a88952efe1f5cc77451f78de8ac91357202fff4a32912605bf6e7125f476ed8b55e85bd728fc7bab334a6ccb68b708fc582653d51947

Download Submit