549dbe51d672d510fcfc4bc41a0b7bc94052ecd2bd5da5b901af6fa830d9a270

Analysis

max time kernel
145s
max time network
144s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
29/02/2024, 00:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

template.html
Size

746B
MD5

4eb9e59c2bf44ed7b2912998c4532cfa
SHA1

1d81c09a98d815ef0656e1538f65a55795724769
SHA256

8e4784c70028c251d75d80b1155c189984a1d6830ddf919df11161c28f11e2a9
SHA512

8dda0caf34834bcd7b0ab244d5b895fd634700482c0928754433d44c79ac32882b347633ddc1c3b7796c440fc6a7a55ea9329538268ce05904b6cdc62f9f86ba

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1772	msedge.exe
1772	msedge.exe
736	msedge.exe
736	msedge.exe
1900	identity_helper.exe
1900	identity_helper.exe
3288	msedge.exe
3288	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 4456	736	msedge.exe	80
PID 736 wrote to memory of 4456	736	msedge.exe	80
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1184	736	msedge.exe	82
PID 736 wrote to memory of 1772	736	msedge.exe	81
PID 736 wrote to memory of 1772	736	msedge.exe	81
PID 736 wrote to memory of 2800	736	msedge.exe	83
PID 736 wrote to memory of 2800	736	msedge.exe	83
PID 736 wrote to memory of 2800	736	msedge.exe	83
PID 736 wrote to memory of 2800	736	msedge.exe	83
PID 736 wrote to memory of 2800	736	msedge.exe	83
PID 736 wrote to memory of 2800	736	msedge.exe	83
PID 736 wrote to memory of 2800	736	msedge.exe	83
PID 736 wrote to memory of 2800	736	msedge.exe	83
PID 736 wrote to memory of 2800	736	msedge.exe	83
PID 736 wrote to memory of 2800	736	msedge.exe	83
PID 736 wrote to memory of 2800	736	msedge.exe	83
PID 736 wrote to memory of 2800	736	msedge.exe	83
PID 736 wrote to memory of 2800	736	msedge.exe	83
PID 736 wrote to memory of 2800	736	msedge.exe	83
PID 736 wrote to memory of 2800	736	msedge.exe	83
PID 736 wrote to memory of 2800	736	msedge.exe	83
PID 736 wrote to memory of 2800	736	msedge.exe	83
PID 736 wrote to memory of 2800	736	msedge.exe	83
PID 736 wrote to memory of 2800	736	msedge.exe	83
PID 736 wrote to memory of 2800	736	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\template.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc93553cb8,0x7ffc93553cc8,0x7ffc93553cd8
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,10849936414876369423,2098091735782096484,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,10849936414876369423,2098091735782096484,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,10849936414876369423,2098091735782096484,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:8
  2⤵
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10849936414876369423,2098091735782096484,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:1340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10849936414876369423,2098091735782096484,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,10849936414876369423,2098091735782096484,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,10849936414876369423,2098091735782096484,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10849936414876369423,2098091735782096484,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10849936414876369423,2098091735782096484,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
  2⤵
  PID:668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10849936414876369423,2098091735782096484,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10849936414876369423,2098091735782096484,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,10849936414876369423,2098091735782096484,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4852 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c65e704fc47bc3d9d2c45a244bb74d76

SHA1
3e7917feebea866e0909e089e0b976b4a0947a6e

SHA256
2e5d6a5eeb72575f974d5fa3cdff7ad4d87a361399ffdd4b03f93cdbdec3a110

SHA512
36c3be0e5fbc23c5c0ad2e14cfb1cf7913bea9a5aeb83f9f6fcf5dbc52a94d8ccb370cef723b0cda82b5fba1941b6a9ff57f77ff0076a2c5cf4250711e3dd909

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5c3ea95e17becd26086dd59ba83b8e84

SHA1
7943b2a84dcf26240afc77459ffaaf269bfef29f

SHA256
a241c88bb86182b5998d9818e6e054d29b201b53f4f1a6b9b2ee8ba22dd238dc

SHA512
64c905e923298528783dc64450c96390dc5edbda51f553c04d88ee944b0c660b05392dc0c823d7fb47f604b04061390b285f982dfcc767c8168ccb00d7e94e21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
92f7196a423974e20c910d26a69a1c5a

SHA1
4061a860aa479743c595a390ee7bdfb908eeccd8

SHA256
c049618567d6db06c5325ca149cfd5e6e943d5e310157ae05e0a67ebf6792354

SHA512
137b79b3a35495264546dcb87cf1df3ae35e3018ec63518e12c940844f8c586725d9cb6a31176d0bcb8a5bf21b39c7314dc228ead8f9b33cea33a89b2fa43ea1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dbbf2488e5eb2b61e2bc504a5ba0bab5

SHA1
4970b571a04e12e052cc72369a3e1b54b8d6ecf9

SHA256
8fa69b287b8ab9fb31ed8e95212469866db283fb4bf0329056ca646a7bb5a8ae

SHA512
d0c980f25c446f6b94e1237eda017aeacd14d3dde09bf05ae9896fad2a27933a494e2f9210e3cc519737065a44a01a68798cd9d2da5bbfe9a96e19ea85a2a0af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\f6cc5e7d-69a8-41ed-b38a-45493ed5dc40.tmp

Filesize
11KB

MD5
e7eb9edb1618d06b05d0344caf5af94d

SHA1
49c84f45bb3f4535b9fd50840785b0ead6adea71

SHA256
63257891e0ae33cd55c511702ec18ce4c802af3ee417c2cb9cf4351834e14026

SHA512
2df1a380abcd76f5042f97cbe293d7b5dfa7a96eb031cb5ca30bf49ca52f2f4d530ce04e08e675f05e6830982dee1923b45947f7f70112f731c54ede7d428ec2

Download Submit