80b7e9fd52111d86131da2a693655b8549b2493a2e3cb08d79c8b103ab41a7da

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6cb6c79f46eee901e4e0614a50dafe5.html
Size

83KB
MD5

b6cb6c79f46eee901e4e0614a50dafe5
SHA1

82e0203e54810df2ad6e62e9d9632ed752f2f3c6
SHA256

80b7e9fd52111d86131da2a693655b8549b2493a2e3cb08d79c8b103ab41a7da
SHA512

849bf491993bcdb05d40183014afa3fec1ed93e11c0b972a32bef5f9129314d0077ac7bfcd622331ecff1354fad3bf254c31dd468f3d34f86a4c7fb887ef1642
SSDEEP

1536:q+ts9gSwaQT0NcNtxNSNeNBNYNoNJNbNa9xQ:q+K9gSwT0NcNtxNSNeNBNYNoNJNbNag

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3008	msedge.exe
3008	msedge.exe
636	msedge.exe
636	msedge.exe
2424	identity_helper.exe
2424	identity_helper.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 5076	636	msedge.exe	87
PID 636 wrote to memory of 5076	636	msedge.exe	87
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 5012	636	msedge.exe	88
PID 636 wrote to memory of 3008	636	msedge.exe	89
PID 636 wrote to memory of 3008	636	msedge.exe	89
PID 636 wrote to memory of 3512	636	msedge.exe	90
PID 636 wrote to memory of 3512	636	msedge.exe	90
PID 636 wrote to memory of 3512	636	msedge.exe	90
PID 636 wrote to memory of 3512	636	msedge.exe	90
PID 636 wrote to memory of 3512	636	msedge.exe	90
PID 636 wrote to memory of 3512	636	msedge.exe	90
PID 636 wrote to memory of 3512	636	msedge.exe	90
PID 636 wrote to memory of 3512	636	msedge.exe	90
PID 636 wrote to memory of 3512	636	msedge.exe	90
PID 636 wrote to memory of 3512	636	msedge.exe	90
PID 636 wrote to memory of 3512	636	msedge.exe	90
PID 636 wrote to memory of 3512	636	msedge.exe	90
PID 636 wrote to memory of 3512	636	msedge.exe	90
PID 636 wrote to memory of 3512	636	msedge.exe	90
PID 636 wrote to memory of 3512	636	msedge.exe	90
PID 636 wrote to memory of 3512	636	msedge.exe	90
PID 636 wrote to memory of 3512	636	msedge.exe	90
PID 636 wrote to memory of 3512	636	msedge.exe	90
PID 636 wrote to memory of 3512	636	msedge.exe	90
PID 636 wrote to memory of 3512	636	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\b6cb6c79f46eee901e4e0614a50dafe5.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa454146f8,0x7ffa45414708,0x7ffa45414718
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,1706082263234953330,16332997732131102133,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,1706082263234953330,16332997732131102133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,1706082263234953330,16332997732131102133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2572 /prefetch:8
  2⤵
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1706082263234953330,16332997732131102133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1706082263234953330,16332997732131102133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1706082263234953330,16332997732131102133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,1706082263234953330,16332997732131102133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 /prefetch:8
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,1706082263234953330,16332997732131102133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1706082263234953330,16332997732131102133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1706082263234953330,16332997732131102133,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1706082263234953330,16332997732131102133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1706082263234953330,16332997732131102133,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,1706082263234953330,16332997732131102133,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5696 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e494d16e4b331d7fc483b3ae3b2e0973

SHA1
d13ca61b6404902b716f7b02f0070dec7f36edbf

SHA256
a43f82254638f7e05d1fea29e83545642f163a7a852f567fb2e94f0634347165

SHA512
016b0ed886b33d010c84ca080d74fa343da110db696655c94b71a4cb8eb8284748dd83e06d0891a6e1e859832b0f1d07748b11d4d1a4576bbe1bee359e218737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0764f5481d3c05f5d391a36463484b49

SHA1
2c96194f04e768ac9d7134bc242808e4d8aeb149

SHA256
cc773d1928f4a87e10944d153c23a7b20222b6795c9a0a09b81a94c1bd026ac3

SHA512
a39e4cb7064fdd7393ffe7bb3a5e672b1bdc14d878cac1c5c9ceb97787454c5a4e7f9ae0020c6d524920caf7eadc9d49e10bee8799d73ee4e8febe7e51e22224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
741B

MD5
c77c094148be79692ae71b9a74cdffb4

SHA1
50822e3da0632da03a0010aaa469ae13cdf4760f

SHA256
cc4e605bc5fb892bf788f4d522e91767660e6f3b50d8445bd1551370d15ae015

SHA512
c8630e0c792eaa1af0367b1bfa765434706fba3d6f4bde6461922c2d9da603f625224655c3d627a4b6ed2de07c993491f76a7c517b530a438f76c1c4a3a0d95d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7da37bb1f0c37130b7023340a90285d1

SHA1
f3a723e90a48901eda4ce4dd2e2420eaaf25b161

SHA256
40880a424934f739eb458a70396997db028bc791691a7238c78f73a6df4ca915

SHA512
5b836080d10b02048dd73832f06468d0a5a248662945305284e575d28a33ca8d076cae2b3199e917d2519c2e02505e23469ad4a52eed0bd86ffdc7a11592bcf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3aafd76859d68321784f65a3830c512d

SHA1
47c2df1645c4a0344c6b0b13b1c9369e7921cbc0

SHA256
45a3792e33442085a91365cdea459ef663692fdc8deb2e93347524f638a6edff

SHA512
846ca160aa2588fc514855af7955c39ea75c934f141cacc58c38639e20fd7bf9d3369a16c7f6a9e11ba9298d61073c104d98873526be59fde9e947ff6a077e79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4bbbdee5f73bf12352e6deb440ae572d

SHA1
dd498b8a3c825f3027072b1f3aaea5cbca836567

SHA256
a0024c9dbc1707dabf5695776dbc5aded0c74e46853cca200132e98cb029bf74

SHA512
6b7be8f2a0f05d831cc26169e4f7e26661b503ffd9342a2ed66a26dbc4ebff57dfb6df6a39fa35ccd180faccc9fff665bf09841b32b9f437291af96330827346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
0dd32b7dfcfaa67bd36ea515a0feb383

SHA1
368748bd4265cc8803c7dfe14d8a24e4c9157144

SHA256
b942f4d85b6e929b6fb510596dd2a7bb25316ac680221de643ad549eb3d84c20

SHA512
59c554f0dd39f695ad624a8c89bb19bf87d93fb9ee086dca99ddfa94a36047026063e5f8bc71aabba3b268c725d9fd05fbdad6420e5198e8aa7847a8ae4dab08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57bce7.TMP

Filesize
371B

MD5
8c52fdfd3cba37eb6235112630149233

SHA1
3e74ab868b29aaf4abfa160813d5dc3a2a939f2c

SHA256
4c230c980dbc6198353ef48d071995b794007b3eeaa3de337ab661b36663f9c5

SHA512
d232c6cb1392a431d0d0afbe2549c9be2e84ce5fcf7b23e501c8fe96d8df34b4915e2a9013fb64021a6462ec3a630255c0c3ff392aec8ab054f240857940172f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bd6576e39ee9493193966940429f1ee4

SHA1
39e1b36a93caa3d297bfb66b4ef543dbf6f5de81

SHA256
83ac5bf7023de8055c22500d3954945fabf0f069f1620f400adf3a54a5721919

SHA512
986458432bd086f48d419b8668b3f5f983f56647d2ca474a0e7859825653f40ec2e9199b926e7443da93cc73d906589aec8a33381260e585942c6d16749aa3de

Download Submit