ca0cc8d7c57c2d53473ea92034dd2e967aeea3692e585248b856f4a1774e3798

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07-03-2024 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b95a68c2fecbad390ebe15a062900d2b.html
Size

5KB
MD5

b95a68c2fecbad390ebe15a062900d2b
SHA1

8ec74a4e8feccd8ba1a9d742f255cba5dfcd66d7
SHA256

ca0cc8d7c57c2d53473ea92034dd2e967aeea3692e585248b856f4a1774e3798
SHA512

802e026c8c208bc57994cdcca20d43d4f7cb4edede8c6a903af92a4ca05d51e54ebbbbbb1642b29d50a65e0a08a290238267f351d9f921e0aee9018842764836
SSDEEP

96:VON29ZBfpOs9ihbpvpHRsu0T22JzGxFvtCDSUlrkytVND4VGHe:VO4DppiJp2ShtCOsrpVsg+

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3992	msedge.exe
3992	msedge.exe
1576	msedge.exe
1576	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1576	msedge.exe
1576	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 2980	1576	msedge.exe	85
PID 1576 wrote to memory of 2980	1576	msedge.exe	85
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 4544	1576	msedge.exe	86
PID 1576 wrote to memory of 3992	1576	msedge.exe	87
PID 1576 wrote to memory of 3992	1576	msedge.exe	87
PID 1576 wrote to memory of 4284	1576	msedge.exe	88
PID 1576 wrote to memory of 4284	1576	msedge.exe	88
PID 1576 wrote to memory of 4284	1576	msedge.exe	88
PID 1576 wrote to memory of 4284	1576	msedge.exe	88
PID 1576 wrote to memory of 4284	1576	msedge.exe	88
PID 1576 wrote to memory of 4284	1576	msedge.exe	88
PID 1576 wrote to memory of 4284	1576	msedge.exe	88
PID 1576 wrote to memory of 4284	1576	msedge.exe	88
PID 1576 wrote to memory of 4284	1576	msedge.exe	88
PID 1576 wrote to memory of 4284	1576	msedge.exe	88
PID 1576 wrote to memory of 4284	1576	msedge.exe	88
PID 1576 wrote to memory of 4284	1576	msedge.exe	88
PID 1576 wrote to memory of 4284	1576	msedge.exe	88
PID 1576 wrote to memory of 4284	1576	msedge.exe	88
PID 1576 wrote to memory of 4284	1576	msedge.exe	88
PID 1576 wrote to memory of 4284	1576	msedge.exe	88
PID 1576 wrote to memory of 4284	1576	msedge.exe	88
PID 1576 wrote to memory of 4284	1576	msedge.exe	88
PID 1576 wrote to memory of 4284	1576	msedge.exe	88
PID 1576 wrote to memory of 4284	1576	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\b95a68c2fecbad390ebe15a062900d2b.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffc7bd46f8,0x7fffc7bd4708,0x7fffc7bd4718
  2⤵
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,16481275711740650941,6054540804583317279,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,16481275711740650941,6054540804583317279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,16481275711740650941,6054540804583317279,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16481275711740650941,6054540804583317279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16481275711740650941,6054540804583317279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,16481275711740650941,6054540804583317279,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4520 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4d6e17218d9a99976d1a14c6f6944c96

SHA1
9e54a19d6c61d99ac8759c5f07b2f0d5faab447f

SHA256
32e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93

SHA512
3fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b96838126583adb34253cbff0d232112

SHA1
92ee1c3303298d6087584b7f537cc63c30e9a8c6

SHA256
e79b8c9d777affef41a935a048582e7126c14688523477aecd63ddf034c62204

SHA512
dd19f1363be21d8d5c84d23e669b55892197a8c0524a96f93f27ce6a6a51f8fb35e6f55d6f25282224f6c8333dd6e27f8c25e7117ebaa51cc345a84bac2d977b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e2d89a8db4308d659e33bea461c59df1

SHA1
93ec2b10b24fb7336776eedbcbbb4ca37f78c955

SHA256
2834c6b87b8c96f2d761560081acad93311cc3d8c034cfe0944597876f49d467

SHA512
ef1879e603c94476da426de2e5d0e66108cbd1bd5992df321bf5165c6a079435e68af9d44126f739ce24673339a6e3c0c97b61750a703d4b161201631eca9a7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9a59fcb2214bed1e9a88d0147c54fd1a

SHA1
16d6a4340083602369b85e71efb82a8997058cd7

SHA256
4d51e24270e97720dfe05eea433c9a2eb82d24ef2e7e32a73ade308ce9b97aa5

SHA512
752ab8e33db088570276bb9237cc4fadbc29e2286fd201920e2fdeb2e306d184190de27ecbe57a0df0e8a24c88bfee1a1e3e30edb03e086fc30fcf0f3f8292c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
c2ef1d773c3f6f230cedf469f7e34059

SHA1
e410764405adcfead3338c8d0b29371fd1a3f292

SHA256
185450d538a894e4dcf55b428f506f3d7baa86664fbbc67afd6c255b65178521

SHA512
2ef93803da4d630916bed75d678382fd1c72bff1700a1a72e2612431c6d5e11410ced4eaf522b388028aeadb08e8a77513e16594e6ab081f6d6203e4caa7d549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a0d18a3b0e4f5ceaac6fedf68ef46faf

SHA1
180494de5cd9f841f062456b974e86bc9971b5bd

SHA256
f863878dc7b1f3a57214fce029b52d6f3c80721830aac387c4fe065f3096e015

SHA512
0d1a7ecb121072e22f8813fc657563ef629c36563715227aa9796124356cc304f25062fa98bb996bc6e9173e0b84d483f6aafaac65c294c14d651002194521c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
fbb73592e00760cd12560c0ad8c84b41

SHA1
18a8e288aa0aa623c6e53e78c5b4d26f51abe46d

SHA256
009727cb8623387108c88ee9724216e7d6fdd2b6301b05b2c0dc3c6637a510e9

SHA512
f6ea4d9de7e35559551b26a50585d2bffb4948f512a5b88b3be847c653f00990a675765f08749966f268ee75b6ce32995fb612c28fc324d28b3a879c30b1179f

Download Submit