1eb1adb1ccac89d2f6683cd5222245b3d990c39efa28abdc0285beb97f1e2aa3

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc0fa674b96f609999b388d4a07b72a1.html
Size

118KB
MD5

bc0fa674b96f609999b388d4a07b72a1
SHA1

edd972fd1ec61945883c957e5f804f43bd48e2be
SHA256

1eb1adb1ccac89d2f6683cd5222245b3d990c39efa28abdc0285beb97f1e2aa3
SHA512

372e25a853eccb7f84b5370f2d956f5fe0d886ed3e0d650fa1d0be047f0c4a95466cbe9492cf0b9aec3030e83b8064473b6bedf0eda421524c413faeceb5c053
SSDEEP

3072:kPSHEqJxBHvjLm7V89xEo+N3OVKyTTzuoiaN1s:Q6Equ2VDs

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2440	msedge.exe
2440	msedge.exe
4492	msedge.exe
4492	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4492 wrote to memory of 2396	4492	msedge.exe	89
PID 4492 wrote to memory of 2396	4492	msedge.exe	89
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2928	4492	msedge.exe	90
PID 4492 wrote to memory of 2440	4492	msedge.exe	91
PID 4492 wrote to memory of 2440	4492	msedge.exe	91
PID 4492 wrote to memory of 3816	4492	msedge.exe	92
PID 4492 wrote to memory of 3816	4492	msedge.exe	92
PID 4492 wrote to memory of 3816	4492	msedge.exe	92
PID 4492 wrote to memory of 3816	4492	msedge.exe	92
PID 4492 wrote to memory of 3816	4492	msedge.exe	92
PID 4492 wrote to memory of 3816	4492	msedge.exe	92
PID 4492 wrote to memory of 3816	4492	msedge.exe	92
PID 4492 wrote to memory of 3816	4492	msedge.exe	92
PID 4492 wrote to memory of 3816	4492	msedge.exe	92
PID 4492 wrote to memory of 3816	4492	msedge.exe	92
PID 4492 wrote to memory of 3816	4492	msedge.exe	92
PID 4492 wrote to memory of 3816	4492	msedge.exe	92
PID 4492 wrote to memory of 3816	4492	msedge.exe	92
PID 4492 wrote to memory of 3816	4492	msedge.exe	92
PID 4492 wrote to memory of 3816	4492	msedge.exe	92
PID 4492 wrote to memory of 3816	4492	msedge.exe	92
PID 4492 wrote to memory of 3816	4492	msedge.exe	92
PID 4492 wrote to memory of 3816	4492	msedge.exe	92
PID 4492 wrote to memory of 3816	4492	msedge.exe	92
PID 4492 wrote to memory of 3816	4492	msedge.exe	92

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\bc0fa674b96f609999b388d4a07b72a1.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc6b9a46f8,0x7ffc6b9a4708,0x7ffc6b9a4718
  2⤵
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,16241063735047154310,13832182508105204003,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2
  2⤵
  PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,16241063735047154310,13832182508105204003,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,16241063735047154310,13832182508105204003,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
  2⤵
  PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,16241063735047154310,13832182508105204003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,16241063735047154310,13832182508105204003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,16241063735047154310,13832182508105204003,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5972 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,16241063735047154310,13832182508105204003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
  2⤵
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,16241063735047154310,13832182508105204003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:3728

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9ffb5f81e8eccd0963c46cbfea1abc20

SHA1
a02a610afd3543de215565bc488a4343bb5c1a59

SHA256
3a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc

SHA512
2d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1b45169ebca0dceadb0f45697799d62

SHA1
803604277318898e6f5c6fb92270ca83b5609cd5

SHA256
4c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60

SHA512
357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
5e005cd83e0e7702b1c3bcd73d447d6b

SHA1
ed60c60f30138168155d3eeb1a5c27306a754c91

SHA256
81246c4a14b71de7ad2be29a6d7ba5382e56e4c9c58679a3b799bfbc6108769f

SHA512
a6073ba3cfd984031f578e9fedd184025b7c9ca90f2b77264d66e9343da54008bf0155f0afe4512092d131a3e683481ddd4122b8620caf8d1457a1ab0f5e8da1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
8dbcc695d4a5f644568acb4c0ab0e789

SHA1
9e0320d189292754aa71cea417a61d922f6afa4e

SHA256
1a978ca4091898384e7273cd57e281701b6031481390a1f0a7549871d57566a9

SHA512
a9967cc77fceb3f5f154cb382ea5e1b14fd5932c7140057189a9770e0818d1310d35b4a3696cf8e93e3b24099d7099728037e9eb756afe28b66eb25b9b9b4833

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ecbbf64e255d52047608a5d344e358f5

SHA1
a27ac077fecf80b26aeb4c9c19b4036f24c22b12

SHA256
e71739c7d28163f21d756cb34cf2bbbdff7f1625ad70d38c27cb9161a9d8f8f9

SHA512
ba3af641bede97c652eb51e8d68cbfc43a88c236ee473b35a1b155a676d3a7c857490312d5e1ebc4b5e69538971fdca54de369177b4955102f9e2b56910dd998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5f1142d9a45ca94ca40a6df12810d786

SHA1
7b7a65b2ce1b774356b3eff260662bdcc682c88d

SHA256
dfc20057c592f785d24f9ba2947b6881b52d981729bc823866b8fe9235aeb0d3

SHA512
3eec268fe25893c1dbb0d77ca4f255250a7b9e45a4d1182cd888dadcaab112a1cc6727372618d26877c4960bf74fc53b933d3c98f21fd27fac60eae1f72a5e85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
71c75e34c5fdbc431d1542923c5f8555

SHA1
5cab76f71a83dd9a61d53082f0babbcd07640ba3

SHA256
bb0128503f425a090224d733fe2ca893dae42332c801b5bf30265331fecafd7b

SHA512
c3fc42a833d159ea5e93c02404a56fcece57f5ef28e36e1e0f15fb9e44fae24e5414e88b82f24b0600e40f5e59c1ce68988fa37c19097ffda8644b78851606dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
39ad9e9cfd8b3472ec83e338223baf99

SHA1
cfaeba6b4a20371f59b7e0259d9722b2907e6629

SHA256
fb828456eebb55843b97609e4298623e61d799fb65a52076d98adf81e350b797

SHA512
adfef132d15096bb4a5e95d02319bc5726ea6a37c8cddabb382d2e36a03194b21a8784c90e057d4899aaf470d5cc87466fa7287e974e500e3d7355c56691469d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582b12.TMP

Filesize
371B

MD5
9c31af5bf3db749bd34e2c61c649c2b3

SHA1
b6218e99bf2b309d50931097bdcc64807896b521

SHA256
9f4b0557138ef060f381033e42d7aa558054f910978da548e44fbb47ff204eb7

SHA512
098d4f71c175fb5f031e8b325173e67e8d54520d5bc9ee989c054690b1b21dd9b76470cdf99babbaa7e89be0d7c1ed374601503ee5fea69b9aa901942c4aaf43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
733206d69809cf6a5a3c6ba19c4d152c

SHA1
f62eaa62920d9761db9066eb3787501ddb1bc7db

SHA256
7ddf97fc169d1f6d8b83e85ae2460ce37745ea6486f7d6becb8b1f51435b8967

SHA512
07c78e335903e10f8e7c9838c0c8677a45a9bfe1bd6dbe3bd0e98cdbb9408818a4392aa7f78a5a0781ff98e4926b8103e20d58ad78f899befbf531d940e8ce72

Download Submit