1b48d33b9b04365d6c0ef30df34e2ce856af97738b70871c14dfc7f6e47258fb

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2024, 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be187273a223a35f67b4f1f8292638bf.html
Size

593KB
MD5

be187273a223a35f67b4f1f8292638bf
SHA1

654967147e3155b65797d35f71d709774bb1dc27
SHA256

1b48d33b9b04365d6c0ef30df34e2ce856af97738b70871c14dfc7f6e47258fb
SHA512

c18a2a3e26515bacb3c6fd8074fb7c40c77957e1e3ff9b7456d12b07a307056f8b20709075c498318edf39083e8fc4623405d810258f63194626728049d8fcf8
SSDEEP

1536:NsPuhuTFpcW6e+PhDHMI0UrGwg6lLsDP7fmSOSH2Oklz6G3k4z2GhQiFcmlLpj4T:NsPuhuTFp3p

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2060	msedge.exe
2060	msedge.exe
2592	msedge.exe
2592	msedge.exe
1288	identity_helper.exe
1288	identity_helper.exe
6088	msedge.exe
6088	msedge.exe
6088	msedge.exe
6088	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 820	2592	msedge.exe	87
PID 2592 wrote to memory of 820	2592	msedge.exe	87
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 4136	2592	msedge.exe	88
PID 2592 wrote to memory of 2060	2592	msedge.exe	89
PID 2592 wrote to memory of 2060	2592	msedge.exe	89
PID 2592 wrote to memory of 2984	2592	msedge.exe	90
PID 2592 wrote to memory of 2984	2592	msedge.exe	90
PID 2592 wrote to memory of 2984	2592	msedge.exe	90
PID 2592 wrote to memory of 2984	2592	msedge.exe	90
PID 2592 wrote to memory of 2984	2592	msedge.exe	90
PID 2592 wrote to memory of 2984	2592	msedge.exe	90
PID 2592 wrote to memory of 2984	2592	msedge.exe	90
PID 2592 wrote to memory of 2984	2592	msedge.exe	90
PID 2592 wrote to memory of 2984	2592	msedge.exe	90
PID 2592 wrote to memory of 2984	2592	msedge.exe	90
PID 2592 wrote to memory of 2984	2592	msedge.exe	90
PID 2592 wrote to memory of 2984	2592	msedge.exe	90
PID 2592 wrote to memory of 2984	2592	msedge.exe	90
PID 2592 wrote to memory of 2984	2592	msedge.exe	90
PID 2592 wrote to memory of 2984	2592	msedge.exe	90
PID 2592 wrote to memory of 2984	2592	msedge.exe	90
PID 2592 wrote to memory of 2984	2592	msedge.exe	90
PID 2592 wrote to memory of 2984	2592	msedge.exe	90
PID 2592 wrote to memory of 2984	2592	msedge.exe	90
PID 2592 wrote to memory of 2984	2592	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\be187273a223a35f67b4f1f8292638bf.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff09ce46f8,0x7fff09ce4708,0x7fff09ce4718
  2⤵
  PID:820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,1689752607147240653,13296553968045836444,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,1689752607147240653,13296553968045836444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,1689752607147240653,13296553968045836444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1689752607147240653,13296553968045836444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1689752607147240653,13296553968045836444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1689752607147240653,13296553968045836444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
  2⤵
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,1689752607147240653,13296553968045836444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:8
  2⤵
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,1689752607147240653,13296553968045836444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1689752607147240653,13296553968045836444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1689752607147240653,13296553968045836444,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1689752607147240653,13296553968045836444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1689752607147240653,13296553968045836444,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,1689752607147240653,13296553968045836444,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1256 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7740a919423ddc469647f8fdd981324d

SHA1
c1bc3f834507e4940a0b7594e34c4b83bbea7cda

SHA256
bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221

SHA512
7ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f44d6f922f830d04d7463189045a5a3

SHA1
2e9ae7188ab8f88078e83ba7f42a11a2c421cb1c

SHA256
0ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a

SHA512
7c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\9a36f04e-789f-453b-9ff0-b9adf7b38ff1.tmp

Filesize
37B

MD5
661760f65468e15dd28c1fd21fb55e6d

SHA1
207638003735c9b113b1f47bb043cdcdbf4b0b5f

SHA256
0a5f22651f8fe6179e924a10a444b7c394c56e1ed6015d3fc336198252984c0e

SHA512
6454c5f69a2d7d7f0df4f066f539561c365bb6b14c466f282a99bf1116b72d757bef0bf03a0e0c68a7538a02a993fc070c52133ca2162c8496017053194f441c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
257B

MD5
6edca6da5130c768f823ef28a90027d1

SHA1
70c6026009dfb8a6ed66186cab6537f5b799bf46

SHA256
100f6f57c8f5a39979ac120d5d5c56dee06d56a20d7e59e848ca97dc648178d2

SHA512
399ac03a157db8117467c7e1204b58f17ca00543824f18f372c8550b8a007e1c17825af2e95e0666f27db25a3c2b842892cf86a711bfc545f6c7b5015999ef03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f0cdedcbe0e2a2fef8c2f586ff1dc571

SHA1
cefb7395c4ef6123bc47a43949420fc90dceed0d

SHA256
50cba77b019d23b707712f39f63a0b63508585c01638ea578047c87bdeaa45fa

SHA512
7e27ea521d9404dbd4875767adf6aad231898d593152262875454ae57a57eab7ee5d2e4b4afeebfad11e477c0545624acb45b0d18d03044deb9adb5d614b4925

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
44448d6616ffafc29149f2341934e4b8

SHA1
f510ebd9caba88384152c98eaefa154945907df5

SHA256
e260a0f94ca07a420d9d8f03c3eea9268ba1fa8c76d6f99c8707fcdab1d957c7

SHA512
1fd6a86a6fed50d2459a96e8153b017632bab704e19f40d479eb0eb14637d8e1960b2aced50cc8110bfa1aa7be71de07f0f723955698883f951fe942cb6d3cc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
aa732e1295cc416f1549a223ba9c016d

SHA1
2081e79a0800e80ca8028a802f97f3f5f91a75cd

SHA256
41e32169569644fefccce7024a21e8ecfa4dbf650f3cd6054134f8999c2a5b07

SHA512
efc24f1b98eae418d4d82b83659b8a122fad72bf0198d97852c2cb2c8b801d2e9abe2d24d64de9fff6b92a000a4d542ff8c0caf35e759cf0ea2d549836086e5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
ea00cda642b73e2504a1900f65b8d666

SHA1
6926242f170b6171002d89195afecc0b1faf9f75

SHA256
37674eec6c2c7f295495b2b3701c1adb5caaad78457a5a7e989209844926d2bc

SHA512
f478dea62c81a861a4a9ee0e9a0b57e6c896a60ed144443eec2db4a45b1313f12389220c1b59d64f9c794e1eb31994c274a701afd330e44b72a344fef268af9a

Download Submit