5edccc19fbe1a6544529d469f89d6ee64a693d3fb2b7be6ff86b69693062b3e3

Analysis

max time kernel
1682s
max time network
1691s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
11/03/2024, 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

553KB
MD5

7285c043905334cd2d7183be10ebaa5c
SHA1

8627f620369a70b5799088cf39173946fbf2e21f
SHA256

5edccc19fbe1a6544529d469f89d6ee64a693d3fb2b7be6ff86b69693062b3e3
SHA512

a49088eb049a8759997214cb82ceb08cf68f681b3f5b5f0ebd989951dc251082de2b37700c34857d971b3923d1caa44950dfde69f415aef1aed9b447b9c7c3b5
SSDEEP

12288:0PZ+VayOuiW67sVYg0lFhROHr0+KSpXzH/BTUT7svzX05BWV0uOEAFYhE4BJKlf8:0PZ+VjOuM0MY

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2268	msedge.exe
2268	msedge.exe
5008	msedge.exe
5008	msedge.exe
4884	identity_helper.exe
4884	identity_helper.exe
1060	msedge.exe
1060	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 4528	5008	msedge.exe	80
PID 5008 wrote to memory of 4528	5008	msedge.exe	80
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 3404	5008	msedge.exe	82
PID 5008 wrote to memory of 2268	5008	msedge.exe	83
PID 5008 wrote to memory of 2268	5008	msedge.exe	83
PID 5008 wrote to memory of 2816	5008	msedge.exe	84
PID 5008 wrote to memory of 2816	5008	msedge.exe	84
PID 5008 wrote to memory of 2816	5008	msedge.exe	84
PID 5008 wrote to memory of 2816	5008	msedge.exe	84
PID 5008 wrote to memory of 2816	5008	msedge.exe	84
PID 5008 wrote to memory of 2816	5008	msedge.exe	84
PID 5008 wrote to memory of 2816	5008	msedge.exe	84
PID 5008 wrote to memory of 2816	5008	msedge.exe	84
PID 5008 wrote to memory of 2816	5008	msedge.exe	84
PID 5008 wrote to memory of 2816	5008	msedge.exe	84
PID 5008 wrote to memory of 2816	5008	msedge.exe	84
PID 5008 wrote to memory of 2816	5008	msedge.exe	84
PID 5008 wrote to memory of 2816	5008	msedge.exe	84
PID 5008 wrote to memory of 2816	5008	msedge.exe	84
PID 5008 wrote to memory of 2816	5008	msedge.exe	84
PID 5008 wrote to memory of 2816	5008	msedge.exe	84
PID 5008 wrote to memory of 2816	5008	msedge.exe	84
PID 5008 wrote to memory of 2816	5008	msedge.exe	84
PID 5008 wrote to memory of 2816	5008	msedge.exe	84
PID 5008 wrote to memory of 2816	5008	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb74373cb8,0x7ffb74373cc8,0x7ffb74373cd8
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,1196278734673429948,13547080711290510927,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,1196278734673429948,13547080711290510927,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,1196278734673429948,13547080711290510927,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
  2⤵
  PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,1196278734673429948,13547080711290510927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,1196278734673429948,13547080711290510927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:656
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,1196278734673429948,13547080711290510927,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,1196278734673429948,13547080711290510927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1752 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,1196278734673429948,13547080711290510927,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,1196278734673429948,13547080711290510927,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4076 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,1196278734673429948,13547080711290510927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,1196278734673429948,13547080711290510927,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,1196278734673429948,13547080711290510927,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1652 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2572

C:\Windows\system32\WerFault.exe
"C:\Windows\system32\WerFault.exe" -k -lc WATCHDOG WATCHDOG-20240316-1242.dmp
1⤵
PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5c48e8b68231fb5b2d7f1188b930bc0e

SHA1
1822aef5da8fdd47626fb91afcf79a2be175a325

SHA256
c3b287c29eaa57166b2ab1ba9bd0aaced13cc2f946a04b8d708ac429187fe944

SHA512
2bd09b83e44e0104fbe080a8573690217dc9fbf7fd59ff25a1a9e9ebd2d87ac533f9b99350773d081a7e748b39657115a13e94538b153bceb13ecdfc4672a0f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f2dc80f5403feb8461b7ffa09890d6a0

SHA1
d5b61e6d672e7e71571e0132e21cead181da8805

SHA256
eadeadba37eed18e5acba408d7e076270b00403fed372b77164577232232428a

SHA512
5e2119529b99b76be105c43714e4b9977ee2147172c1c44e92bd9b41fa7a66f55d4073c864aac668a912aff2898bd216fb38f2fe34ef65de69ad12965218caf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3de309fb70c4db62af05c29cc017d51a

SHA1
e26e3bf777943a25af7c5c4090e42ab37210304c

SHA256
486c6da19016b3d6c3132fbc2a002a40eea1b28d49accd4e41da40e4c37129a1

SHA512
8b60ff69d1d04e35743d73e9f727160c171d1843b78e87fb5ea54679a37083465c0c85b03a5640bf152b2eb36ee0b6d6e607cc43009f44d048dff26b527a87cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
089a3e5d9be79d7a2b97f1a95b754ef1

SHA1
e0a8cf0b4e63f0ef3d2e5eb0df12ff600ec4792a

SHA256
3fc9c63e862a2ab40af5e426259c9ed91c559e611b73bd7e5305b5c73dacbc7d

SHA512
d5c0dbfdf59d6dbda4d61ca2399286a28807e27a40ec5c268830c43acedc7952f92d28217575a5521d4b1f7f4db822db224d4c1449b096056244b0522c1e3142

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cce2ffd380f552135056c7652f490836

SHA1
b38177e9b353d0f2fdd4054bd1ad1e21e8eef5a8

SHA256
f5ac7af598e3414743a8390b9f68c1334a2da6fdf8d90182f0fbe2b8e804c45c

SHA512
19f13aae7e28b655081e3bbd422f0491dfe1bcbe08f70d19c120937e591428c939f6a2da2c42382e925e05807d45eae3fda37a395912157370489b6623bb5a0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
372B

MD5
6bc6dfce195b4c7349f5af735a62e04e

SHA1
96e844bc13fc1abb6fa164b6f8c5280e073aa729

SHA256
2125848446b36a4e9b092d9ff6792cd361e0a29a089fad31971fd6e5b4419547

SHA512
fd821ca03be0cdd30165020560b2f86b2edb96d883f4fa41c400c435416fb16dde109a25fa335aba0021a0bfb0d79fc7ea86c0127feb7e257cf207dce9b2edc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
372B

MD5
f5510fe8679ba3a53ed156653ad92637

SHA1
22fe5d539b2b379c7a8b753c808b36f5f3229ac7

SHA256
32052912c3e9d4a81af0a9b810f56248020a694d846678a2d9ec896dcc3b2485

SHA512
ab3a78c216ddec0d16356e334ea497ba5aec5f54aa201153cf5b596f301fb71f85ef22a9257454acf61be497d4dfe7415acea7642a4962815bb27cb23679b34a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5839b8.TMP

Filesize
204B

MD5
fe70481d0b2a8c21d8125d7fbb52dd2f

SHA1
11ba5995840b4c0755062f1b1625b62fb5514fe5

SHA256
68439ad03931af0f4b20e389ef19c69114b1478ef75ccb6cdcde9167c62b9d9a

SHA512
3b9b6aef89a32677d3fdc4525fcef82e14748809b057b6e3d218c23f24b4a6ec9b6925ef10b83ee041ac3208b9a3a81132f3090605c740c793cd126b7de9320c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
906c2cb0a5272024a121eb4ca8dbea40

SHA1
e2e09081eca32017e5dbdb8666d037b9336efffc

SHA256
89b667ab5c6899745fd0c505c4d36d238e321411da675369cdd2b5ccd4882c53

SHA512
63949174872cb2232503fd381c7a1866c41a13879a4b3396b7802a6c96660b1969beff88acb8d2c3250d6ecbfae37eacc73bd5a6aa1b55192d516fa5ce6b2941

Download Submit