d736a155b59365e510d9a4dad54fba7c17d01b5174b271d08a8c7551e6ba0131

Analysis

max time kernel
147s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5e4ff6f4dac7b7db9f5080f86a74012.html
Size

32KB
MD5

c5e4ff6f4dac7b7db9f5080f86a74012
SHA1

4ee5dfb35e6d16e4858a5d00529aec50512259c6
SHA256

d736a155b59365e510d9a4dad54fba7c17d01b5174b271d08a8c7551e6ba0131
SHA512

beb4cee7dead75899884f762a31ca2d703b27d23d4285cfe7a67b4b998abe80dda829befd225672bf6d23024c71e72ded1fc3b671d4ee57db24dc29ca61b49d8
SSDEEP

768:3RnUKC4PRmI+xIdV61xbbDC1IJWtznXtEB:3RU14PRmIndVq/fWI

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4844	msedge.exe
4844	msedge.exe
1572	msedge.exe
1572	msedge.exe
2236	identity_helper.exe
2236	identity_helper.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 3552	1572	msedge.exe	85
PID 1572 wrote to memory of 3552	1572	msedge.exe	85
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4636	1572	msedge.exe	86
PID 1572 wrote to memory of 4844	1572	msedge.exe	87
PID 1572 wrote to memory of 4844	1572	msedge.exe	87
PID 1572 wrote to memory of 4884	1572	msedge.exe	88
PID 1572 wrote to memory of 4884	1572	msedge.exe	88
PID 1572 wrote to memory of 4884	1572	msedge.exe	88
PID 1572 wrote to memory of 4884	1572	msedge.exe	88
PID 1572 wrote to memory of 4884	1572	msedge.exe	88
PID 1572 wrote to memory of 4884	1572	msedge.exe	88
PID 1572 wrote to memory of 4884	1572	msedge.exe	88
PID 1572 wrote to memory of 4884	1572	msedge.exe	88
PID 1572 wrote to memory of 4884	1572	msedge.exe	88
PID 1572 wrote to memory of 4884	1572	msedge.exe	88
PID 1572 wrote to memory of 4884	1572	msedge.exe	88
PID 1572 wrote to memory of 4884	1572	msedge.exe	88
PID 1572 wrote to memory of 4884	1572	msedge.exe	88
PID 1572 wrote to memory of 4884	1572	msedge.exe	88
PID 1572 wrote to memory of 4884	1572	msedge.exe	88
PID 1572 wrote to memory of 4884	1572	msedge.exe	88
PID 1572 wrote to memory of 4884	1572	msedge.exe	88
PID 1572 wrote to memory of 4884	1572	msedge.exe	88
PID 1572 wrote to memory of 4884	1572	msedge.exe	88
PID 1572 wrote to memory of 4884	1572	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\c5e4ff6f4dac7b7db9f5080f86a74012.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8c6c046f8,0x7ff8c6c04708,0x7ff8c6c04718
  2⤵
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,6449021700291030061,5896951721694020465,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,6449021700291030061,5896951721694020465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,6449021700291030061,5896951721694020465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6449021700291030061,5896951721694020465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:2036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6449021700291030061,5896951721694020465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:2728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6449021700291030061,5896951721694020465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:1176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6449021700291030061,5896951721694020465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,6449021700291030061,5896951721694020465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 /prefetch:8
  2⤵
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,6449021700291030061,5896951721694020465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6449021700291030061,5896951721694020465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
  2⤵
  PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6449021700291030061,5896951721694020465,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6449021700291030061,5896951721694020465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6449021700291030061,5896951721694020465,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,6449021700291030061,5896951721694020465,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4d6e17218d9a99976d1a14c6f6944c96

SHA1
9e54a19d6c61d99ac8759c5f07b2f0d5faab447f

SHA256
32e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93

SHA512
3fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
c4700a9734c6414b1f3f0f5a935ce87f

SHA1
6097ef5fd878ada701a94ce04283b0a39435be93

SHA256
8337c2128914f4bab0750cd2b5eb2256535326ea2a1f2182b233f58a968db441

SHA512
43f72edcd48130e986b1241fe45285fb51d2a68269844ce1dcbeaf79d2e4df6647ab98080922d381711c35f0e41d611b7cdd18d90c6dffebae00d22973265c49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b392a9d2a14f6a017f53bb37909757b0

SHA1
1d9f42dc09bc46e1d0fb2b084ca1a3c3f546c389

SHA256
74c5bc6a525a3493b231ef22c7f53843b1dcf6b1e52e0994f86b75a10e88fa4a

SHA512
8d52c740a9c8293a945bea4a35f19fb0e4ebf5daa6c2c0e2fd40f75765cc43a6f4b7c69529495e2d48ab21b49e63395af1ede33e9b62556977bc3e091c722eed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2e5fb59229a98856d6e55114713c2909

SHA1
93fae65d7bcd673e2ddb833727cdf5da46555d93

SHA256
af0032201446a9113fe63cc051ba0e58d9f4933519e6a30ee647f80843a8aa99

SHA512
43623b2868aaa922304ec5ce69dea302c92d61fc9371c44895fade9c9ac1861233497177613f2f6026acd26bc9eaf93bf247e33aff4f601ade5638c2ea778d94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
c2ef1d773c3f6f230cedf469f7e34059

SHA1
e410764405adcfead3338c8d0b29371fd1a3f292

SHA256
185450d538a894e4dcf55b428f506f3d7baa86664fbbc67afd6c255b65178521

SHA512
2ef93803da4d630916bed75d678382fd1c72bff1700a1a72e2612431c6d5e11410ced4eaf522b388028aeadb08e8a77513e16594e6ab081f6d6203e4caa7d549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
767580edb473b297e20ad51f872e3d96

SHA1
2e75f259c899831f8a0165a53238d6f31096bcdb

SHA256
7e7e58a0417e4355ad06821dd7a18bf993d4e50895d934f60dc218d434c67645

SHA512
63da54b8d9cc4e3ce7aac9ecf2c35d3d78b263ce841e7fbbebc5d39b125d1e751162907a719f3fad136dd9c826ee460f0d4abde16b43acf741a2a10a7212dad7

Download Submit