41b66862b886239faa08736fde6014717e6b2f78d5198401c2cd61907e947e77

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6c6dc73e6945d9bd52cecd31d9a15c9.html
Size

47KB
MD5

c6c6dc73e6945d9bd52cecd31d9a15c9
SHA1

9770389e8609e731a9c6d829d49e8ac378083ca0
SHA256

41b66862b886239faa08736fde6014717e6b2f78d5198401c2cd61907e947e77
SHA512

23c3061919066eb2795096e568b7f40f5ccede813aa98b69d467e0558302dc8ea80935d41c6f0d372dc0a30a3669a19215757b8aee28d22b572408b267a6c3db
SSDEEP

768:FaocjtiEqP1ZtIxtrd1id84cTTLKQDITkOQbKD/my/XwGhuWyd:0ocjtiEa/krd1GqTTOQDITkzs/myfFIR

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3616	msedge.exe
3616	msedge.exe
5072	msedge.exe
5072	msedge.exe
4296	identity_helper.exe
4296	identity_helper.exe
5444	msedge.exe
5444	msedge.exe
5444	msedge.exe
5444	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 4864	5072	msedge.exe	83
PID 5072 wrote to memory of 4864	5072	msedge.exe	83
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 4132	5072	msedge.exe	87
PID 5072 wrote to memory of 3616	5072	msedge.exe	88
PID 5072 wrote to memory of 3616	5072	msedge.exe	88
PID 5072 wrote to memory of 3760	5072	msedge.exe	90
PID 5072 wrote to memory of 3760	5072	msedge.exe	90
PID 5072 wrote to memory of 3760	5072	msedge.exe	90
PID 5072 wrote to memory of 3760	5072	msedge.exe	90
PID 5072 wrote to memory of 3760	5072	msedge.exe	90
PID 5072 wrote to memory of 3760	5072	msedge.exe	90
PID 5072 wrote to memory of 3760	5072	msedge.exe	90
PID 5072 wrote to memory of 3760	5072	msedge.exe	90
PID 5072 wrote to memory of 3760	5072	msedge.exe	90
PID 5072 wrote to memory of 3760	5072	msedge.exe	90
PID 5072 wrote to memory of 3760	5072	msedge.exe	90
PID 5072 wrote to memory of 3760	5072	msedge.exe	90
PID 5072 wrote to memory of 3760	5072	msedge.exe	90
PID 5072 wrote to memory of 3760	5072	msedge.exe	90
PID 5072 wrote to memory of 3760	5072	msedge.exe	90
PID 5072 wrote to memory of 3760	5072	msedge.exe	90
PID 5072 wrote to memory of 3760	5072	msedge.exe	90
PID 5072 wrote to memory of 3760	5072	msedge.exe	90
PID 5072 wrote to memory of 3760	5072	msedge.exe	90
PID 5072 wrote to memory of 3760	5072	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\c6c6dc73e6945d9bd52cecd31d9a15c9.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb33fd46f8,0x7ffb33fd4708,0x7ffb33fd4718
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,3270818005713338713,1891206438163165120,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:4132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,3270818005713338713,1891206438163165120,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,3270818005713338713,1891206438163165120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3270818005713338713,1891206438163165120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3270818005713338713,1891206438163165120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3270818005713338713,1891206438163165120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,3270818005713338713,1891206438163165120,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:8
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,3270818005713338713,1891206438163165120,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3270818005713338713,1891206438163165120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3270818005713338713,1891206438163165120,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3270818005713338713,1891206438163165120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:1320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3270818005713338713,1891206438163165120,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,3270818005713338713,1891206438163165120,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5004 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5444

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3812

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7c6136bc98a5aedca2ea3004e9fbe67d

SHA1
74318d997f4c9c351eef86d040bc9b085ce1ad4f

SHA256
50c3bd40caf7e9a82496a710f58804aa3536b44d57e2ee5e2af028cbebc6c2f2

SHA512
2d2fb839321c56e4cb80562e9a1daa4baf48924d635729dc5504a26462796919906f0097dd1fc7fd053394c0eea13c25219dec54ffe6e9abb6e8cb9afa66bada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5c6aef82e50d05ffc0cf52a6c6d69c91

SHA1
c203efe5b45b0630fee7bd364fe7d63b769e2351

SHA256
d9068cf3d04d62a9fb1cdd4c3cf7c263920159171d1b84cb49eff7cf4ed5bc32

SHA512
77ad48936e8c3ee107a121e0b2d1216723407f76872e85c36413237ca1c47b8c40038b8a6349b072bbcc6a29e27ddda77cf686fa97569f4d86531e6b2ac485ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
41726e67bbeca873ca3d9a16e5a5abba

SHA1
eea90e820d2e49364c8a47d99b0e07fc56e36f7a

SHA256
2ca65cc8023aca0c04532e2e40e063b1ca22219dca07ac5364f667cdb5d62df4

SHA512
4ddc1bbb9f1600040a6724e8a078b6b9fe23852c5d8eaaa303fc07e91697916bd22e0c30fc082cdcdbed7f0275ca21579c0e2c2007a7b3cfd7cdeb279cfeb984

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3cceea0754d9ea79849a4dce346420c4

SHA1
527aa5cf300257885fc505be64418373f998e3f1

SHA256
b37a1ec786bdc07c56a6797a6691f87d14eaf7957220f3a7e7f3e6854c1dda4d

SHA512
53b16a16d421d49a8af3ab1f403f87c476dd7cfdd51df2e740f86b9f6f6df1e9231c5d7657b742e2eee576f75960083f9305d5dc46320abbd6a98a6dbcf81e18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3cb14a583e699a2c182afc4e16d619bc

SHA1
3f677bf3521d51730ea77fece78b2027ca319f4b

SHA256
25d790a57f8aa34637e898aba1206e54abb72dcd8f1710c6d7d42eda6ed24f5d

SHA512
07cc55585eaecec3134b17c53fe9442d3c21b4ba50f84a0c489df55b50bca786edef9bd12986b4413e61ca453f93c22b35b260f21846755e5873b26a774d384a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8bbc72e3e65cddb6dfa2b29685b493a3

SHA1
fbc29eb77090d73690583b09adf4770a780041ee

SHA256
159b00bdda043ec6b0b28e5b3d86c64fa3724cfc45fcd6bdd03e56600643ee66

SHA512
b89913018052b864222cb1a4d9a36ae75de6709713725d206f8ae81efb4a306cde6bfcc0d94e207994417be94078212aab0d0047a3bcfc63c5eea343ba3db1b0

Download Submit