e2b1ac753128d29980853ab4a0765dac95ed273965ce8bd32fa6917ef4aff1c7

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18/03/2024, 11:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d3588cd6b862dac870c04ff2c2f3e176.html
Size

3.5MB
MD5

d3588cd6b862dac870c04ff2c2f3e176
SHA1

a23e652787d14309df4b6afe0749663b5f23edfa
SHA256

e2b1ac753128d29980853ab4a0765dac95ed273965ce8bd32fa6917ef4aff1c7
SHA512

f3c874647c4c08739113b84087d2be86443b892220087d77e0e7bd063d006636e640319e7c34e94edf970fc490fdb07cb4b1d44ecdf08f669b2bbc3a982ed46c
SSDEEP

12288:jLZhBE6ffVfitmg11tmg1P16bf7axluxOT6NAx:jvQjte4tT62x

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
5108	msedge.exe
5108	msedge.exe
1824	msedge.exe
1824	msedge.exe
5116	identity_helper.exe
5116	identity_helper.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 3884	1824	msedge.exe	86
PID 1824 wrote to memory of 3884	1824	msedge.exe	86
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 208	1824	msedge.exe	88
PID 1824 wrote to memory of 5108	1824	msedge.exe	89
PID 1824 wrote to memory of 5108	1824	msedge.exe	89
PID 1824 wrote to memory of 1616	1824	msedge.exe	90
PID 1824 wrote to memory of 1616	1824	msedge.exe	90
PID 1824 wrote to memory of 1616	1824	msedge.exe	90
PID 1824 wrote to memory of 1616	1824	msedge.exe	90
PID 1824 wrote to memory of 1616	1824	msedge.exe	90
PID 1824 wrote to memory of 1616	1824	msedge.exe	90
PID 1824 wrote to memory of 1616	1824	msedge.exe	90
PID 1824 wrote to memory of 1616	1824	msedge.exe	90
PID 1824 wrote to memory of 1616	1824	msedge.exe	90
PID 1824 wrote to memory of 1616	1824	msedge.exe	90
PID 1824 wrote to memory of 1616	1824	msedge.exe	90
PID 1824 wrote to memory of 1616	1824	msedge.exe	90
PID 1824 wrote to memory of 1616	1824	msedge.exe	90
PID 1824 wrote to memory of 1616	1824	msedge.exe	90
PID 1824 wrote to memory of 1616	1824	msedge.exe	90
PID 1824 wrote to memory of 1616	1824	msedge.exe	90
PID 1824 wrote to memory of 1616	1824	msedge.exe	90
PID 1824 wrote to memory of 1616	1824	msedge.exe	90
PID 1824 wrote to memory of 1616	1824	msedge.exe	90
PID 1824 wrote to memory of 1616	1824	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\d3588cd6b862dac870c04ff2c2f3e176.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8028b46f8,0x7ff8028b4708,0x7ff8028b4718
  2⤵
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,17662222271458405967,13513240604758732744,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,17662222271458405967,13513240604758732744,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,17662222271458405967,13513240604758732744,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17662222271458405967,13513240604758732744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17662222271458405967,13513240604758732744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:1296
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,17662222271458405967,13513240604758732744,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
  2⤵
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,17662222271458405967,13513240604758732744,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17662222271458405967,13513240604758732744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17662222271458405967,13513240604758732744,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17662222271458405967,13513240604758732744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17662222271458405967,13513240604758732744,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,17662222271458405967,13513240604758732744,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5004 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\4d4d9523-3cbe-40d0-9123-cd4abb991290.tmp

Filesize
12KB

MD5
fa0430cfb8a8a5e53c6b78acd67f1eb3

SHA1
d323aefb08850d60ef291517f2624fbdc09e9978

SHA256
1a27c915fb274a2fa3bb2f4b14713c60d790168e87ea0a0a67fd1eb456077119

SHA512
d69ff6f18c978493e4c2a75338809ff29988252fe0c529f18ae3d9ecdb992f2bce53027c6055ca3cd105bb7421ee6b22f9df1f53fa3c86b05b634b2e9fd77063

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7c6136bc98a5aedca2ea3004e9fbe67d

SHA1
74318d997f4c9c351eef86d040bc9b085ce1ad4f

SHA256
50c3bd40caf7e9a82496a710f58804aa3536b44d57e2ee5e2af028cbebc6c2f2

SHA512
2d2fb839321c56e4cb80562e9a1daa4baf48924d635729dc5504a26462796919906f0097dd1fc7fd053394c0eea13c25219dec54ffe6e9abb6e8cb9afa66bada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5c6aef82e50d05ffc0cf52a6c6d69c91

SHA1
c203efe5b45b0630fee7bd364fe7d63b769e2351

SHA256
d9068cf3d04d62a9fb1cdd4c3cf7c263920159171d1b84cb49eff7cf4ed5bc32

SHA512
77ad48936e8c3ee107a121e0b2d1216723407f76872e85c36413237ca1c47b8c40038b8a6349b072bbcc6a29e27ddda77cf686fa97569f4d86531e6b2ac485ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
981B

MD5
cd8b96094a9fa204dc3654d3c27c412f

SHA1
f86ea1471c2cf2373111b36fa5a954306253d177

SHA256
9f30ee297ea49c672af6fcd4fa064d73ba9b36650aafa72de7d11781505ba3de

SHA512
e159fd232b81d87d86e2845c370b6b598e6c7bfcb0be119d35f5ccbf81c017c77a9d693e26e1c3a9abee8911231457ef1e126c1ade5bd3b1750ef395abe3c527

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
84ab829542f3a6ca6f9a5feee0a36437

SHA1
b040875eadbe4e3aa98262b44dc5c99857c25c66

SHA256
4c41dc28e52258d047c83f3cf22429c1565b989ae69faebdd2faeba7ec25b3e7

SHA512
5e7dd61c341fcd58fed7e8ab709ba7f3cf3ed34dff6c20e29c5796214a13793befeb09743fc0c5b930a3b9fb7fa8b1fb8411f29a4d416c584c1091725ef34f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
11f02fdc267a942b141082bb20f3b49f

SHA1
804a63b4c7d684680a8b9422ec7a30fc224730ec

SHA256
bd517232cb1c0b76bed5cd421b4675dd5a3a872d895a8e8b2bc8247097e2d076

SHA512
af7a140e1485b88c6e9ecaf4aaf2c4b79b2e2e702eaa880e52221bf1c383648d19f21a9c36aac543e5bf3c887182bc2a5b9c68e8fdd1c34778c5262874c27661

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit