2152a8974f65a0c4af221aad6eafe410012948039e6c6e9f2535f32912b86f94

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18-03-2024 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3d126eb5cc482c6aa54d156cb565280.html
Size

70KB
MD5

d3d126eb5cc482c6aa54d156cb565280
SHA1

7ec084cd9611b50492f2735ddc57a8fe118cb510
SHA256

2152a8974f65a0c4af221aad6eafe410012948039e6c6e9f2535f32912b86f94
SHA512

6b40d159f447542f0b55897b421369a19178226a0deaf2c4bd736fb217f288fde30c57b708cd516502551cc6b99c81f040a5dda9643cd1c80d51013c63753b20
SSDEEP

768:/nHX5ZuVCTo0Fdom8NMgPUiLYOnIbFZne3wNKX2:/nHX3To0FdofMg85OnIbFRe3wN/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4604	msedge.exe
4604	msedge.exe
4912	msedge.exe
4912	msedge.exe
884	identity_helper.exe
884	identity_helper.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 3220	4912	msedge.exe	85
PID 4912 wrote to memory of 3220	4912	msedge.exe	85
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4088	4912	msedge.exe	87
PID 4912 wrote to memory of 4604	4912	msedge.exe	88
PID 4912 wrote to memory of 4604	4912	msedge.exe	88
PID 4912 wrote to memory of 1480	4912	msedge.exe	89
PID 4912 wrote to memory of 1480	4912	msedge.exe	89
PID 4912 wrote to memory of 1480	4912	msedge.exe	89
PID 4912 wrote to memory of 1480	4912	msedge.exe	89
PID 4912 wrote to memory of 1480	4912	msedge.exe	89
PID 4912 wrote to memory of 1480	4912	msedge.exe	89
PID 4912 wrote to memory of 1480	4912	msedge.exe	89
PID 4912 wrote to memory of 1480	4912	msedge.exe	89
PID 4912 wrote to memory of 1480	4912	msedge.exe	89
PID 4912 wrote to memory of 1480	4912	msedge.exe	89
PID 4912 wrote to memory of 1480	4912	msedge.exe	89
PID 4912 wrote to memory of 1480	4912	msedge.exe	89
PID 4912 wrote to memory of 1480	4912	msedge.exe	89
PID 4912 wrote to memory of 1480	4912	msedge.exe	89
PID 4912 wrote to memory of 1480	4912	msedge.exe	89
PID 4912 wrote to memory of 1480	4912	msedge.exe	89
PID 4912 wrote to memory of 1480	4912	msedge.exe	89
PID 4912 wrote to memory of 1480	4912	msedge.exe	89
PID 4912 wrote to memory of 1480	4912	msedge.exe	89
PID 4912 wrote to memory of 1480	4912	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\d3d126eb5cc482c6aa54d156cb565280.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc8b6046f8,0x7ffc8b604708,0x7ffc8b604718
  2⤵
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,12279435411987408910,12812822045997322117,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,12279435411987408910,12812822045997322117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,12279435411987408910,12812822045997322117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
  2⤵
  PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12279435411987408910,12812822045997322117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12279435411987408910,12812822045997322117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12279435411987408910,12812822045997322117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:984
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,12279435411987408910,12812822045997322117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5964 /prefetch:8
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,12279435411987408910,12812822045997322117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5964 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12279435411987408910,12812822045997322117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12279435411987408910,12812822045997322117,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12279435411987408910,12812822045997322117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12279435411987408910,12812822045997322117,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
  2⤵
  PID:972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,12279435411987408910,12812822045997322117,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4724 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1072

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4476

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7c6136bc98a5aedca2ea3004e9fbe67d

SHA1
74318d997f4c9c351eef86d040bc9b085ce1ad4f

SHA256
50c3bd40caf7e9a82496a710f58804aa3536b44d57e2ee5e2af028cbebc6c2f2

SHA512
2d2fb839321c56e4cb80562e9a1daa4baf48924d635729dc5504a26462796919906f0097dd1fc7fd053394c0eea13c25219dec54ffe6e9abb6e8cb9afa66bada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5c6aef82e50d05ffc0cf52a6c6d69c91

SHA1
c203efe5b45b0630fee7bd364fe7d63b769e2351

SHA256
d9068cf3d04d62a9fb1cdd4c3cf7c263920159171d1b84cb49eff7cf4ed5bc32

SHA512
77ad48936e8c3ee107a121e0b2d1216723407f76872e85c36413237ca1c47b8c40038b8a6349b072bbcc6a29e27ddda77cf686fa97569f4d86531e6b2ac485ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
ff0370a8a1fcc1a6b3fc726f2b25a0de

SHA1
3907da53e814130d97ac8689919ee55db4cb9384

SHA256
ce30e910887e5147f7548cc67096b02b362eada52df6e5b78113dd066ae74a6b

SHA512
14cc495458214269b93939c844f18d3cc8266dc2e83895fba57058fdf6300969a04a9358ac55c39e757c785b1dcacf7e05fd43936116bbca313a72825db4e6ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
9f3ec33d2cae09bebf44186510cdea89

SHA1
6a0fd85090ed528cfcaae3e202cebbcd93fefc55

SHA256
ba31fc7e34c4c5bc984bb38ec79a26ff31048977e80bd7511a66d9e5bc2dce9d

SHA512
2fff5b3ff668e46228b30143979fedcdc2fd39266d8d4e2973721aec45d185aea50d94dac23c9b7147f3bb91d9731ca7c357f202e8761d0630bfcb6be896f172

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9d53a1ecd9fb96095e461eb71e246b46

SHA1
71f520f07ddbab6b78806b37e021e5e4c6deb39f

SHA256
213a993b18a0a0ac2c032c4428813cfa73413553d5c45621bb0877f0296d5ff1

SHA512
e67ab3732dbe22eb175fda875f06683b3cd67dc6f82e455ada2c979d31d293a48007bba36823727d4a40aae9a1629fbd5bc8fa3d071d18d8ea2ad15b0db38e98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
df7adec70661dd1c574d6c6eb497e576

SHA1
d30b8b61482c91460143c40a332d5d686e832466

SHA256
8cd2ebf46ddd03f1f05f556a497bd6c3ada70c9d8555caccba287ce0acda7e24

SHA512
c8a1ff0d55ab42a461c04847bf9b07e5e2ac27417ca22f837dbc0cc11cb994ce9962974de6cff2535df97ea5ecedc7d3069b5199349caa4e294cf9f601b45a51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
31afd44b50e81629785431fd39bbc293

SHA1
7dfc460d57a9b99a7188b036451ff9bf852c8e74

SHA256
d7a53ad63ee9ccd79cd79a2202d761b5c43e5b6c7ba49e0fa6caedf8034c9b2e

SHA512
2b4d29ebccd8f13cd6473a4a2ad782288a0bc12539c4c73347fdbbd9f01fe5fb875d92ff22824c618d12e3e039683dcec6982bccc7a4f5a0eb10c3e48c7f1656

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e35b464277a88e6fa2807b86a88720f3

SHA1
6323fca82516ffa02e9461082eb8225c7fc5eb1a

SHA256
bea5738c92d6416ee53740db0971a349867c6e37b0215b059fc30aad2895726f

SHA512
9987b88934eea7240e77e227d5c1ffac72b5f58ab86592ea3e72ab59554769d741be2bd75a399777e51a95faee9235deb0e92582057bcc14a53a8b482346321a

Download Submit