c78b1d79a0da9d51edcef721229fc643ca627e562a127dbd82ff91e9c31d09c2

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6280f8ea3fb28f4e9e9bdefccc1a2bd.html
Size

88KB
MD5

d6280f8ea3fb28f4e9e9bdefccc1a2bd
SHA1

ccf12507c7b209ce4c5c8e6e0320892ae31a7144
SHA256

c78b1d79a0da9d51edcef721229fc643ca627e562a127dbd82ff91e9c31d09c2
SHA512

2c4733414d33d7be7388d88b2e6abe2276b1901a5c2bf4e8ab33d974fdb9288414df5f5d5bb36623adbdc2d6467ddde53b4e964430cbca664e87bfe9becc4adf
SSDEEP

1536:eIRIOITIwIgIiKZgNDfIwIGI5IVJ7SqIRIOITIwIgIiKZgNDfIwIGI5IVJ7SW1aY:y1aVoaimIzIn/8v

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2872	msedge.exe
2872	msedge.exe
2104	msedge.exe
2104	msedge.exe
3712	identity_helper.exe
3712	identity_helper.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 1684	2872	msedge.exe	87
PID 2872 wrote to memory of 1684	2872	msedge.exe	87
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 4604	2872	msedge.exe	88
PID 2872 wrote to memory of 2104	2872	msedge.exe	89
PID 2872 wrote to memory of 2104	2872	msedge.exe	89
PID 2872 wrote to memory of 2184	2872	msedge.exe	90
PID 2872 wrote to memory of 2184	2872	msedge.exe	90
PID 2872 wrote to memory of 2184	2872	msedge.exe	90
PID 2872 wrote to memory of 2184	2872	msedge.exe	90
PID 2872 wrote to memory of 2184	2872	msedge.exe	90
PID 2872 wrote to memory of 2184	2872	msedge.exe	90
PID 2872 wrote to memory of 2184	2872	msedge.exe	90
PID 2872 wrote to memory of 2184	2872	msedge.exe	90
PID 2872 wrote to memory of 2184	2872	msedge.exe	90
PID 2872 wrote to memory of 2184	2872	msedge.exe	90
PID 2872 wrote to memory of 2184	2872	msedge.exe	90
PID 2872 wrote to memory of 2184	2872	msedge.exe	90
PID 2872 wrote to memory of 2184	2872	msedge.exe	90
PID 2872 wrote to memory of 2184	2872	msedge.exe	90
PID 2872 wrote to memory of 2184	2872	msedge.exe	90
PID 2872 wrote to memory of 2184	2872	msedge.exe	90
PID 2872 wrote to memory of 2184	2872	msedge.exe	90
PID 2872 wrote to memory of 2184	2872	msedge.exe	90
PID 2872 wrote to memory of 2184	2872	msedge.exe	90
PID 2872 wrote to memory of 2184	2872	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\d6280f8ea3fb28f4e9e9bdefccc1a2bd.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbdbb546f8,0x7ffbdbb54708,0x7ffbdbb54718
  2⤵
  PID:1684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,13983196648390355375,7927527537659127348,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,13983196648390355375,7927527537659127348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,13983196648390355375,7927527537659127348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2400 /prefetch:8
  2⤵
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13983196648390355375,7927527537659127348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2860 /prefetch:1
  2⤵
  PID:1204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13983196648390355375,7927527537659127348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2872 /prefetch:1
  2⤵
  PID:1060
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,13983196648390355375,7927527537659127348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6028 /prefetch:8
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,13983196648390355375,7927527537659127348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6028 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13983196648390355375,7927527537659127348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13983196648390355375,7927527537659127348,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13983196648390355375,7927527537659127348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13983196648390355375,7927527537659127348,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,13983196648390355375,7927527537659127348,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4748 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2340

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3792

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\9c60d583-516c-481f-9e6d-62504ab15a71.tmp

Filesize
11KB

MD5
132e1304305311eb1cf89996444f9e00

SHA1
5c1ea224a8427adaeb5b4202e9a8f9e73b868f29

SHA256
a50c0790e298dc7acf93ab2f4169cce70e3258251372bd0f52ce170ca6aea69d

SHA512
6bbde7ee64f1d8869f9512b019b89927c082f04822956cf37608c689b9e590023425a0418628ab8b56a24bc319bad93880daade9d89515c4dd45fc9f7d42f99a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
47b2c6613360b818825d076d14c051f7

SHA1
7df7304568313a06540f490bf3305cb89bc03e5c

SHA256
47a22bea2e7d0154c59bf5d8790ec68274eb05e9fa6cf0eab0d648121f1a02ac

SHA512
08d2366fc1ce87dbe96b9bf997e4c59c9206fcfea47c1f17b01e79aeb0580f25cac5c7349bb453a50775b2743053446653f4129f835f81f4a8547ca392557aac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e0811105475d528ab174dfdb69f935f3

SHA1
dd9689f0f70a07b4e6fb29607e42d2d5faf1f516

SHA256
c91388c87878a9e2c530c6096dbdd993b0a26fefe8ad797e0133547225032d6c

SHA512
8374a721ea3ff3a1ea70d8a074e5c193dbba27ba7e301f19cea89d648b2378c376e48310c33fe81078cd40b1863daec935e8ac22e8e3878dc3a5bb529d028852

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
308B

MD5
1f56b5f0ccdf82c02631d5c2f0d04f32

SHA1
d77dc5aaf5a76fb2ebf14f222765bffd84634ed4

SHA256
ee486e0a17d6cdb57f912b58cc64684d4e2e8301ef640e63afcb8e1059c5f7cd

SHA512
9fc461419ba92d41f81fa5ac100e39e6373beb782a3ba2601155899a8144080672b7bb09e29480c8d513771ac6aea489db73c54e99a5264b84f9ff9553e23e5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b1bce0cfc19cc768446e0303eed8f4d5

SHA1
353bd3ae6cc2e7a76a0edced0bf397cd6fe95169

SHA256
e1ee2b8b2405da25d1eb475913729abfcf023be4ab1f1abff6a2fa1e78e351f5

SHA512
e2ee0d771210011be7046f6877a92f57e2fca845d9c66eda5a9bcf2711914742c9470a2d4a28aaf7762096f0ad6d0d7be42e736ab2309c939f9dcd1f85b22fc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1e574f5aaa0cccd96b417d94789ceb0f

SHA1
644e1cace1aaf2a019052acb0d8a72a77fb6b595

SHA256
8ee2dba0d4814b70313889fe3165246cc55206176c561f20730b4f6f360d9426

SHA512
c7cd618e8fbd552d4ee9218ca71695f32179a6b644cf35b2badc3a8fc6331fb5451cd888066ef2229623486a9fd923aeff5d9154a8ff35091564ff371541e733

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
af7805b9709d4b50439f2a4bbc8085e1

SHA1
555abc1286b1d0f28adac273240d23831afb31c3

SHA256
8d0eb3844a32d7f967968dbdc8b2af0c734c6e719f12bee0ff3dc72983f012f9

SHA512
447c27a59776f5005bb3351fb4b50725de0e737151796eb864605218bf9bfba330e4cf62f2008882d575828a9067f609bbe55949dd72ed3ae73943cd1b59be01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit