15e1d54db16d949bfb19b1a0387f8ffd2c2b4e9b4708923da15e328bb07800f6

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2024 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6be9a554eca3a61d0e6adf0aeeddf96.html
Size

55KB
MD5

d6be9a554eca3a61d0e6adf0aeeddf96
SHA1

159b2091538f222c52a27f482d6341b845fe535c
SHA256

15e1d54db16d949bfb19b1a0387f8ffd2c2b4e9b4708923da15e328bb07800f6
SHA512

c85828e29f51a4c066f5222cfdabd4703d337fe337eadfc697cf95aadccd33cc15f15142fa97a827522367b909ac7fb06bd0778535ab2de6ecda18546a32879a
SSDEEP

1536:AFSk4hMZtwmHtDbHv7oyiyKOflrA0JeJ7vhC3QEyyh+tt:AFkhMZtwmHtDbHTDfKO1A+eJ7vhCAEy7

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2808	msedge.exe
2808	msedge.exe
4948	msedge.exe
4948	msedge.exe
440	identity_helper.exe
440	identity_helper.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 756	4948	msedge.exe	89
PID 4948 wrote to memory of 756	4948	msedge.exe	89
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 1996	4948	msedge.exe	90
PID 4948 wrote to memory of 2808	4948	msedge.exe	91
PID 4948 wrote to memory of 2808	4948	msedge.exe	91
PID 4948 wrote to memory of 3320	4948	msedge.exe	92
PID 4948 wrote to memory of 3320	4948	msedge.exe	92
PID 4948 wrote to memory of 3320	4948	msedge.exe	92
PID 4948 wrote to memory of 3320	4948	msedge.exe	92
PID 4948 wrote to memory of 3320	4948	msedge.exe	92
PID 4948 wrote to memory of 3320	4948	msedge.exe	92
PID 4948 wrote to memory of 3320	4948	msedge.exe	92
PID 4948 wrote to memory of 3320	4948	msedge.exe	92
PID 4948 wrote to memory of 3320	4948	msedge.exe	92
PID 4948 wrote to memory of 3320	4948	msedge.exe	92
PID 4948 wrote to memory of 3320	4948	msedge.exe	92
PID 4948 wrote to memory of 3320	4948	msedge.exe	92
PID 4948 wrote to memory of 3320	4948	msedge.exe	92
PID 4948 wrote to memory of 3320	4948	msedge.exe	92
PID 4948 wrote to memory of 3320	4948	msedge.exe	92
PID 4948 wrote to memory of 3320	4948	msedge.exe	92
PID 4948 wrote to memory of 3320	4948	msedge.exe	92
PID 4948 wrote to memory of 3320	4948	msedge.exe	92
PID 4948 wrote to memory of 3320	4948	msedge.exe	92
PID 4948 wrote to memory of 3320	4948	msedge.exe	92

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\d6be9a554eca3a61d0e6adf0aeeddf96.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb5eeb46f8,0x7ffb5eeb4708,0x7ffb5eeb4718
  2⤵
  PID:756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,4371811161441097924,15185211884900833576,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,4371811161441097924,15185211884900833576,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,4371811161441097924,15185211884900833576,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
  2⤵
  PID:3320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4371811161441097924,15185211884900833576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4371811161441097924,15185211884900833576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4371811161441097924,15185211884900833576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
  2⤵
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,4371811161441097924,15185211884900833576,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2824 /prefetch:8
  2⤵
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,4371811161441097924,15185211884900833576,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2824 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4371811161441097924,15185211884900833576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4371811161441097924,15185211884900833576,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4371811161441097924,15185211884900833576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1256 /prefetch:1
  2⤵
  PID:5452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4371811161441097924,15185211884900833576,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:5460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,4371811161441097924,15185211884900833576,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3100 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7c6136bc98a5aedca2ea3004e9fbe67d

SHA1
74318d997f4c9c351eef86d040bc9b085ce1ad4f

SHA256
50c3bd40caf7e9a82496a710f58804aa3536b44d57e2ee5e2af028cbebc6c2f2

SHA512
2d2fb839321c56e4cb80562e9a1daa4baf48924d635729dc5504a26462796919906f0097dd1fc7fd053394c0eea13c25219dec54ffe6e9abb6e8cb9afa66bada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5c6aef82e50d05ffc0cf52a6c6d69c91

SHA1
c203efe5b45b0630fee7bd364fe7d63b769e2351

SHA256
d9068cf3d04d62a9fb1cdd4c3cf7c263920159171d1b84cb49eff7cf4ed5bc32

SHA512
77ad48936e8c3ee107a121e0b2d1216723407f76872e85c36413237ca1c47b8c40038b8a6349b072bbcc6a29e27ddda77cf686fa97569f4d86531e6b2ac485ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
b30e44a6d7198d26612d82321ea6ff85

SHA1
9f93f7d42fbb25f068bed8e765cf4a130656b9b3

SHA256
e27ef7368a973a7c312d477b0b057454d52e5d00f365f9ea76764f9d6d910e76

SHA512
8fd449fe1086af944c22347b4e9d559f4adf13407b155415ed8f8570f49fe9b49cd4d45b8d949d06bea48c548b42ff4c6d53ad96377fbceb788d089ec4302ce0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
4f5d53fbe26e644c02e77dc65e45056d

SHA1
4539819d7031632994291e3708b08df702f875b2

SHA256
eddb0a0837b59da0d69979747422ad9e8ac0880ec12a30eeece5e5e50a6703ea

SHA512
d753e90fdf18c93e5a0dcb4b8cf20131fc12e654a1cb54c7f149bb14c1a7197da3814bf85d596e10cdfce21ba73889b5b7635295aea3bce7804ea0ccaad97419

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4fb2efca3d399d1cefc33bb6e32e3f7b

SHA1
39237df3d35dc88749bb4566ffc86b9d3d584169

SHA256
8c9aef6c15f1fbe9cc452c91e4706fc9ebbaf6770094bee14dcebc6ab279e673

SHA512
82b3ad9e5f3d44b97b418b8163705a74381251995694eb8a5f1e30d0f6c843a542d255ea2bf98b8fa10810ce61bcd8763c08ad301299b96717e0776c480261fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
187dcd9b5ba765793185b7ee11c3ef7f

SHA1
338a81226e2adeab184a32cffec7ab792a816004

SHA256
e01c5b7490f47c6afaeb305d4dcea681d4a8e951a883b0301bc7b17755a94bec

SHA512
62bacf0cab293f66c1f454aa278f506016204ddcd1bb222d33251f461456ccfa13c0932f597feaf41e7cbcf1cc3f12df3a5980427e81f41fe6030aee894e201a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7539b31555647fafebf511ddda702192

SHA1
3c7c08a27f330a0eeb39d5283415d965bd58120f

SHA256
858a25968c225e3444a40cac871c0a0c3d8ee5318b2746068a0ce0d45aa49ad7

SHA512
50c4024820974615669844741c3122af748a3a7fe5072f98356fcbd94dcaae11ac64b207480a4f688b2a7e6c3c33e860e4e06b4247574c51f70f6f6aeedfaa4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
939705c1e9af80d8a4e36b16a23d4221

SHA1
73fd81c070d9573f56d73cb48613d0a3c2e78936

SHA256
b3bb1c2f2421376d2892dc028d0981b2b940e7c8a669be6bc4f881d3b87d0461

SHA512
5be591264fd80870f9a92e8017eeff67315b56aa51b8d9a6fd7bd5cd7e77996a14e93c162125b0e6489c37a589858a5caa7297e8b1ef6fc70dc3c1ec94702803

Download Submit