7574be66d3de35a33418b9e722a01fbb48551020af244556b667ad1eac4d538e

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25-03-2024 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddf8c815e659126c245b850e5702e9b9.html
Size

37KB
MD5

ddf8c815e659126c245b850e5702e9b9
SHA1

18ae7d627cdff32026b3babc465c54bfee2c53c5
SHA256

7574be66d3de35a33418b9e722a01fbb48551020af244556b667ad1eac4d538e
SHA512

1bd4ee03dc1c5710ffd22818e44571b5859d4d8d2a767707de6191d256c0fdffa3d17c18ab28243842f7b86c6065d6d155de037f35db0c079cfa5a43647a0f82
SSDEEP

384:kydsF0RplkLTDF+a62NOpFXQUaRogv1PzP1wwL4oqSTG4WWzbM+LZW3BltIHrWzK:kGsU4BYtBXDR9MeeXObeeet

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3832	msedge.exe
3832	msedge.exe
1044	msedge.exe
1044	msedge.exe
3008	identity_helper.exe
3008	identity_helper.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 4732	1044	msedge.exe	88
PID 1044 wrote to memory of 4732	1044	msedge.exe	88
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 4320	1044	msedge.exe	89
PID 1044 wrote to memory of 3832	1044	msedge.exe	90
PID 1044 wrote to memory of 3832	1044	msedge.exe	90
PID 1044 wrote to memory of 4896	1044	msedge.exe	91
PID 1044 wrote to memory of 4896	1044	msedge.exe	91
PID 1044 wrote to memory of 4896	1044	msedge.exe	91
PID 1044 wrote to memory of 4896	1044	msedge.exe	91
PID 1044 wrote to memory of 4896	1044	msedge.exe	91
PID 1044 wrote to memory of 4896	1044	msedge.exe	91
PID 1044 wrote to memory of 4896	1044	msedge.exe	91
PID 1044 wrote to memory of 4896	1044	msedge.exe	91
PID 1044 wrote to memory of 4896	1044	msedge.exe	91
PID 1044 wrote to memory of 4896	1044	msedge.exe	91
PID 1044 wrote to memory of 4896	1044	msedge.exe	91
PID 1044 wrote to memory of 4896	1044	msedge.exe	91
PID 1044 wrote to memory of 4896	1044	msedge.exe	91
PID 1044 wrote to memory of 4896	1044	msedge.exe	91
PID 1044 wrote to memory of 4896	1044	msedge.exe	91
PID 1044 wrote to memory of 4896	1044	msedge.exe	91
PID 1044 wrote to memory of 4896	1044	msedge.exe	91
PID 1044 wrote to memory of 4896	1044	msedge.exe	91
PID 1044 wrote to memory of 4896	1044	msedge.exe	91
PID 1044 wrote to memory of 4896	1044	msedge.exe	91

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\ddf8c815e659126c245b850e5702e9b9.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8bd1546f8,0x7ff8bd154708,0x7ff8bd154718
  2⤵
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,12597780367127509655,17571214881391909951,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,12597780367127509655,17571214881391909951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,12597780367127509655,17571214881391909951,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12597780367127509655,17571214881391909951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:3828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12597780367127509655,17571214881391909951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,12597780367127509655,17571214881391909951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,12597780367127509655,17571214881391909951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12597780367127509655,17571214881391909951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12597780367127509655,17571214881391909951,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
  2⤵
  PID:2812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12597780367127509655,17571214881391909951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:3040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12597780367127509655,17571214881391909951,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,12597780367127509655,17571214881391909951,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9ffb5f81e8eccd0963c46cbfea1abc20

SHA1
a02a610afd3543de215565bc488a4343bb5c1a59

SHA256
3a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc

SHA512
2d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1b45169ebca0dceadb0f45697799d62

SHA1
803604277318898e6f5c6fb92270ca83b5609cd5

SHA256
4c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60

SHA512
357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
507B

MD5
aedd31b01db75947bc029168e6a9d724

SHA1
cda619658f91b7705ae04abd52848028e54cf29b

SHA256
7df443bdb3b2b7943637fc759fc2e5f6945e51b60ad1ae742faf9abc406d282f

SHA512
1a6cb79f75dd1a471ae3330ecb47fbbf62b01c8e0f617500b9ff1377b1974dbbdbaf6098e4b1c49c1447e6e16b0a13d2cd58ef66e7f47bb7a34a8571da848e79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a9d384f87afdd257d6853b4f208fc31d

SHA1
3488b0f8e482f72d3b0c054c1f6aa754350bdc0e

SHA256
ef3a0f61a8a27b199423a8dd0b0e357eedb9ec9fb626de600d4c0648366077d6

SHA512
f887721f78b7e5e9c3fcb4406129decd174c7cfe896f89042bd18d792a01605bc6ccac6d63120c57f5b1ae1109b54c03503766e78749a9f0f6446661789f9bac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9dcb072b90bf848d86ecd9284a0844bb

SHA1
842b2f267caaf2e210a6e5f2042fd73b5ae8abb9

SHA256
f958e2c209ab294895b3ce1b63dfba023091261fccabdac50f372d0880c40642

SHA512
60004b024f4cd0d2cf5350792ceca8a027d89a034706b290eae342987d61189750ab2248305dcacc834ef69dec9c695517b9a49f3ab62cd85857ae6cc3b68177

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
238c1c5eedcb2d39ebfc7e7ed0009a75

SHA1
aee9c6703c5cab8a10dc74e88465381bc1cf4383

SHA256
8c36be0375c5643f655a5ee45a4fe58dc6e29f49f64ba8e11359bdfec523f19a

SHA512
d3c948bd4d8b3f0050827269050607947148180434a7d30b07c43cea50a1f765c00d3be49813f7eda58f11b9cc70a24d63cb7f809c9999cf1ac2009e670519aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b55e986e8d2780a6e59586a24d1d6655

SHA1
a7cb1c1f8e0efc8fc5ca23c9b4e4345c9663eafb

SHA256
5c80392fb4ebb29dd7cedd30abe907682fb6a384d105909cbc6c1d9146bcb174

SHA512
d0c01f33f073ea6e892e86240be91abba19e2417f12abec603616b9a3ad2e08eeb402ab7208f276c4aba974e0298d3817e9570963b13b9142581596fc3a158c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c25d4f71a97e4a5a5ece2d08b2682ad5

SHA1
d80e9dc948b34f25ec690e85dbbb778fb2bc59cc

SHA256
d23fcae7ab009cca0f81a02a67aab54f49cfb2de8d43a38db4abb3196bacb6d5

SHA512
4c134b592bca67f25be05769037b55cefaa7a71fc13ff3cbd7075aaf7487f720cd84d4f183c0899c34943959c0ded73849989fe62c99a3db15d0f1cafab2e29f

Download Submit