340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

Resubmissions

25/03/2024, 14:53

240325-r9p88aea5y 4

Analysis

max time kernel
11s
max time network
16s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
25/03/2024, 14:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

spml.html
Size

162B
MD5

1b7c22a214949975556626d7217e9a39
SHA1

d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256

340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512

ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1088	msedge.exe
1088	msedge.exe
1640	msedge.exe
1640	msedge.exe
3440	identity_helper.exe
3440	identity_helper.exe
708	msedge.exe
708	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 4132	1640	msedge.exe	80
PID 1640 wrote to memory of 4132	1640	msedge.exe	80
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 4988	1640	msedge.exe	81
PID 1640 wrote to memory of 1088	1640	msedge.exe	82
PID 1640 wrote to memory of 1088	1640	msedge.exe	82
PID 1640 wrote to memory of 3672	1640	msedge.exe	83
PID 1640 wrote to memory of 3672	1640	msedge.exe	83
PID 1640 wrote to memory of 3672	1640	msedge.exe	83
PID 1640 wrote to memory of 3672	1640	msedge.exe	83
PID 1640 wrote to memory of 3672	1640	msedge.exe	83
PID 1640 wrote to memory of 3672	1640	msedge.exe	83
PID 1640 wrote to memory of 3672	1640	msedge.exe	83
PID 1640 wrote to memory of 3672	1640	msedge.exe	83
PID 1640 wrote to memory of 3672	1640	msedge.exe	83
PID 1640 wrote to memory of 3672	1640	msedge.exe	83
PID 1640 wrote to memory of 3672	1640	msedge.exe	83
PID 1640 wrote to memory of 3672	1640	msedge.exe	83
PID 1640 wrote to memory of 3672	1640	msedge.exe	83
PID 1640 wrote to memory of 3672	1640	msedge.exe	83
PID 1640 wrote to memory of 3672	1640	msedge.exe	83
PID 1640 wrote to memory of 3672	1640	msedge.exe	83
PID 1640 wrote to memory of 3672	1640	msedge.exe	83
PID 1640 wrote to memory of 3672	1640	msedge.exe	83
PID 1640 wrote to memory of 3672	1640	msedge.exe	83
PID 1640 wrote to memory of 3672	1640	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\spml.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb11a73cb8,0x7ffb11a73cc8,0x7ffb11a73cd8
  2⤵
  PID:4132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,16075112001176109684,11396779806985670822,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,16075112001176109684,11396779806985670822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,16075112001176109684,11396779806985670822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
  2⤵
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16075112001176109684,11396779806985670822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2772 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16075112001176109684,11396779806985670822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,16075112001176109684,11396779806985670822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16075112001176109684,11396779806985670822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16075112001176109684,11396779806985670822,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16075112001176109684,11396779806985670822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16075112001176109684,11396779806985670822,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,16075112001176109684,11396779806985670822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
341f6b71eb8fcb1e52a749a673b2819c

SHA1
6c81b6acb3ce5f64180cb58a6aae927b882f4109

SHA256
57934852f04cef38bb4acbe4407f707f137fada0c36bab71b2cdfd58cc030a29

SHA512
57ecaa087bc5626752f89501c635a2da8404dbda89260895910a9cc31203e15095eba2e1ce9eee1481f02a43d0df77b75cb9b0d77a3bc3b894fdd1cf0f6ce6f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
88e9aaca62aa2aed293699f139d7e7e1

SHA1
09d9ccfbdff9680366291d5d1bc311b0b56a05e9

SHA256
27dcdb1cddab5d56ac53cff93489038de93f61b5504f8595b1eb2d3124bbc12c

SHA512
d90dabe34504dde422f5f6dec87851af8f4849f521759a768dfa0a38f50827b099dfde256d8f8467460c289bdb168358b2678772b8b49418c23b882ba21d4793

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
caaaa8e95efe8cea45d9163803c253fe

SHA1
75438c010e5211eb0b1bf28426dca4d16e335dac

SHA256
b87057da6f21f4b8b59e5d53c676553c81aeca1930640f1acfef273a1d0365e5

SHA512
60efa3a699ec5555e92c86b5f03de77cce7729e16b2dd35c4b3a45be80593dd4f4540003e01d1f86e08e8c67383d841d1eb35b32343c13b0b1c9dbb846a61701

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
09ee8e36a632b2373f4c3658e1fc352b

SHA1
c609f8cfe495c449f23962e4f2078d9185cd56d3

SHA256
8157c0a4b0e1f15c34556fdce774f01571ef77e977fb59a297310312d50b7d8b

SHA512
84f4a2e41f334a3079a37a27cf1a6c9849b5c8ae38882a403c9bbe802c4121cd18f27367d56dbce94d391752c9db18ee45d36c293a382ffa87a9b62d606d98f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
33f819ffbcd834b540c65473707ad019

SHA1
d0c94758a54164b9450ed39c983c80fba9346d10

SHA256
11be9b748d80fe6582897a9155ff0e26aa07e22b39938b12f79b23cfc78bae51

SHA512
82c14ea4984e2ad6541ffb452e190c5e2829e5d9dce6990e80e6fec12ebd982bb8e0e2d10f30f24b0f370569a169c3497fedb8c599e6ff1cfc81df66339623de

Download Submit