cda2899f84cc78f7462fdb2fd58b89b0d9cdfd8ad5db46df60966599ed439010

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2024, 10:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

def2cf958870a6405d3e233548e0f5fa.html
Size

51KB
MD5

def2cf958870a6405d3e233548e0f5fa
SHA1

e6662579b2b60e734ba9015a3fdfe6f866f54a5d
SHA256

cda2899f84cc78f7462fdb2fd58b89b0d9cdfd8ad5db46df60966599ed439010
SHA512

c17518f0f3c051a19929888e9508b1fa9df97b633377098762f0fe418377fb7c3f62691de638fc61d3501c2fa0fb7253bd7c06037ddfa85ce7c16a852693e00f
SSDEEP

1536:KR5CFLeJdqH62I7YT3KvrnQO8SOcfErMzz7AAyqwQGvkBAGhqiajp8B:fFLeJdqHGY3KvrnQO8SOcfiMznALqwQd

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3220	msedge.exe
3220	msedge.exe
4936	msedge.exe
4936	msedge.exe
372	identity_helper.exe
372	identity_helper.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 2972	4936	msedge.exe	87
PID 4936 wrote to memory of 2972	4936	msedge.exe	87
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 4908	4936	msedge.exe	88
PID 4936 wrote to memory of 3220	4936	msedge.exe	89
PID 4936 wrote to memory of 3220	4936	msedge.exe	89
PID 4936 wrote to memory of 2500	4936	msedge.exe	90
PID 4936 wrote to memory of 2500	4936	msedge.exe	90
PID 4936 wrote to memory of 2500	4936	msedge.exe	90
PID 4936 wrote to memory of 2500	4936	msedge.exe	90
PID 4936 wrote to memory of 2500	4936	msedge.exe	90
PID 4936 wrote to memory of 2500	4936	msedge.exe	90
PID 4936 wrote to memory of 2500	4936	msedge.exe	90
PID 4936 wrote to memory of 2500	4936	msedge.exe	90
PID 4936 wrote to memory of 2500	4936	msedge.exe	90
PID 4936 wrote to memory of 2500	4936	msedge.exe	90
PID 4936 wrote to memory of 2500	4936	msedge.exe	90
PID 4936 wrote to memory of 2500	4936	msedge.exe	90
PID 4936 wrote to memory of 2500	4936	msedge.exe	90
PID 4936 wrote to memory of 2500	4936	msedge.exe	90
PID 4936 wrote to memory of 2500	4936	msedge.exe	90
PID 4936 wrote to memory of 2500	4936	msedge.exe	90
PID 4936 wrote to memory of 2500	4936	msedge.exe	90
PID 4936 wrote to memory of 2500	4936	msedge.exe	90
PID 4936 wrote to memory of 2500	4936	msedge.exe	90
PID 4936 wrote to memory of 2500	4936	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\def2cf958870a6405d3e233548e0f5fa.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd7ad346f8,0x7ffd7ad34708,0x7ffd7ad34718
  2⤵
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,6659735250431621436,15935037655343849464,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,6659735250431621436,15935037655343849464,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,6659735250431621436,15935037655343849464,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6659735250431621436,15935037655343849464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6659735250431621436,15935037655343849464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,6659735250431621436,15935037655343849464,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:8
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,6659735250431621436,15935037655343849464,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6659735250431621436,15935037655343849464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6659735250431621436,15935037655343849464,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1
  2⤵
  PID:2868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6659735250431621436,15935037655343849464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2740 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6659735250431621436,15935037655343849464,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2016 /prefetch:1
  2⤵
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,6659735250431621436,15935037655343849464,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3684 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7c6136bc98a5aedca2ea3004e9fbe67d

SHA1
74318d997f4c9c351eef86d040bc9b085ce1ad4f

SHA256
50c3bd40caf7e9a82496a710f58804aa3536b44d57e2ee5e2af028cbebc6c2f2

SHA512
2d2fb839321c56e4cb80562e9a1daa4baf48924d635729dc5504a26462796919906f0097dd1fc7fd053394c0eea13c25219dec54ffe6e9abb6e8cb9afa66bada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5c6aef82e50d05ffc0cf52a6c6d69c91

SHA1
c203efe5b45b0630fee7bd364fe7d63b769e2351

SHA256
d9068cf3d04d62a9fb1cdd4c3cf7c263920159171d1b84cb49eff7cf4ed5bc32

SHA512
77ad48936e8c3ee107a121e0b2d1216723407f76872e85c36413237ca1c47b8c40038b8a6349b072bbcc6a29e27ddda77cf686fa97569f4d86531e6b2ac485ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
462B

MD5
1b3432e611d2d59f147dc1c2deaf009c

SHA1
87812b6ae47689c8cd94bc467cfa4bfedfc14a3f

SHA256
c20d675ab08c8fcb79cdfdef849e84638569b95f9eff830e96041198cd61a534

SHA512
966b0015b330867ba6a1a9355fcbe1d0910def9a459b0a58a0a896dfbbd702e52c30cb57cff51275ddccb5d1387659972d75013a0cc1b9d76f4f8cbc3d8883d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d2e42c3a899df723db65ef372796d5fd

SHA1
5b7147140e9514b378484a7699c8317ba46626d4

SHA256
be802e5c7a196209fa51d34b6500f62027d010933be1c7e649f1fed74de08a07

SHA512
9533365864538848d5246252c1f079891cd4ac690228d15c3b58650dcbecb09c53222498d6639f94c5fd54a52585bfd9c9b64d6ea809d6d78a3931132b3ee7a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
03ad684d22da2545d3816365f5432632

SHA1
f31dc6ed8ce29b949c6397cc90bcef9bd7675e1d

SHA256
7f957f843d0569e75c9c0791d157527c54c0b6c02c2f3084d9d730dc78ea2dcb

SHA512
42cb518fb6170376290903bcb1dbc686627aeb278ee18b326069d71b6207c7b0685961b90db43ea3772aaf0b92093539b486d54fcc46bbe71ce18d9687914240

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cac1c264d971f12e794e278d40b8d575

SHA1
45aee29405500cb0598de41cde9e3a162291876e

SHA256
de9a78a40a07bb9823c257741cf5d670f59570087de918906c6e225c162e70ca

SHA512
3204f8522823b57467c16113f13eb29e311098053d7cfdfe9c84e74dce3cd116af4220a7439a29586c239b6008ac4bbd7086516059f688d5687ace7f122632f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
356B

MD5
4957532b0226f86e044ef342e5b20e54

SHA1
9ca89f1fce30928e180441dfaaaad7742ee77db7

SHA256
dd7b7a746806ea65fadc970657e4ecd71e3583d03fb9f843e79721af2939fe01

SHA512
c7d7f9c5298322e2c6446487e3eb437181daa47d4dd8bc092f951e740f765948e22e4596579f2f53a2ef8623b9fa99082a4877513eec630e8053bc87979aedc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e639.TMP

Filesize
360B

MD5
968cd24f4b2719a2df9caf7633e6989d

SHA1
82d600cc5fbade26e7a6ed181a6ce611df54e95a

SHA256
810edb0357fce58b8551305dd1346bd728ea7a637934a6bd8e11b91a29ec46ea

SHA512
90a0ebcdc6fa2c742f565310a290fe3eb6e8bcee9406a42e5680de35be249557132461879bb6d7a3fcce5426168128a1485a9bec0a82a16ea11ac4665d8af361

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4a04c4123cc4142c494cb837497f3a88

SHA1
6923106df10a28c717ee6cc3004ad7f07d4f835e

SHA256
e96e390c2ce188dd630d03a4b1d282d3d06680e622b074ff54eede1e1b7a18c8

SHA512
7e1ee18488e13bc706a954dabcd6cfaf38c46017252904530d7048612b8136efac711558993a4ea1c6c44c7bca7932bf34c39ecf3df82299619b7ded35a1b780

Download Submit