Analysis
- max time kernel: 145s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-04-2024 07:29
Static task: static1
Behavioral task: behavioral1
- Sample: sample.html
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: sample.html
- Resource: win10v2004-20240226-en
General
- Target: sample.html
- Size: 146B
- MD5: 9fe3cb2b7313dc79bb477bc8fde184a7
- SHA1: 4d7b3cb41e90618358d0ee066c45c76227a13747
- SHA256: 32f2fa940d4b4fe19aca1e53a24e5aac29c57b7c5ee78588325b87f1b649c864
- SHA512: c54ad4f5292784e50b4830a8210b0d4d4ee08b803f4975c9859e637d483b3af38cb0436ac501dea0c73867b1a2c41b39ef2c27dc3fb20f3f27519b719ea743db
Malware Config
Signatures
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: msedge.exe
    Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: msedge.exe, identity_helper.exe
    PID 2176 msedge.exe (2 entries)
    PID 888 msedge.exe (2 entries)
    PID 2380 identity_helper.exe (2 entries)
    PID 2080 msedge.exe (4 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  Processes: msedge.exe
    PID 888 msedge.exe (6 entries)
- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes: msedge.exe
    PID 888 msedge.exe (25 entries)
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes: msedge.exe
    PID 888 msedge.exe (24 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: msedge.exe
  All 64 entries have the form "PID 888 (msedge.exe) wrote to memory of <target PID> (msedge.exe)"; the distinct source/target pairs are:
    PID 888 msedge.exe wrote to memory of PID 1328 msedge.exe (2 entries)
    PID 888 msedge.exe wrote to memory of PID 2956 msedge.exe
    PID 888 msedge.exe wrote to memory of PID 2176 msedge.exe (2 entries)
    PID 888 msedge.exe wrote to memory of PID 3540 msedge.exe
  The remaining 60 entries target PIDs 2956 and 3540.
Processes
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab59f46f8,0x7ffab59f4708,0x7ffab59f4718
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,13696307475861174522,10296584593078968815,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,13696307475861174522,10296584593078968815,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,13696307475861174522,10296584593078968815,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2596 /prefetch:8
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13696307475861174522,10296584593078968815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13696307475861174522,10296584593078968815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,13696307475861174522,10296584593078968815,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,13696307475861174522,10296584593078968815,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13696307475861174522,10296584593078968815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13696307475861174522,10296584593078968815,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13696307475861174522,10296584593078968815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13696307475861174522,10296584593078968815,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,13696307475861174522,10296584593078968815,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1320 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 47b2c6613360b818825d076d14c051f7
  SHA1: 7df7304568313a06540f490bf3305cb89bc03e5c
  SHA256: 47a22bea2e7d0154c59bf5d8790ec68274eb05e9fa6cf0eab0d648121f1a02ac
  SHA512: 08d2366fc1ce87dbe96b9bf997e4c59c9206fcfea47c1f17b01e79aeb0580f25cac5c7349bb453a50775b2743053446653f4129f835f81f4a8547ca392557aac
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: e0811105475d528ab174dfdb69f935f3
  SHA1: dd9689f0f70a07b4e6fb29607e42d2d5faf1f516
  SHA256: c91388c87878a9e2c530c6096dbdd993b0a26fefe8ad797e0133547225032d6c
  SHA512: 8374a721ea3ff3a1ea70d8a074e5c193dbba27ba7e301f19cea89d648b2378c376e48310c33fe81078cd40b1863daec935e8ac22e8e3878dc3a5bb529d028852
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: b467e65b3b0f381e805c5abeeb24bddb
  SHA1: c00be95dc2a64b0ddf0b46e7082676494580893f
  SHA256: e18d99d61d5316e515406dade1e13ec63ab5fcabf811925084c07633475ae2db
  SHA512: 5e107c17b4c898efc6cd9e4dfbfd2e38d337783730a9581880bdf774008db8c140cdbb0c1222d3c1b5e761d726af756eff4da82a619f222d880c43c634ba7de4
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: af7c41810a86997e9ccbf4cc661985fb
  SHA1: eccd8cde7056286b10549ac603cb2c8825a04d0b
  SHA256: a1a58c8a5e36939412404fe15da24fb5d9c416d5fb999f4ad7934006a876a0f1
  SHA512: c065ccf80ae364bc1385bb10fadb52f1eccab6859d1b96775fc9293f0ad0716e6301234d81982744c7f471f6d0cf0a7eb47c74817e6a5e402328481fad0817c1
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 1c2c0a50edf75cfc3733942880a02f5d
  SHA1: e35dabde1a348c55bc2d96937867fabadeb3ffa0
  SHA256: 6f94b940ed041b3a006b08f0c0346c58d2f963ec5fe6a6b894292ae3c0ef0446
  SHA512: 83f0a3443443ac9ec796e1067af4933bcb3e03231e896b880d854383eb0790950df0e77f1b8fb5b60f333a9e596bb77e1a2912f2567c3ec682396c2dfc83a53b
- \??\pipe\LOCAL\crashpad_888_RDOEPTFUPQDLSSXF (no size recorded; the digests below are those of zero-length input)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e