6e72fc6e2c7629f2e9f3e7510eaf5258790bddfae42f4714a2d569b01e1e21df

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

28KB
MD5

b449d34c7068920c0f70e625cb2f57ce
SHA1

f759ccbb31b6c6abcc7dcc52f8ff069d4cf1e8d3
SHA256

ac39442a335f4c9e24d8de651dceceed1c5f321cc90dc2348e217424cba498a5
SHA512

69fd8f3a7615c8e2d81da75f4d04b3369b863d409d46eacd3229945fc2ca8168bfe95ec93ca86f6324cab605c4de1f69b52a3330ff2e581038990e8de770ef62
SSDEEP

384:SInFpv1RldqkFqP+6PhAu0rsf4sW0ZMy+fxWK9/1RFxvMotdvu3hl:SM9/XPg+6fw8My+fhM+dvahl

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3064	msedge.exe
3064	msedge.exe
3504	msedge.exe
3504	msedge.exe
1348	identity_helper.exe
1348	identity_helper.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3504 wrote to memory of 2380	3504	msedge.exe	82
PID 3504 wrote to memory of 2380	3504	msedge.exe	82
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 1720	3504	msedge.exe	83
PID 3504 wrote to memory of 3064	3504	msedge.exe	84
PID 3504 wrote to memory of 3064	3504	msedge.exe	84
PID 3504 wrote to memory of 1172	3504	msedge.exe	85
PID 3504 wrote to memory of 1172	3504	msedge.exe	85
PID 3504 wrote to memory of 1172	3504	msedge.exe	85
PID 3504 wrote to memory of 1172	3504	msedge.exe	85
PID 3504 wrote to memory of 1172	3504	msedge.exe	85
PID 3504 wrote to memory of 1172	3504	msedge.exe	85
PID 3504 wrote to memory of 1172	3504	msedge.exe	85
PID 3504 wrote to memory of 1172	3504	msedge.exe	85
PID 3504 wrote to memory of 1172	3504	msedge.exe	85
PID 3504 wrote to memory of 1172	3504	msedge.exe	85
PID 3504 wrote to memory of 1172	3504	msedge.exe	85
PID 3504 wrote to memory of 1172	3504	msedge.exe	85
PID 3504 wrote to memory of 1172	3504	msedge.exe	85
PID 3504 wrote to memory of 1172	3504	msedge.exe	85
PID 3504 wrote to memory of 1172	3504	msedge.exe	85
PID 3504 wrote to memory of 1172	3504	msedge.exe	85
PID 3504 wrote to memory of 1172	3504	msedge.exe	85
PID 3504 wrote to memory of 1172	3504	msedge.exe	85
PID 3504 wrote to memory of 1172	3504	msedge.exe	85
PID 3504 wrote to memory of 1172	3504	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9e6a746f8,0x7ff9e6a74708,0x7ff9e6a74718
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,3269431374831580478,12863779606437310091,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:1720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,3269431374831580478,12863779606437310091,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,3269431374831580478,12863779606437310091,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  2⤵
  PID:1172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3269431374831580478,12863779606437310091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3269431374831580478,12863779606437310091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3269431374831580478,12863779606437310091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3269431374831580478,12863779606437310091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3269431374831580478,12863779606437310091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,3269431374831580478,12863779606437310091,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5996 /prefetch:8
  2⤵
  PID:1416
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,3269431374831580478,12863779606437310091,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5996 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3269431374831580478,12863779606437310091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3269431374831580478,12863779606437310091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,3269431374831580478,12863779606437310091,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2360

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8c91c8582b0c918416d14bd7eedd686e

SHA1
b2ff8149bc21144fdcec64111afda492965c6621

SHA256
1e839706b748c04adf8efa2790564ca1efd707fdf6451e71af6862e07123717e

SHA512
a93be868d9f08097bff39069378a0bfa0f5c78e74e9e8df820be9b0426cbfe84e03e9638b329b6142279ed140a120c4c4c21857f410fc4789a370445c3919dcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2579d07b98bbefadc929d80fb3dbd32a

SHA1
1ceb57c4b81f0f23500e118a4b9a225116a467de

SHA256
b8443c289ad36568a2bf794ac9ec1f259a9dd930c36680dafc8d0cb4de81feb6

SHA512
53522ad5e8e2a272d5b1bff9b9226b7d976d47413891c60d7efebd4365baff12b6891e3f79b20e14892ec7c654ad2d437941014290c428c6b1bd78a7b3e557de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
887B

MD5
0759243896f33b2730d8d072c96acaef

SHA1
807edaad57959e0a6d01a0c73e1b818fdb657a76

SHA256
3441e43add5b61fae06ebcd857850ce6087b18c607affa4a5503abca6a99ed34

SHA512
2fe54cc9303dea38bf752b131579b50f851d37eaad79cf7089532eaf1e51f2f7cafcb2065306a57d4b32068c5f8cdf3446dc54b4208127f96f5266058410adec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f6cd2df4e470551d711d3bfd7a303c2b

SHA1
670cd1224493c051a88e56bc3fdeaedaaaff5a5c

SHA256
47bbfee7374bd5f144fe244485fba9aa5e84a5f793155f14c06f5d3f3aa1ecfa

SHA512
bc2fe38be5b46f404de339dee099b295ae2dd07bea37aa3f77b5428aade66a4a47cbf704571d967abcee318d95e447df249767d627e4ab98e6988137e6b23a9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b48a30fe-993d-4839-ac5e-aec6e1f8d108.tmp

Filesize
6KB

MD5
2abf9de7c11d68e41b5f66490d836ed3

SHA1
13e70b736d49f0a1fac53c16bd2433db930f1787

SHA256
6fe224f627036b72d9964c02383b73d871c0192288f952611fa83797fde9a2ad

SHA512
0ff259f011b42c7740f35e7882c68f2fe49e072d7a1dfb40bcda586e4fcb3091b68c102c86d48a43cfe8fcb6138aa903fbe9b76d9bd343e9f1c987f63711fd06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
29c5a95817e52b97d2f9deb268368cba

SHA1
050986536b03ccdd80f0585069148ef8d1bef402

SHA256
86925224a90a7b330a909f4ebae71bcb7507744ac000ff937e3cc7bf2acc6c72

SHA512
59681eeec453f4fc67bad3ff601794d76ec4ae53c405c069ae13059891cd3c4c47fe9f29533820e76c5321bb3788d192a56f2b5784411e52da88eba1116abe43

Download Submit