b59205eca264da474405651f122b791a389603aa8b0d06320357eca3c41173d2

Analysis

max time kernel
145s
max time network
127s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
18-04-2024 21:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

relationship.html
Size

279B
MD5

df97c4acf627baf6ca61d7974db45589
SHA1

e138c76e88132b8d0de98e6b227330038187be5f
SHA256

b59205eca264da474405651f122b791a389603aa8b0d06320357eca3c41173d2
SHA512

d3dae154b7b106a47593048b86dcf3a1ca373294298b000509eaaa812c022d4e0945c3f87e3e389c540569f3d9936bdf337aded8caed8ec27134003d992389ad

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2828	msedge.exe
2828	msedge.exe
416	msedge.exe
416	msedge.exe
2244	msedge.exe
2244	msedge.exe
3136	identity_helper.exe
3136	identity_helper.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 416 wrote to memory of 3588	416	msedge.exe	77
PID 416 wrote to memory of 3588	416	msedge.exe	77
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 1944	416	msedge.exe	78
PID 416 wrote to memory of 2828	416	msedge.exe	79
PID 416 wrote to memory of 2828	416	msedge.exe	79
PID 416 wrote to memory of 3700	416	msedge.exe	80
PID 416 wrote to memory of 3700	416	msedge.exe	80
PID 416 wrote to memory of 3700	416	msedge.exe	80
PID 416 wrote to memory of 3700	416	msedge.exe	80
PID 416 wrote to memory of 3700	416	msedge.exe	80
PID 416 wrote to memory of 3700	416	msedge.exe	80
PID 416 wrote to memory of 3700	416	msedge.exe	80
PID 416 wrote to memory of 3700	416	msedge.exe	80
PID 416 wrote to memory of 3700	416	msedge.exe	80
PID 416 wrote to memory of 3700	416	msedge.exe	80
PID 416 wrote to memory of 3700	416	msedge.exe	80
PID 416 wrote to memory of 3700	416	msedge.exe	80
PID 416 wrote to memory of 3700	416	msedge.exe	80
PID 416 wrote to memory of 3700	416	msedge.exe	80
PID 416 wrote to memory of 3700	416	msedge.exe	80
PID 416 wrote to memory of 3700	416	msedge.exe	80
PID 416 wrote to memory of 3700	416	msedge.exe	80
PID 416 wrote to memory of 3700	416	msedge.exe	80
PID 416 wrote to memory of 3700	416	msedge.exe	80
PID 416 wrote to memory of 3700	416	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\relationship.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe67213cb8,0x7ffe67213cc8,0x7ffe67213cd8
  2⤵
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,1583190923811325104,15124910295806628838,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:1944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,1583190923811325104,15124910295806628838,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,1583190923811325104,15124910295806628838,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2596 /prefetch:8
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,1583190923811325104,15124910295806628838,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,1583190923811325104,15124910295806628838,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1928,1583190923811325104,15124910295806628838,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4080 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,1583190923811325104,15124910295806628838,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,1583190923811325104,15124910295806628838,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,1583190923811325104,15124910295806628838,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,1583190923811325104,15124910295806628838,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,1583190923811325104,15124910295806628838,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,1583190923811325104,15124910295806628838,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5276 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\8a58c1ba-e844-4313-9bd9-1ccdb997cbb4.tmp

Filesize
11KB

MD5
e5d4dcc0cb0c567c4ee9bcec6f441bd2

SHA1
95553d1a7b83d636a467d8a40fd37c106450ba6c

SHA256
cce3614550ad4bb599a261c33ad68f5f8f721fd538c91ed1ab0eb2350d005c1c

SHA512
9692bdeac6636925a17e97a870d841d7c813a6b778b3cb4c4f79b0b2c3db3c5690565d27c9ead97f8aa3b661780f322dddacb714fa1492afa4407d5cf3c26e4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0fcda4fac8ec713700f95299a89bc126

SHA1
576a818957f882dc0b892a29da15c4bb71b93455

SHA256
f7a257742d3a6e6edd16ac8c4c4696d4bdf653041868329461444a0973e71430

SHA512
ab350ca508c412ff860f82d25ac7492afb3baf4a2827249ebc7ec9632ee444f8f0716389f0623afc0756f395cf00d7a90a0f89b360acdf72b1befe34eecb5986

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
21986fa2280bae3957498a58adf62fc2

SHA1
d01ad69975b7dc46eba6806783450f987fa2b48d

SHA256
c91d76b0f27ccea28c4f5f872dee6a98f2d37424ef0b5f188af8c6757090cbb5

SHA512
ae9ba1abe7def7f6924d486a58427f04a02af7dd82aa3a36c1ed527a23ec7897f00b0e30f22529e9599ae2db88e8abc7ba8013b426885aa3c961ee74678455f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5733692e78b8e188c4d9ad18053459ac

SHA1
9abab6d1fbf109f75892ee9367905b0cd4490f39

SHA256
72744faa9f6a7485286638da9151d9b15080116e368ea5254546016d7be76863

SHA512
9e8a30bf3109eaf827fd89fd49f4c93d992d9fa1a02e34c3ae618f9ceea97be6ee833dceaf584157e5fd1a5da88bb995fa6019baeb9f6546b97eed6214750a64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1600a19f1a0ee3e2fcfd34cb67718e85

SHA1
157328ce286f704a136e1bde9752773df40a346b

SHA256
7e6258a26b1c64a970a5a1f64ee7c8e6805319cb1d8b445db763f16d7ef200e3

SHA512
92cf047dfbd2a0251fe94fa77dbfabe4fe874f3a19f93e905867be3ee3293e789cd13cbbf2e7f311ade315af1b7e845af4ceba3bbd19c86986b592a1c60b00d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit