1bbb308c8ce91946108fca53ddd2fa9daa664687bfb9e05a8d8d5631063b2cbb

Analysis

max time kernel
1681s
max time network
1693s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
18/04/2024, 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

download.html
Size

16KB
MD5

5e176e60f62fa8c5e591e77710799ca9
SHA1

e6e1e69cf9cddf360c5770702340a1ea5a5f0d62
SHA256

1bbb308c8ce91946108fca53ddd2fa9daa664687bfb9e05a8d8d5631063b2cbb
SHA512

0430989303d4ffb7408a6897df0ed1cef23e8c9fc2754c4684030f60c04cb2bcf81f75955a0cef959474f5c2c4e3eb4d255c69e0fff18f6ac031282c8f1f1335
SSDEEP

384:ih4AvZ3zuRReuaAjtJwVHFE/qNtNeaTQ595BY:ih/B3WJjtJwVHqi7EaTWW

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3152	msedge.exe
3152	msedge.exe
452	msedge.exe
452	msedge.exe
3332	identity_helper.exe
3332	identity_helper.exe
2068	msedge.exe
2068	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3152 wrote to memory of 4164	3152	msedge.exe	80
PID 3152 wrote to memory of 4164	3152	msedge.exe	80
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 3856	3152	msedge.exe	81
PID 3152 wrote to memory of 452	3152	msedge.exe	82
PID 3152 wrote to memory of 452	3152	msedge.exe	82
PID 3152 wrote to memory of 1568	3152	msedge.exe	83
PID 3152 wrote to memory of 1568	3152	msedge.exe	83
PID 3152 wrote to memory of 1568	3152	msedge.exe	83
PID 3152 wrote to memory of 1568	3152	msedge.exe	83
PID 3152 wrote to memory of 1568	3152	msedge.exe	83
PID 3152 wrote to memory of 1568	3152	msedge.exe	83
PID 3152 wrote to memory of 1568	3152	msedge.exe	83
PID 3152 wrote to memory of 1568	3152	msedge.exe	83
PID 3152 wrote to memory of 1568	3152	msedge.exe	83
PID 3152 wrote to memory of 1568	3152	msedge.exe	83
PID 3152 wrote to memory of 1568	3152	msedge.exe	83
PID 3152 wrote to memory of 1568	3152	msedge.exe	83
PID 3152 wrote to memory of 1568	3152	msedge.exe	83
PID 3152 wrote to memory of 1568	3152	msedge.exe	83
PID 3152 wrote to memory of 1568	3152	msedge.exe	83
PID 3152 wrote to memory of 1568	3152	msedge.exe	83
PID 3152 wrote to memory of 1568	3152	msedge.exe	83
PID 3152 wrote to memory of 1568	3152	msedge.exe	83
PID 3152 wrote to memory of 1568	3152	msedge.exe	83
PID 3152 wrote to memory of 1568	3152	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\download.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe08653cb8,0x7ffe08653cc8,0x7ffe08653cd8
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,9487959340602964299,3183491913642165612,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,9487959340602964299,3183491913642165612,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,9487959340602964299,3183491913642165612,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
  2⤵
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9487959340602964299,3183491913642165612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9487959340602964299,3183491913642165612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9487959340602964299,3183491913642165612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
  2⤵
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9487959340602964299,3183491913642165612,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9487959340602964299,3183491913642165612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9487959340602964299,3183491913642165612,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
  2⤵
  PID:780
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,9487959340602964299,3183491913642165612,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,9487959340602964299,3183491913642165612,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,9487959340602964299,3183491913642165612,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1644 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7554e30cbebbfe1aba35488a485a9166

SHA1
1312cb8e5027ef37ca2e3e9a8689e3bc23f44f80

SHA256
0180b897f28fb36a3f005962f6e83fc855fe91a65dfd291124d4d8f8badd1d6f

SHA512
350bde3084974b5b17c7b5b05dd1365687cec55ef21e73f1c12754a93a6a4addaee4dd93ab849a2374325c1a60c73eac9ab5adb90d72c03195f5946a03a47540

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b7fc16380cbf29a5dec23030995e553e

SHA1
62e7fe0fcf81ab250469ee6c5a89393856dcc3c1

SHA256
6f7e137ea862e054ace2561adfc7c65312b0fbe5b13f51dcec8a303049403b9a

SHA512
f18c70f701d070846bf1e7ad995fb5a959144122ce1fa9f1719952309c6195f39b3c699cf9d59e3c26f7b41a3b697f275bb89c03ac325beacc5fce60a4b45ac4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d3e534fb7a9795a6581e84beffe18c60

SHA1
16cb8623af0332205d647d0d61ca6bc70c642c64

SHA256
c31ab9d643508537ee1d58425a34ee6b8c17149e46788f942e183764311f43ab

SHA512
970de5ebdb673763223d0943ef32486367367ea2216fc7080d2211b45ac277e43cf385bfe62b178f8e38670102245496c779d5cb898c11ec6e812ab30f02d8fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c8e7d2100d68a01a5c2eceee47d9b554

SHA1
6c0a8d9085f93a87367b822dda1f3efca9497c43

SHA256
be16c5dd4fc45a40a665888bcb4e8724b55767f3edf45f6d920d1a7fe79a0705

SHA512
467027a0b8666d0a87a58d7e61ca78f567d2e22269c1ce6dc9fb9080b561c46ee04f1be2db0c81bcc64701e5f29451e9a05ca235d3571f7c8bc45888048ed8ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9076452989be02fa8fe2dcb17661ba91

SHA1
7b869af86ae406bccce18080619afdf786d79587

SHA256
05cdedf50439180ab45391438080b9b09c894ad6ae65b7708b9ba0eb70801b1c

SHA512
770e5d53f45f955171f42d485aca1fe47b89fd75d86ca2b7cc8b0f25926b582396c277c67d173952b37871e7f25d5966f561d968dd4f5c47a5271b8a6df6e021

Download Submit