6165da8efea2af3d7c90dbfea76575ff2bd210420bc241b50eb2e1925475e026

Analysis

max time kernel
147s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
24/04/2024, 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IqOh.html
Size

20KB
MD5

64bfa5706fa58561ab54d28dd47923b8
SHA1

3ebe174bf83dc52b22251b378fde29ebc46d88ea
SHA256

6165da8efea2af3d7c90dbfea76575ff2bd210420bc241b50eb2e1925475e026
SHA512

a40e6cd2c9ece1d030edb2fa4fcb827403add976864c4ed87dcab9b871acbf5553b1794a64fb6ba475c180703e611b99a3b8595fd95bd1c6679a2b36ef9a8c3b
SSDEEP

192:jQ7hEoDgEUpeWw9y89uQABYwfp68WfZXIQhVaEa2i8ca1Wb/:jQetyAZBoBdaEaU1Wr

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1344	msedge.exe
1344	msedge.exe
1728	msedge.exe
1728	msedge.exe
492	identity_helper.exe
492	identity_helper.exe
1932	msedge.exe
1932	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 32	1728	msedge.exe	79
PID 1728 wrote to memory of 32	1728	msedge.exe	79
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 4400	1728	msedge.exe	80
PID 1728 wrote to memory of 1344	1728	msedge.exe	81
PID 1728 wrote to memory of 1344	1728	msedge.exe	81
PID 1728 wrote to memory of 3912	1728	msedge.exe	82
PID 1728 wrote to memory of 3912	1728	msedge.exe	82
PID 1728 wrote to memory of 3912	1728	msedge.exe	82
PID 1728 wrote to memory of 3912	1728	msedge.exe	82
PID 1728 wrote to memory of 3912	1728	msedge.exe	82
PID 1728 wrote to memory of 3912	1728	msedge.exe	82
PID 1728 wrote to memory of 3912	1728	msedge.exe	82
PID 1728 wrote to memory of 3912	1728	msedge.exe	82
PID 1728 wrote to memory of 3912	1728	msedge.exe	82
PID 1728 wrote to memory of 3912	1728	msedge.exe	82
PID 1728 wrote to memory of 3912	1728	msedge.exe	82
PID 1728 wrote to memory of 3912	1728	msedge.exe	82
PID 1728 wrote to memory of 3912	1728	msedge.exe	82
PID 1728 wrote to memory of 3912	1728	msedge.exe	82
PID 1728 wrote to memory of 3912	1728	msedge.exe	82
PID 1728 wrote to memory of 3912	1728	msedge.exe	82
PID 1728 wrote to memory of 3912	1728	msedge.exe	82
PID 1728 wrote to memory of 3912	1728	msedge.exe	82
PID 1728 wrote to memory of 3912	1728	msedge.exe	82
PID 1728 wrote to memory of 3912	1728	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\IqOh.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffba003cb8,0x7fffba003cc8,0x7fffba003cd8
  2⤵
  PID:32
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,529663653522850318,3386729906042487895,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,529663653522850318,3386729906042487895,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,529663653522850318,3386729906042487895,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2596 /prefetch:8
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,529663653522850318,3386729906042487895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:2720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,529663653522850318,3386729906042487895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,529663653522850318,3386729906042487895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,529663653522850318,3386729906042487895,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,529663653522850318,3386729906042487895,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5964 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,529663653522850318,3386729906042487895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,529663653522850318,3386729906042487895,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,529663653522850318,3386729906042487895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,529663653522850318,3386729906042487895,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,529663653522850318,3386729906042487895,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4704 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2560

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6e15af8f29dec1e606c7774ef749eaf2

SHA1
15fbec608e4aa6ddd0e7fd8ea64c2e8197345e97

SHA256
de9124e3fddde204df6a6df22b8b87a51823ba227d3e304a6a6aced9da00c74c

SHA512
1c9c9acd158273749e666271a5cdb2a6aebf6e2b43b835ebcc49d5b48490cbbf4deddef08c232417cee33d4809dec9ddac2478765c1f3d7ed8ea7441f5fd1d15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e5a2dac1f49835cf442fde4b7f74b88

SHA1
7b2cf4e2820f304adf533d43e6d75b3008941f72

SHA256
30bd1e1bafb4502c91c1fb568372c0fb046d32a4b732e6b88ce59ea23663e4ce

SHA512
933ac835894ce6cb8aac0261153823c96b6abec955173653dd56e534d644efd03aec71acb4f8cb0b9af871962296ec06cd03e570a0ac53098b8cd55657543786

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
958B

MD5
cea28e2aa65323140a4ce75285456d12

SHA1
7640c67798b7b94ce48091e011d1e63d553d7f85

SHA256
c0695c5c507a4df7b41e0d1b039bb1e0f05a3add11ef1fb87ceb1706ec242a54

SHA512
14c51439de794541a449439d02f27ef844cff8f9c946185e41773f04114a7889571da2e1550b939dac7ca3d4f7dac8e899806d0134171f29e43cbd8345e9670b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e9fe7eeacee0d3dc16fb843fb18e4e19

SHA1
38d1e456173647320ac83e60ce374f4fb39aa194

SHA256
973e1c1fa68eb09ec1e316b73a5a95d3dd1a4d4490eab8e3ac86bb71f45969d1

SHA512
dc0a6b8a6a22feddad4eb02d95805e71a3e281f4e1b2bb5ce60d68a8718c286caecb2267c9c84cf4206a049b627bc054cfa19bb5e4625a584fd40b74a66ce72f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
26d4c798871d4a285fe283c5d2f54352

SHA1
85b65d786eb2b1c45794cdec79aa311b03e6bb87

SHA256
64fd4ddd36fd898cfb98747d3ab0947b03e23851c357d56c07742308efe80487

SHA512
0494bf70367012ffcd469c4040dc7cf1f118b585bdcc1c4e8033c668dd97a03593e922f7a8ef5749e71507f699ca02fdace83433bc66382ca51c9d08170e96ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
ae3f23e089453a6e3385f5795dc6c23c

SHA1
75eb8b04bf2beaa0bfe5d048f9f65ebbd18a5f11

SHA256
c79bd310c7e9c9900ac3b93a71967da8cec6835cd92e56ee3bdb28e869945617

SHA512
c194f6cf5d15db299ecbf01ad2ab887504ef96b993a2537264a463f833843646930a46a154603f4518d2ff86edbd5d1b1133aad2fca25be62d1abf37fb1f535c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
875dc2a87e1c76cc2d050f246749bf2a

SHA1
8560fe7a47459ec4c07d16bb342f33f76b9773bf

SHA256
a467aa2418747ef8c133b8744fc0635d819e03693c202f8b05abdcceddacd755

SHA512
2d670d07e1f03bc1b8364447b64c8148c379315a2e944373413b831981bf01cdec349169d298b16339b7963ad25bdeb8b73d365575e1881929de40ee850306a2

Download Submit