1c158db04b4efc7e8440d25c4a4e16658bc43a0f084c3c16d9fa80f5fb9cfc95

Analysis

max time kernel
145s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30-04-2024 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vitamin-c-pink-grapefruit.html
Size

24KB
MD5

e42eb4f2ffa46a31b84728fc4f59948a
SHA1

6d48c9691dec1790336e36eced5bb93789a8294b
SHA256

739c32b0da18bca3ce2b7b284fd19e99ec59e8252002c08ffd6ddf154354bace
SHA512

0f0ca67e1029d1425ea6499495d79a4627b4609fcf68d9fbc73bb418168dd690df7de351b633dae8d27d8a0b6feb30373260b03922e6dba271a85ce94ce051a3
SSDEEP

384:XXQd00gJp5EYKSc3H3jnnKSZ3W32gKSFxKSb9CbTKSHiYfKSO10DL2bdrp2CUind:XXTTPJrpNnzjcOXfAq57JMMCw

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
5096	msedge.exe
5096	msedge.exe
4684	msedge.exe
4684	msedge.exe
4624	identity_helper.exe
4624	identity_helper.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

4684 msedge.exe
4684 msedge.exe
4684 msedge.exe
4684 msedge.exe
4684 msedge.exe
4684 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4684 wrote to memory of 2460	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2460	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4876	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 5096	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 5096	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2944	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2944	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2944	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2944	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2944	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2944	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2944	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2944	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2944	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2944	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2944	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2944	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2944	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2944	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2944	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2944	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2944	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2944	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2944	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2944	4684	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\vitamin-c-pink-grapefruit.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff85f1746f8,0x7ff85f174708,0x7ff85f174718
2⤵
PID:2460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,8407471865624133941,11718240463986555259,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
2⤵
PID:4876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,8407471865624133941,11718240463986555259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,8407471865624133941,11718240463986555259,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
2⤵
PID:2944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,8407471865624133941,11718240463986555259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
2⤵
PID:3932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,8407471865624133941,11718240463986555259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
2⤵
PID:3812

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,8407471865624133941,11718240463986555259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4580 /prefetch:8
2⤵
PID:4924

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,8407471865624133941,11718240463986555259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4580 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,8407471865624133941,11718240463986555259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1
2⤵
PID:3136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,8407471865624133941,11718240463986555259,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
2⤵
PID:2540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,8407471865624133941,11718240463986555259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
2⤵
PID:4852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,8407471865624133941,11718240463986555259,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
2⤵
PID:4272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,8407471865624133941,11718240463986555259,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3124

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4788

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
2a70f1bd4da893a67660d6432970788d

SHA1
ddf4047e0d468f56ea0c0d8ff078a86a0bb62873

SHA256
c550af5ba51f68ac4d18747edc5dea1a655dd212d84bad1e6168ba7a97745561

SHA512
26b9a365e77df032fc5c461d85d1ba313eafead38827190608c6537ec12b2dfdbed4e1705bfd1e61899034791ad6fa88ea7490c3a48cdaec4d04cd0577b11343

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
fbe1ce4d182aaffb80de94263be1dd35

SHA1
bc6c9827aa35a136a7d79be9e606ff359e2ac3ea

SHA256
0021f72dbca789f179762b0e17c28fe0b93a12539b08294800e47469905aeb51

SHA512
3fb0a3b38e7d4a30f5560594b1d14e6e58419e274255fb68dfe0ca897aa181f9ce8cb2048403f851fd36a17b0e34d272d03927769d41a500b2fe64806354902f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
caa56cb957253c719560ef62b24da054

SHA1
885281bf281c7baaf0c7b62ad7e316199ae797d5

SHA256
038abdc9509ab40d7f133fa3b7ce77a7e0ddf1124e9ac5db078713d738c076b5

SHA512
2b4c1d24be879a1062c89dd44f5c7e2a07c16533f35a19c182ab94a86253876dae2d5100b2caf540a2dc304060a380de84a50ce21b74e1279c4de8bf1e3d2a65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
8dcb68f8fe0b06acce7e7e1bd1dd126b

SHA1
5f938c240316d3a9b9241455d4aaed18539eeb98

SHA256
f29b610da2b922b9ccbf55f823cd2625ac8ce5a177f34789d93a42912f74f266

SHA512
d305ae00f7798861f966492802c8a997c225416f19eba1663733912405e3466580b2061bcf3b8c0d278984bf789db94fb60d96f4da996a062534b112484fe570

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
2a44e60b846bbb8e298a211e5071e9c7

SHA1
31953b11f7a58fd9eccc2a85e4a7c056c1626235

SHA256
89d0a0b1eee391008c531411c01e558cad70ca1f22f375afafd434d6535532f6

SHA512
2c64c644c389a4a09c25e00d501a83fa6a91d24c878063c82a3500d09df5fcf1209a1a40b22a0b4cf94034131d5e1cbc76d026e96053187e1a7cc3d99fd333a1

Download Submit
\??\pipe\LOCAL\crashpad_4684_RASFZLSQIPBLMEXI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit