266c766d3d9968f640d195cae5c3db396d998b488af4d388167c9edf9ca452fc

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04-05-2024 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

220KB
MD5

4990174599c354cdc62ac570cd25086b
SHA1

3fb87c388a063c28ece7ad2024c470779bba7cd0
SHA256

dee381c640cd7b780983c4fbd08708f18a40c4fafc359c7dcc8409632edf4480
SHA512

e3ab78e89d2ec0cf4382dd7c8e502a6bd3245860268e813135b9569a4bbcd2e57670fe8ccabf37a3a7c558f3727166a2ec01e29e729800147e67963785ae6161
SSDEEP

3072:Smut7rlbSbDEa7dXyfkMY+BES09JXAnyrZalI+YQ:SmK2sa7IsMYod+X3oI+YQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1904	msedge.exe
1904	msedge.exe
4224	msedge.exe
4224	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4224	msedge.exe
4224	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 3532	4224	msedge.exe	83
PID 4224 wrote to memory of 3532	4224	msedge.exe	83
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1040	4224	msedge.exe	84
PID 4224 wrote to memory of 1904	4224	msedge.exe	85
PID 4224 wrote to memory of 1904	4224	msedge.exe	85
PID 4224 wrote to memory of 2816	4224	msedge.exe	86
PID 4224 wrote to memory of 2816	4224	msedge.exe	86
PID 4224 wrote to memory of 2816	4224	msedge.exe	86
PID 4224 wrote to memory of 2816	4224	msedge.exe	86
PID 4224 wrote to memory of 2816	4224	msedge.exe	86
PID 4224 wrote to memory of 2816	4224	msedge.exe	86
PID 4224 wrote to memory of 2816	4224	msedge.exe	86
PID 4224 wrote to memory of 2816	4224	msedge.exe	86
PID 4224 wrote to memory of 2816	4224	msedge.exe	86
PID 4224 wrote to memory of 2816	4224	msedge.exe	86
PID 4224 wrote to memory of 2816	4224	msedge.exe	86
PID 4224 wrote to memory of 2816	4224	msedge.exe	86
PID 4224 wrote to memory of 2816	4224	msedge.exe	86
PID 4224 wrote to memory of 2816	4224	msedge.exe	86
PID 4224 wrote to memory of 2816	4224	msedge.exe	86
PID 4224 wrote to memory of 2816	4224	msedge.exe	86
PID 4224 wrote to memory of 2816	4224	msedge.exe	86
PID 4224 wrote to memory of 2816	4224	msedge.exe	86
PID 4224 wrote to memory of 2816	4224	msedge.exe	86
PID 4224 wrote to memory of 2816	4224	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff88c4c46f8,0x7ff88c4c4708,0x7ff88c4c4718
  2⤵
  PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,12474729721627796161,5681934134259303351,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:1040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,12474729721627796161,5681934134259303351,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,12474729721627796161,5681934134259303351,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
  2⤵
  PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12474729721627796161,5681934134259303351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12474729721627796161,5681934134259303351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,12474729721627796161,5681934134259303351,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2140

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4e96ed67859d0bafd47d805a71041f49

SHA1
7806c54ae29a6c8d01dcbc78e5525ddde321b16b

SHA256
bd13ddab4dc4bbf01ed50341953c9638f6d71faf92bc79fbfe93687432c2292d

SHA512
432201c3119779d91d13da55a26d4ff4ce4a9529e00b44ec1738029f92610d4e6e25c05694adf949c3e9c70fbbbbea723f63c29287906729f5e88a046a2edcb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1cbd0e9a14155b7f5d4f542d09a83153

SHA1
27a442a921921d69743a8e4b76ff0b66016c4b76

SHA256
243d05d6af19bfe3e06b1f7507342ead88f9d87b84e239ad1d144e9e454b548c

SHA512
17e5217d5bf67571afb0e7ef30ac21c11ea6553f89457548d96ee4461011f641a7872a37257239fa5f25702f027afb85d5bd9faf2f2f183992b8879407e56a0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
156649ccffff609e4150d145935b8191

SHA1
fb3cfd7ea3c8b89e2f4c75be87c76180786672ff

SHA256
b33f0f9ab67042617b730c4f30707a5342a564fb0b59bab9acc6bbe2f007cdfb

SHA512
8d90dabddb0326c77ea8c30cd0fcf1d8e695216ca23b499fc8e364a607dc15e174d9b726327020c491b5b40774e279abbbc2e2fc88a846d60193ccd5db8e2ac9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
94b8984a1bbd2c34906dd6d2ef566015

SHA1
959c2f589e1df982b6256206153944b6ab154fe5

SHA256
6ad6fdb9ceb01373dd0f0ad838d2b1f44e2edd216c692bc4d5b0eef420fae624

SHA512
f88c193e00fcb732c1685ed63a072cf925d4ed2afe34410abf05872e9367f127c91d0fa05e385d84c73d23a4159213725b740e1e12a3289c6315fce1875de850

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0fa75595bb7ad4610f797510c8f4efed

SHA1
d8e6d1cc0cda62d6668eab1d6ae13892dbde1832

SHA256
ebfb384e2b6a73227821c1c55b93e1752e306e3addbc1e73e987f195fb1d036d

SHA512
2e04d5d7893a948529616574685d7ad3923256b0c0d9dd459b496339322fc09f5793ad1dccefe78e5754d797089c01e2d74d57c95debbc831b48a3e14a9e9cb8

Download Submit