d3675e66296d6e539c1b7d8949a3fe7c29f9886d6a9888ce042c4e28844a18b4

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

213KB
MD5

727c8452591130a862e0c249693da588
SHA1

e7bca7d9437395d46fbd2cebafe9bd025d4abac8
SHA256

456f864ed6e4c94bba853e6a644d2fc3cb1ac234bb072981c55748d4ff7906cc
SHA512

f6e11c3c59cc8d4323b6a9cdc263a02222dd9d4f25cb700f91f506684abd587b34256e2c3192f5140db16a404828ee6c4eedb07010de178e03afc5322e586488
SSDEEP

3072:SYySZ5tyFHryfkMY+BES09JXAnyrZalI+YQ:SYxeOsMYod+X3oI+YQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4872	msedge.exe
4872	msedge.exe
4824	msedge.exe
4824	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4824	msedge.exe
4824	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 1864	4824	msedge.exe	83
PID 4824 wrote to memory of 1864	4824	msedge.exe	83
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 2848	4824	msedge.exe	84
PID 4824 wrote to memory of 4872	4824	msedge.exe	85
PID 4824 wrote to memory of 4872	4824	msedge.exe	85
PID 4824 wrote to memory of 1560	4824	msedge.exe	86
PID 4824 wrote to memory of 1560	4824	msedge.exe	86
PID 4824 wrote to memory of 1560	4824	msedge.exe	86
PID 4824 wrote to memory of 1560	4824	msedge.exe	86
PID 4824 wrote to memory of 1560	4824	msedge.exe	86
PID 4824 wrote to memory of 1560	4824	msedge.exe	86
PID 4824 wrote to memory of 1560	4824	msedge.exe	86
PID 4824 wrote to memory of 1560	4824	msedge.exe	86
PID 4824 wrote to memory of 1560	4824	msedge.exe	86
PID 4824 wrote to memory of 1560	4824	msedge.exe	86
PID 4824 wrote to memory of 1560	4824	msedge.exe	86
PID 4824 wrote to memory of 1560	4824	msedge.exe	86
PID 4824 wrote to memory of 1560	4824	msedge.exe	86
PID 4824 wrote to memory of 1560	4824	msedge.exe	86
PID 4824 wrote to memory of 1560	4824	msedge.exe	86
PID 4824 wrote to memory of 1560	4824	msedge.exe	86
PID 4824 wrote to memory of 1560	4824	msedge.exe	86
PID 4824 wrote to memory of 1560	4824	msedge.exe	86
PID 4824 wrote to memory of 1560	4824	msedge.exe	86
PID 4824 wrote to memory of 1560	4824	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec2bb46f8,0x7ffec2bb4708,0x7ffec2bb4718
  2⤵
  PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,1074481755026503640,16462824501537723298,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,1074481755026503640,16462824501537723298,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,1074481755026503640,16462824501537723298,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1074481755026503640,16462824501537723298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1074481755026503640,16462824501537723298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,1074481755026503640,16462824501537723298,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5028 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4792

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
46635e41a45922b451d6b6f527c5bc9f

SHA1
fefb37dda187a78ed155fcf94dcfd053ea5c852e

SHA256
11b3fde86a06831b00b6f985c3afa04823c28e556f946c97c041fe23f1ec2d7d

SHA512
a170dab7db7c95433fc47cae15a2d06c3fdf750062fa4dcd6376752b1ccf5169e5ecec0c1176154e453069a3abe37ec4a5cb3db7bab7eb511e9d9307ec82d6ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
288dc6530df4ad45d0b34fdd021d38aa

SHA1
475f0af687963c2982b39eec558d7472b16f5b23

SHA256
7fc04375f4e61d6bcb06d2957d72064ebc44b55f19f2bfef8bf2f60969d4620f

SHA512
8fb3cf1e7467ca2bacdaa2c82278383c391db906cc1df3e5c22383ee4286f924a450af6a4b5b405a8ed2074ab535b630c826dc0a6188be1be5c71a164c7831fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4870581f949fc26985e1e8497a200c1e

SHA1
961301a194c91d71ec857b1e267d776f21dfc085

SHA256
1a34d4e61bc364a4dd65fb9e8ded324db0af1b33799b6a7f42b02de5dc1cf9a3

SHA512
bc5957233ca41c00be97ca56f924bd45dc66e44dff8062e83b2cbd53bc6ad11c471fb3a12566d2dae426ff36b491e89b725873000f95c8d24e3ae5d06ecf9cd3

Download Submit