9ae83803efc85ff1842cf4102598b944c4ff88e9ed54716d5ec9b311b7c75abd

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

221KB
MD5

f792a3951ab644caf6066ce1c219f3b3
SHA1

b2b8d8cbd4c7e268188912a7b74ecff0984da192
SHA256

8af473f1037e0c0f626959181076ac7619d8a0ea504642889d2118cfd1488be4
SHA512

47f684a2c9e1c36ff0d15666c030b44aab34c70c497cf8092e12fe6608db6951734302c333b1ba5af36323469b027ed917cb4005934f0e79b1e6123e1d26d074
SSDEEP

3072:SMDiI8RqkREI7yfkMY+BES09JXAnyrZalI+YQ:SM+HMZsMYod+X3oI+YQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3620	msedge.exe
3620	msedge.exe
5072	msedge.exe
5072	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
5072	msedge.exe
5072	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 1736	5072	msedge.exe	81
PID 5072 wrote to memory of 1736	5072	msedge.exe	81
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3852	5072	msedge.exe	83
PID 5072 wrote to memory of 3620	5072	msedge.exe	84
PID 5072 wrote to memory of 3620	5072	msedge.exe	84
PID 5072 wrote to memory of 1872	5072	msedge.exe	85
PID 5072 wrote to memory of 1872	5072	msedge.exe	85
PID 5072 wrote to memory of 1872	5072	msedge.exe	85
PID 5072 wrote to memory of 1872	5072	msedge.exe	85
PID 5072 wrote to memory of 1872	5072	msedge.exe	85
PID 5072 wrote to memory of 1872	5072	msedge.exe	85
PID 5072 wrote to memory of 1872	5072	msedge.exe	85
PID 5072 wrote to memory of 1872	5072	msedge.exe	85
PID 5072 wrote to memory of 1872	5072	msedge.exe	85
PID 5072 wrote to memory of 1872	5072	msedge.exe	85
PID 5072 wrote to memory of 1872	5072	msedge.exe	85
PID 5072 wrote to memory of 1872	5072	msedge.exe	85
PID 5072 wrote to memory of 1872	5072	msedge.exe	85
PID 5072 wrote to memory of 1872	5072	msedge.exe	85
PID 5072 wrote to memory of 1872	5072	msedge.exe	85
PID 5072 wrote to memory of 1872	5072	msedge.exe	85
PID 5072 wrote to memory of 1872	5072	msedge.exe	85
PID 5072 wrote to memory of 1872	5072	msedge.exe	85
PID 5072 wrote to memory of 1872	5072	msedge.exe	85
PID 5072 wrote to memory of 1872	5072	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa463d46f8,0x7ffa463d4708,0x7ffa463d4718
  2⤵
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,13365911810238356713,9048278796590444570,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
  2⤵
  PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,13365911810238356713,9048278796590444570,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,13365911810238356713,9048278796590444570,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13365911810238356713,9048278796590444570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:2888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13365911810238356713,9048278796590444570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,13365911810238356713,9048278796590444570,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4824 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\75c8481b-0015-4659-8978-e4e9abba97bd.tmp

Filesize
11KB

MD5
d7566badabf3d6b5bca5475da28c95c9

SHA1
6f92ff0ac5ffa003150c675b338ed5784c2634aa

SHA256
40abee63156716400f3c79d30e5a848b6a87ad85258f6da820e9bb285bcfbd90

SHA512
c153f458e67db2e6b28228468b9c4627c60cdd67842a623e2b6ced49040f69978192e2ab97318e04872f707c279f05fcce8a1d315df03f8080283bdca68ea836

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\38a08d3e-3450-49d0-a093-8e3fad609059.tmp

Filesize
6KB

MD5
930eb65e6b7632b884a3cf6aec915ede

SHA1
7b31a7cea0991a15127f4efbec55d62f35410291

SHA256
a71cbeff380ebc868fdf1ba761c06524352abe4347eba78e459a65cd5a094bd0

SHA512
a000ad4de708af145d6bea70cb429f6bf977f5391e013531b05c0e4016ea658cc32aa75ab8dc34f10959084010c85dedb388d2b7dc07b48e4a67e68dff06eeb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\51290c63-1b0b-4407-9f60-b98df512f96a.tmp

Filesize
6KB

MD5
4db0d86b8c3b54623fb01f94f0171442

SHA1
a4288ac1348ce6443ed95c12f199332df17db3c8

SHA256
4b5db3e58d903dd5f8faea9fe8039d6ab5335a8b63937dee8d4b3053ab96007d

SHA512
4376f64b90c4f8b746ca88939a78ec0e9c45c7fe8ac917420b618f2ff48746c9430983ad0ccae9678446be5d9501ca819530c99b1c339acd7287d4894395e884

Download Submit