0b7708b66efb722b90b9a1578b217dd395a8f9685f9acff5ce0c7431fc5a4e1f

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 11:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

213KB
MD5

502f9f82e3d2247a167b079c5c4606c4
SHA1

c88d1c70dd5ce2aa092c35f782860f6d604f106b
SHA256

42b5f5fd5dade4afae866091638ef046359ad5c608c858a4b996b8e1ff47f144
SHA512

7352b35bd8721382aba705eefff6e049462a1e5a8231ef5bf21c2c7ba7aafacea616d68fdfe940ebd22bd403714c46d221a74b81d54ef6c3a2238c733b8fa3db
SSDEEP

3072:STLmVOdaAGryfkMY+BES09JXAnyrZalI+YQ:STJ2OsMYod+X3oI+YQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1184	msedge.exe
1184	msedge.exe
4120	msedge.exe
4120	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4120	msedge.exe
4120	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4120 wrote to memory of 4692	4120	msedge.exe	81
PID 4120 wrote to memory of 4692	4120	msedge.exe	81
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 2208	4120	msedge.exe	82
PID 4120 wrote to memory of 1184	4120	msedge.exe	83
PID 4120 wrote to memory of 1184	4120	msedge.exe	83
PID 4120 wrote to memory of 4872	4120	msedge.exe	84
PID 4120 wrote to memory of 4872	4120	msedge.exe	84
PID 4120 wrote to memory of 4872	4120	msedge.exe	84
PID 4120 wrote to memory of 4872	4120	msedge.exe	84
PID 4120 wrote to memory of 4872	4120	msedge.exe	84
PID 4120 wrote to memory of 4872	4120	msedge.exe	84
PID 4120 wrote to memory of 4872	4120	msedge.exe	84
PID 4120 wrote to memory of 4872	4120	msedge.exe	84
PID 4120 wrote to memory of 4872	4120	msedge.exe	84
PID 4120 wrote to memory of 4872	4120	msedge.exe	84
PID 4120 wrote to memory of 4872	4120	msedge.exe	84
PID 4120 wrote to memory of 4872	4120	msedge.exe	84
PID 4120 wrote to memory of 4872	4120	msedge.exe	84
PID 4120 wrote to memory of 4872	4120	msedge.exe	84
PID 4120 wrote to memory of 4872	4120	msedge.exe	84
PID 4120 wrote to memory of 4872	4120	msedge.exe	84
PID 4120 wrote to memory of 4872	4120	msedge.exe	84
PID 4120 wrote to memory of 4872	4120	msedge.exe	84
PID 4120 wrote to memory of 4872	4120	msedge.exe	84
PID 4120 wrote to memory of 4872	4120	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff0a6a46f8,0x7fff0a6a4708,0x7fff0a6a4718
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,8898163091574600046,2111978331393794460,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  2⤵
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,8898163091574600046,2111978331393794460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,8898163091574600046,2111978331393794460,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8898163091574600046,2111978331393794460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8898163091574600046,2111978331393794460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,8898163091574600046,2111978331393794460,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2720 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4160

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6a43d7f1b633ce25a700b68a8fd57b3f

SHA1
3198f23fd8351e61d33ff9c40439890c0f871b6a

SHA256
4063e6d9d087d34e1c07e565f95ee07162e7ce1f1281ebbe8052fc5a5486fdbd

SHA512
5a63e97a2913a483c1cf80356846d60e33993e22a0ad8764a45711ccd23684bab237736b6dfe58472a56b24d4b6215cbc8ecdcb5b442cc9d91e345f93a4b0a59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
55fb535e6e8cc886924f8072eecf3011

SHA1
6a0c92fbc50d67a5c1237de4411f8a84aff1a7a8

SHA256
40dc5b4473d4a042ffdeff1be1045382430d8f3216f6ecb23b0f02f57a6bd1dc

SHA512
a4aebac557f24585b477b986f874c9b810df862ea8a652dfea5a1f7e0f53127cb2196e5f4acf1a32a9aa224fcff9b688f8d1fe7e62751339f6d87c3be32377a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d33bba8351a1847e7b39b1d723983ad0

SHA1
b629ed7b1f4ffd0cc31498336998298945feed34

SHA256
8b0a7440b2922e317580b04225ad86abbcb2c4a7dc3c022ed608b90f91a35008

SHA512
e25a6372fb94d65dd14848d95bf2479e5308dbefb2457d6676e79919b63914a0337d97da86e1b2eab0f8dafa785d6f950501b4e08c72969e62ba93e8340c7ae5

Download Submit