01a83a73ce1b987cf64fb5e4d41b1b8cdde3c933c061b898f3c78e0be04092c5

Analysis

max time kernel
145s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 15:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

link.html
Size

267KB
MD5

72076bb55b9497b9377f3b6113575725
SHA1

b8d9cb8cbd4f91dd10e94c2799af0d289dd6ae33
SHA256

01a83a73ce1b987cf64fb5e4d41b1b8cdde3c933c061b898f3c78e0be04092c5
SHA512

7e90653b043a5fab00a8db04b924497e718a43254ea5729fdf206a3357d291e1aeb7ad8a39c881059e512be3f2d69619d5f269cd0350b746e1c6b1d39a2bd02e
SSDEEP

1536:r3DPs4/kDPOujZdzbjvrX/3GxtNdw4NIg4BMJpTTZIaplPyH8PUVYjIt61yAWSNl:rjsLPYJ3PyHjOIt61ypSNK0/QGT7

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1364	msedge.exe
1364	msedge.exe
4168	msedge.exe
4168	msedge.exe
3832	identity_helper.exe
3832	identity_helper.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4168 wrote to memory of 3968	4168	msedge.exe	82
PID 4168 wrote to memory of 3968	4168	msedge.exe	82
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 3552	4168	msedge.exe	83
PID 4168 wrote to memory of 1364	4168	msedge.exe	84
PID 4168 wrote to memory of 1364	4168	msedge.exe	84
PID 4168 wrote to memory of 740	4168	msedge.exe	85
PID 4168 wrote to memory of 740	4168	msedge.exe	85
PID 4168 wrote to memory of 740	4168	msedge.exe	85
PID 4168 wrote to memory of 740	4168	msedge.exe	85
PID 4168 wrote to memory of 740	4168	msedge.exe	85
PID 4168 wrote to memory of 740	4168	msedge.exe	85
PID 4168 wrote to memory of 740	4168	msedge.exe	85
PID 4168 wrote to memory of 740	4168	msedge.exe	85
PID 4168 wrote to memory of 740	4168	msedge.exe	85
PID 4168 wrote to memory of 740	4168	msedge.exe	85
PID 4168 wrote to memory of 740	4168	msedge.exe	85
PID 4168 wrote to memory of 740	4168	msedge.exe	85
PID 4168 wrote to memory of 740	4168	msedge.exe	85
PID 4168 wrote to memory of 740	4168	msedge.exe	85
PID 4168 wrote to memory of 740	4168	msedge.exe	85
PID 4168 wrote to memory of 740	4168	msedge.exe	85
PID 4168 wrote to memory of 740	4168	msedge.exe	85
PID 4168 wrote to memory of 740	4168	msedge.exe	85
PID 4168 wrote to memory of 740	4168	msedge.exe	85
PID 4168 wrote to memory of 740	4168	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\link.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdd03446f8,0x7ffdd0344708,0x7ffdd0344718
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,4271768756785225377,12617547968019880213,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,4271768756785225377,12617547968019880213,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,4271768756785225377,12617547968019880213,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
  2⤵
  PID:740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,4271768756785225377,12617547968019880213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,4271768756785225377,12617547968019880213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,4271768756785225377,12617547968019880213,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,4271768756785225377,12617547968019880213,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,4271768756785225377,12617547968019880213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,4271768756785225377,12617547968019880213,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,4271768756785225377,12617547968019880213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2992 /prefetch:1
  2⤵
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,4271768756785225377,12617547968019880213,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,4271768756785225377,12617547968019880213,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1288 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4128

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56641592f6e69f5f5fb06f2319384490

SHA1
6a86be42e2c6d26b7830ad9f4e2627995fd91069

SHA256
02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455

SHA512
c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
612a6c4247ef652299b376221c984213

SHA1
d306f3b16bde39708aa862aee372345feb559750

SHA256
9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a

SHA512
34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ab0b4682a93bb41351f22bb21b7bd326

SHA1
4b3d3d6a9ec9589c1959c87ed58e4fcdcfda0bd1

SHA256
d6ccd9e0dca85bdb53a5d640872a1fa729f0a3646dac69bb0f79462b6d4930d7

SHA512
e634e15ac4c3f0e75a8aebc8103e5fdc9e18eb2e609fe927028f4f224b44d970261209e8588352550fedea9f056e7aa4eb55940911d5fd72bdb18de5f2ad990d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5b98d5f046b1a94721cd3c97a1014f7a

SHA1
2855162bf0d35309dc777da6a684027d8816801f

SHA256
dbf1ae0a13e58ad5d5a1bfcbeaa80c9666698b78c65d53ce1e460fcbb33e9d10

SHA512
7e4ab0e7c7c2e9ae60427911de6e1148e0aa5346735622bc8bd6034aad27e42c748df201fa252b2f9c9c418b2b03b19218fc3aaa29cc9cb3c2a4f46f8012c390

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fee3ec8e89c68d4805816f11d6a25b35

SHA1
6ef2acbc68ef86a6f22559bc6455fcbc891f0c7b

SHA256
53ff99bae737b00933e4dfd2ee13b37cf06e4fc2c5d9cbd44f1c4523bba4fab8

SHA512
f5a579589c7844254678aa370ea0d006c5e96a9e6881599cdf7ed45c3b9aa4a860526c50747a3e6c6bbc365675fe636049805162bb90c1c4547f16b18418ab0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
da041c1f22b0c0a18852b15ec2ab805c

SHA1
76b4b4a83d2ce55c08f9b7a46282df81e6acde96

SHA256
9d2bae1e4e0d5f58fffea4dd445426f6830abe9ec8c5f243e93c6963c27a0ef4

SHA512
35711bb4e403a83acd34657d0cb9260e7190ccc150fea2fa7b1c895bda5f7f0dbae5bdbd662834fd2c2e35851981468d8866024ba480f605705e1436e58067c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
664cfebc940b0662b54994b9c7479e72

SHA1
ea0ac0277eeff2e582f4d3cb21bc33f2738070b2

SHA256
de423648e11f2da9bdaa639ff115e03f61c52a5c423d458a7cc0892bc9db6fcd

SHA512
a04b7152cc6a9111e61fd00bfd98d2b2fdf89c4e4dde8046aca48330c0692c94d0907752baaca6ccf1a6f4c6fd4c2eee662061218d38f7762ad97a369e31e42a

Download Submit