6c78721e2a80f89b07b7ff2c519940268084fca1fcda5a338a6904fbce093e93

General

Target

sample.html
Size

218KB
MD5

fc98e7004476981de8118e7da60c3a21
SHA1

6ea902230ceeb58a5f41d6106bb80771ceea68fa
SHA256

801d3915905e9244e9687476b9f43b50da41a98dc5323ae35205f47fd1fa5cfc
SHA512

0e498459baedfce21ea726c66335f2b6a4a61cbe5625cc829b111d6b8ab885ce499e6913a2f0c162e1b3f335a0d4f267550de1af8921d7f6d534ab2d41d4914b
SSDEEP

3072:S20p8lHhLgcyfkMY+BES09JXAnyrZalI+YQ:S20p85hUBsMYod+X3oI+YQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

1568 msedge.exe
1568 msedge.exe
4896 msedge.exe
4896 msedge.exe
4424 msedge.exe
4424 msedge.exe
4424 msedge.exe
4424 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

4896 msedge.exe
4896 msedge.exe

pid	process
1568	msedge.exe
1568	msedge.exe
4896	msedge.exe
4896	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4896 wrote to memory of 5780	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 5780	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1196	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1568	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 1568	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 5324	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 5324	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 5324	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 5324	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 5324	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 5324	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 5324	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 5324	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 5324	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 5324	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 5324	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 5324	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 5324	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 5324	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 5324	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 5324	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 5324	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 5324	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 5324	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 5324	4896	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa127d46f8,0x7ffa127d4708,0x7ffa127d4718
2⤵
PID:5780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,6125991595300640906,3432830621921293418,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
2⤵
PID:1196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,6125991595300640906,3432830621921293418,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1804 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,6125991595300640906,3432830621921293418,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
2⤵
PID:5324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6125991595300640906,3432830621921293418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
2⤵
PID:2552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6125991595300640906,3432830621921293418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
2⤵
PID:5712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,6125991595300640906,3432830621921293418,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4852 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ec76de01d4193e2182abdb1afebe46bb

SHA1
fc0bd3a4152fcf7e909b60dfd909a12d0ff9a0e8

SHA256
34e8e0fabeae4cb23a5762f2fc8fab578aa146b95e36b2eb6ed4c4665c4ec7ec

SHA512
d6df84d375c938b769f8bd494e5949e189aa6b280885c8a6aa4ab6572b7b927584397740a1ed5aed315f8b9fe212aab8f1bc19654b75af6c1b0a54b0c89883f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7bb7e607b29a9c10bbc12c3115bec08c

SHA1
bf37945d839ab92b07fd57fd2fff3fc0605b9d5b

SHA256
245125055e8e4c61d0b43a57cffdf897aaf175467dbc8828e7457df2b6b4299e

SHA512
0cbb9f25f85be595774cbb93af8bcb6f38b0f2d90dacf055dd7e4068a55fac1bd1be30693d0c801c2f0707821296bbf142aa7dc2c94cdec054953fb81dcb7d9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
20c90b33342428096c45443e090f652d

SHA1
69678b6da1f9aade48f740d031fa612ec9627571

SHA256
898c9fb3cb12c05ce75bf19ac36f8bc7765d666cecb13250a0d0a4cb115502d3

SHA512
1da495b558c832569306591983c7d473fab3c4afa0be10ebe026c757497e8a95ce858d0d99f33935bcec3b7e03c11e3e820202397ffa61e866c8246addb6ec94

Download Submit
\??\pipe\LOCAL\crashpad_4896_EIYYSYXKROLVQDRR

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads