dd307763f5e2d3dc92f17f1eea18ed34337555ac143ba448924edec66a0c4eac

General

Target

sample.html
Size

213KB
MD5

f2914b81c1227bc9a7aa2d4445ff6c81
SHA1

708d2951fca219ff755d7f19190b9a882af93549
SHA256

5c8630012f078a334a4b010f70129251249e55e6381f7f9fa79f4264a5bbcc49
SHA512

5a94882288aa232376d422b4aad038c3d4d07a0ad37152bdb8d6c959192c48f26d98e689344bb1e5c9a0902cf59e22e0d4c7f2d06f500a36649eb817e2e54060
SSDEEP

3072:S5IprOMa5A6AzyfkMY+BES09JXAnyrZalI+YQ:S5IBIaWsMYod+X3oI+YQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

1068 msedge.exe
1068 msedge.exe
4156 msedge.exe
4156 msedge.exe
2372 msedge.exe
2372 msedge.exe
2372 msedge.exe
2372 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

4156 msedge.exe
4156 msedge.exe

pid	process
1068	msedge.exe
1068	msedge.exe
4156	msedge.exe
4156	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4156 wrote to memory of 2296	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 2296	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 4492	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 1068	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 1068	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 3388	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 3388	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 3388	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 3388	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 3388	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 3388	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 3388	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 3388	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 3388	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 3388	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 3388	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 3388	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 3388	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 3388	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 3388	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 3388	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 3388	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 3388	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 3388	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 3388	4156	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc502e46f8,0x7ffc502e4708,0x7ffc502e4718
  2⤵
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,6277101592397309844,921531797763215241,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,6277101592397309844,921531797763215241,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,6277101592397309844,921531797763215241,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6277101592397309844,921531797763215241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6277101592397309844,921531797763215241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,6277101592397309844,921531797763215241,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2372

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5335bbd13b189a0108d9e316c061ac7c

SHA1
39905097ae5911d204559916841f6e075a3b2ceb

SHA256
d98063cd885b25987821dff201ff677aa1ca114fa2b49d3818b0b06d7d700e4f

SHA512
e3729a8c0441ea64f2044b8eb2448dd25c7d1d5c5c211ce036fb8f93edb5e86fde8cb2ee64a51443829907adc501a2f8d61c14c2d5987f8c6bf575d4d01c3d18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ddbe44c7eaf72d17623b1d87ce370239

SHA1
b965b95521592504ac4b826e41ac96a7db1c5bb9

SHA256
94a9fe3a529a28b4cd3394d719984af4a69c4f24d824bf8472792fa9e5952826

SHA512
375c6d2065552faad8ae4a4ba600355c33960fe717209450f97e9557815f4347fefeebc82aab6d930d9ea7ffe95dab045a63b5f470c8147c07850903ee52c20e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
546bedad893f392591b17d92bd6c9f50

SHA1
f7cfd08771be97a9e25a6fa048d67637d1313634

SHA256
29636ea626cb638bfb17c33ccf7300a5d048106a50af644a9fe6e67d1580da9c

SHA512
2bd7626d97991824cb5ffecd84b9c1e6ca0e14bd667896662bfff11bfe951e5678af9f93a1d0d272e790e7eff9721a2edb38a76e1d2d390eb27280d051331f5c

Download Submit
\??\pipe\LOCAL\crashpad_4156_BLGRCCHNJINUFYRI

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads