0aa276395b99aaa8c76dc02e90fb991337cb8fc36413f16bee59b287fac82885

General

Target

sample.html
Size

213KB
MD5

d171df5f85fd2b810ba02137565e529f
SHA1

53fc67443f55cca338a9332237c35ce52463c103
SHA256

14fad864e0be36ccccc3d681c097c30b3a1aae3abe60c7cb27a1913138b300f6
SHA512

ce43f4adb12500ead54224e184406da9fa1e965c347e0f3bfe5f5675f73022bef1f251afe7b623de06151ad8ac10ee1ba8a4c747f53ff93a2b5c26be96809a64
SSDEEP

3072:SL4GWxCUyEGyyfkMY+BES09JXAnyrZalI+YQ:SLKQ3sMYod+X3oI+YQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

1020 msedge.exe
1020 msedge.exe
3096 msedge.exe
3096 msedge.exe
2512 msedge.exe
2512 msedge.exe
2512 msedge.exe
2512 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

3096 msedge.exe
3096 msedge.exe

pid	process
1020	msedge.exe
1020	msedge.exe
3096	msedge.exe
3096	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3096 wrote to memory of 2556	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 2556	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4788	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 1020	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 1020	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 596	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 596	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 596	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 596	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 596	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 596	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 596	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 596	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 596	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 596	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 596	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 596	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 596	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 596	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 596	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 596	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 596	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 596	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 596	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 596	3096	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec5a346f8,0x7ffec5a34708,0x7ffec5a34718
2⤵
PID:2556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,17372242704569397864,8001833789238961743,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
2⤵
PID:4788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,17372242704569397864,8001833789238961743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,17372242704569397864,8001833789238961743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2456 /prefetch:8
2⤵
PID:596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,17372242704569397864,8001833789238961743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
2⤵
PID:4892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,17372242704569397864,8001833789238961743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
2⤵
PID:1384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,17372242704569397864,8001833789238961743,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2684 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ef224cc1e629feabd37f6855246d1895

SHA1
dc52d92fd106f91ccbbbee0db897ad413b200137

SHA256
27b931b29ca8c16274ecd76d5292888ae1c10b405e7816895cc0f49bc6d361f2

SHA512
48aaf06b12a9ccadb6f3bf41d0a18dd31b97773b40a68ff12bc941dbe2dd0f93f10d260a44a8c8e671a00d0db0a647a58e570a9b6fb672eafa7146d06da1265b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
447d5027dd63bcb2cbccc01e4eaf6ef4

SHA1
b69516728a6836639a59bc762e97bd0708b9e1d6

SHA256
aee655db3de9f2c5db51bacfd1fe3a6b21ae018211137e8e3e16355b82aea464

SHA512
1c6988e67fec932280576c544fefef79c78407f8668dcbb6e2f4bfca5c3309699af46fb9dccb20cb252da15367a9702cfd21db5cbf5601c40e81d544a86e0b95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6981d804bdc0095b9720f8c2894f678d

SHA1
0c38ebb7b1ed16ae02be77bf5392678f717445f0

SHA256
0ad0c709b0f9ee22345b871bfcfe59caa3d4db7df82894abe4fd8d1293dafb4a

SHA512
0d4f78d3d1a704ea0f71ab868a1e923de5984976816084e1c2c61c101a9525f8ace7c8a8a9f6235ae1088bd149e15cf27d25006a28aeff121974c7343d4bcea1

Download Submit
\??\pipe\LOCAL\crashpad_3096_LLXOYREHUFOLGSDA

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads