c5b255f3795d3af1415c4f6bea58dec00aa8eb2656abceeae98cc6f0a761002e

Analysis

max time kernel
145s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bd8ca8921dca41369f9b7e3aaae0a6e_JaffaCakes118.html
Size

139KB
MD5

6bd8ca8921dca41369f9b7e3aaae0a6e
SHA1

754a0f80a0e8f4d8ab21472b08a2617a87583f0f
SHA256

c5b255f3795d3af1415c4f6bea58dec00aa8eb2656abceeae98cc6f0a761002e
SHA512

1074566846fd224ed988dc33b0b56bd8682295f47dacac948e66c720f6e5f12db94d6b60c28b34030942f62512dbe01a4079236b41d1c66c448f978b6e31044e
SSDEEP

3072:SPVdjqDjlC4vqrEWZ+zlAz+sJIz0riiDdAzrwPtu8ZUHnzli:SPKC4vqrEWZ+zlAz+sJIz0riiDdAzrwb

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

4824 msedge.exe
4824 msedge.exe
1796 msedge.exe
1796 msedge.exe
2500 msedge.exe
2500 msedge.exe
2500 msedge.exe
2500 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

1796 msedge.exe
1796 msedge.exe
1796 msedge.exe
1796 msedge.exe

pid	process
4824	msedge.exe
4824	msedge.exe
1796	msedge.exe
1796	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1796 wrote to memory of 372	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 372	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4960	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4824	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4824	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 2012	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 2012	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 2012	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 2012	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 2012	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 2012	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 2012	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 2012	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 2012	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 2012	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 2012	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 2012	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 2012	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 2012	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 2012	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 2012	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 2012	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 2012	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 2012	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 2012	1796	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\6bd8ca8921dca41369f9b7e3aaae0a6e_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa05d646f8,0x7ffa05d64708,0x7ffa05d64718
2⤵
PID:372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,6704769900835094465,8792601223749094380,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
2⤵
PID:4960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,6704769900835094465,8792601223749094380,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,6704769900835094465,8792601223749094380,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
2⤵
PID:2012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6704769900835094465,8792601223749094380,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
2⤵
PID:3516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6704769900835094465,8792601223749094380,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
2⤵
PID:872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6704769900835094465,8792601223749094380,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
2⤵
PID:3444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6704769900835094465,8792601223749094380,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
2⤵
PID:2436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,6704769900835094465,8792601223749094380,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4852 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3780

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1572

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
216B

MD5
de833571a3886341cbd75aca2ec4d013

SHA1
89fbbc2f8f47b510917bcc99451297f5f5774d3a

SHA256
689bae305278390e23f0763198492ab1d8232650e72651f85c62c5f8c6d62fc0

SHA512
785cb17275bcbe0cb1b7b9f1730ec7b2b7153c3316b6cd56dd1bf891a0b1c486542d4dce62dabc9a9a6d620999e1da02cab514697c4a704fbef6d070e96542ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
e7d1536ee0266c8c20b105acf95b288f

SHA1
d9862e38c1c465dbba0c2db5942eefb25602f41b

SHA256
bf091acfa65eebd28fa12215e97a5c71ec1cdb15c518944a7d8d7c0dbd520b4e

SHA512
bd3319eb2162942557481f43850b289f4b2d55ced3c87bf1bfa89e61c54ee7f08c9a82a8b3f2c1ea13a785098d6d7a691bfe6b34248c7d93bd178bfd74f82f6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
62af3a9fdbf88b38dbe83cd85a79f49f

SHA1
7404b44e7a7b7c6933ed67a4cfe4713ab6050b0c

SHA256
ed7bcac9267e8232a9f231c66e8960ea6b14f8b170ddec135e37d7aae2118320

SHA512
d1dad8ebae02c414fc76d9eb9f411d960a7305ef34e82666491705685bd03fbd0f1bf3aa7fcabf7b1f074029ee7316e4a86fbbe5a43f40c5c1c8f576f653cd50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
6340e2cbcce8df37b03fe431bb5ad10b

SHA1
b080e1c85483517b5219e1b63eb41389f5ed5b47

SHA256
595c95638039ece80b683e9c9bd5c501487ecb2e665591d43b767c2acdd05cc4

SHA512
390103656a70961d2e5c66fc0c5b2e52c18e7f4e8efb02bab98f17aebabb51254d6fe3e862e58e97aa8a28265bcb160fb966e5f7ca710f601ac8ad75d71cfc69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
fa3c9e33c4ba0211d91d529bdce055d8

SHA1
527cb3940e4307be4afb9c34dcc6ba118e5eb006

SHA256
bdaa78073057fbabc2c5844a5a9c621edbd8be6fa325b560cd3e228dfa211c55

SHA512
b910bda356b1031a0e5992d4bcdbbd1c96e16febeb7f2220ba37cb5bb23364a2a29ef638060622b47caf7623b7b4c2c8cc350741bc0028a88cb8c1d2202f30a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
f2a1c2d478b9e168e61178846050cb25

SHA1
a1be7616df86e3effaa93121976c2ea9e8f6dad2

SHA256
401c1c3146d11fb331ecce5b2c292769eafac204545341332cf8050095d91bc2

SHA512
61ce4d4dbba6d6586a0ee3e850476f254c968e9f189847b44b884c81ea8172bf3ab727272d577752b0f5569239edd081ecb58978faf889a3bb942cbba86f8d2e

Download Submit
\??\pipe\LOCAL\crashpad_1796_NERZTLINMZZULRSR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit