Analysis
Max time kernel: 150s
Max time network: 153s
Platform: windows10-2004_x64
Resource: win10v2004-20240426-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 27/05/2024, 18:30
Static task: static1
Behavioral task: behavioral1
  Sample: sample.html
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: sample.html
  Resource: win10v2004-20240426-en
General
Target: sample.html
Size: 107KB
MD5: 9fb2960e43f0a41d976ec95752d0da03
SHA1: 9982895e0caf6746b4f965fc9052f56a89dcbf45
SHA256: ce4d15839928216da5d2d21b2e27b5aa120456b46166d2a15cd1135834af9d60
SHA512: 2016e1cbd64c4eb9f5b45662111c3b9fd87dd2b98e8a593e441c852f448c60a6c2dd33b6a42c739d157c9eaf2e0a36be8cc8f71f4d2846fcb032485b5572abcb
SSDEEP: 768:rVnjZZk3eehkUp3nbaEOqkvt6Xtj9FQmcr6v25OF:rVnjZZkusWyXtj9FQmcr6v252
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  PID 1028 msedge.exe (2 entries)
  PID 5072 msedge.exe (2 entries)
  PID 4404 msedge.exe (4 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
  PID 5072 msedge.exe (2 entries)

Suspicious use of FindShellTrayWindow (25 IoCs)
  PID 5072 msedge.exe (25 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
  PID 5072 msedge.exe (24 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
  PID 5072 (msedge.exe) wrote to the memory of PID 4992 (procid_target 82), PID 3040 (procid_target 83), PID 1028 (procid_target 84) and PID 1200 (procid_target 85); the 64 entries are repeated writes to these four child processes.
Processes

msedge.exe (PID 5072), level 1
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  msedge.exe (PID 4992), level 2, crashpad handler
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa970046f8,0x7ffa97004708,0x7ffa97004718

  msedge.exe (PID 3040), level 2, GPU process
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,17432603766708575345,2803754679954572039,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2

  msedge.exe (PID 1028), level 2, network service
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,17432603766708575345,2803754679954572039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses

  msedge.exe (PID 1200), level 2, storage service
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,17432603766708575345,2803754679954572039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8

  msedge.exe (PID 1288), level 2, renderer
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17432603766708575345,2803754679954572039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1

  msedge.exe (PID 1736), level 2, renderer
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17432603766708575345,2803754679954572039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1

  msedge.exe (PID 4404), level 2, GPU process
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,17432603766708575345,2803754679954572039,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3036 /prefetch:2
    Signatures:
    - Suspicious behavior: EnumeratesProcesses

CompPkgSrv.exe (PID 924), level 1
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

CompPkgSrv.exe (PID 4720), level 1
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
MD5: c9c4c494f8fba32d95ba2125f00586a3
SHA1: 8a600205528aef7953144f1cf6f7a5115e3611de
SHA256: a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b
SHA512: 9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d

Filesize: 152B
MD5: 4dc6fc5e708279a3310fe55d9c44743d
SHA1: a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2
SHA256: a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8
SHA512: 5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13

Filesize: 5KB
MD5: 63cd96e396e751622ef03672c84b7744
SHA1: ef118106870f843ce5503c5c3bf14cfa83995cbf
SHA256: b4cd2ae01953023b48695c6c8cd62037033900a65ca189a705367e098cf7b07e
SHA512: b22d83e11991459eea8b44f1c6e64053195e962a893a5f378607c2f4789c6ec3c1a9767a81d2db6638658baff1ec341917ccb68e7243db4d12d1f849b2b2c66e

Filesize: 6KB
MD5: 68fdaa9480441f663055119af9c0287d
SHA1: 68e3004b2b5d080d1dac68fdbbf91afb9e73104f
SHA256: 17c752de774a128afec152ae5f1f672f007d50e1c914fa9a517c82d3a54e34a5
SHA512: 256f551e707ae35bffde3cea6655a67bbf441ca9aa52433aa569388219897235b893ec68b9f81e88c4b21ea57468866390e32d70481345c282cbf935904f33dc

Filesize: 10KB
MD5: 00a9c6cb658c9866b410070b5b8a15b7
SHA1: fe5d06fce60fb4161a0a3b6690c46ed93e9d11b8
SHA256: 2fee4e34ba9cf610c1086d52b4cf33edbc5ad40855dc15bb38f0bc3799408a65
SHA512: a6dd7fdd4ec6eac2b92d640280902ce972d5a851122a32ef413287440c91df85d56e140a2537012cabad3a16bebb578942ca9e25351ee182412be60b9813b6d1