a9194f08e33bfa3aadea4b5fe7d51f4539575cf15f14137296bb6fcc053f84dd

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 12:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

218KB
MD5

f30174fae5325afb063521c77a88b403
SHA1

5daa04987b996fcda82d2d38fdc0d1ed06e0f202
SHA256

f43d57e4738210abeb4e9d047ce1c8af5f951571234efef84ed93601a590f50e
SHA512

133d89ea4440e7802223a03a12742aa176cf0420857a1655461db3b70c3b4a721b39d54f1236261e00c0d417ae1145ab25fe4dddff1e3f387c53f055dd4bfc31
SSDEEP

3072:ScAEHAaToZqQyfkMY+BES09JXAnyrZalI+YQ:SHE/ToMNsMYod+X3oI+YQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4740	msedge.exe
4740	msedge.exe
4964	msedge.exe
4964	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4964	msedge.exe
4964	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 2640	4964	msedge.exe	82
PID 4964 wrote to memory of 2640	4964	msedge.exe	82
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4896	4964	msedge.exe	83
PID 4964 wrote to memory of 4740	4964	msedge.exe	84
PID 4964 wrote to memory of 4740	4964	msedge.exe	84
PID 4964 wrote to memory of 3040	4964	msedge.exe	85
PID 4964 wrote to memory of 3040	4964	msedge.exe	85
PID 4964 wrote to memory of 3040	4964	msedge.exe	85
PID 4964 wrote to memory of 3040	4964	msedge.exe	85
PID 4964 wrote to memory of 3040	4964	msedge.exe	85
PID 4964 wrote to memory of 3040	4964	msedge.exe	85
PID 4964 wrote to memory of 3040	4964	msedge.exe	85
PID 4964 wrote to memory of 3040	4964	msedge.exe	85
PID 4964 wrote to memory of 3040	4964	msedge.exe	85
PID 4964 wrote to memory of 3040	4964	msedge.exe	85
PID 4964 wrote to memory of 3040	4964	msedge.exe	85
PID 4964 wrote to memory of 3040	4964	msedge.exe	85
PID 4964 wrote to memory of 3040	4964	msedge.exe	85
PID 4964 wrote to memory of 3040	4964	msedge.exe	85
PID 4964 wrote to memory of 3040	4964	msedge.exe	85
PID 4964 wrote to memory of 3040	4964	msedge.exe	85
PID 4964 wrote to memory of 3040	4964	msedge.exe	85
PID 4964 wrote to memory of 3040	4964	msedge.exe	85
PID 4964 wrote to memory of 3040	4964	msedge.exe	85
PID 4964 wrote to memory of 3040	4964	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb29fd46f8,0x7ffb29fd4708,0x7ffb29fd4718
  2⤵
  PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,2912962665257302947,12103608471843408986,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,2912962665257302947,12103608471843408986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,2912962665257302947,12103608471843408986,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:3040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2912962665257302947,12103608471843408986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2912962665257302947,12103608471843408986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,2912962665257302947,12103608471843408986,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3124 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4352

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dabfafd78687947a9de64dd5b776d25f

SHA1
16084c74980dbad713f9d332091985808b436dea

SHA256
c7658f407cbe799282ef202e78319e489ed4e48e23f6d056b505bc0d73e34201

SHA512
dae1de5245cd9b72117c430250aa2029eb8df1b85dc414ac50152d8eba4d100bcf0320ac18446f865dc96949f8b06a5b9e7a0c84f9c1b0eada318e80f99f9d2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c39b3aa574c0c938c80eb263bb450311

SHA1
f4d11275b63f4f906be7a55ec6ca050c62c18c88

SHA256
66f8d413a30451055d4b6fa40e007197a4bb93a66a28ca4112967ec417ffab6c

SHA512
eeca2e21cd4d66835beb9812e26344c8695584253af397b06f378536ca797c3906a670ed239631729c96ebb93acfb16327cf58d517e83fb8923881c5fdb6d232

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7f7a529206a4a67c5fb812ab2dc28f38

SHA1
af732c84e59c319b2b7e9ce6481265c6ab440132

SHA256
304b5cc1902aa3cd52b9c150c01cf0cb8fd75032d43b5711c6b7f98166285c33

SHA512
4dea29d548b1c8b6713ed911e6744ae21c805df175bccd2c2c64e097a46e3108d31a4bb4dc4c655c04a56cdabd82d5d6f04f045ebb0f51f7545414af9eb06d1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cda619a64d2956bc50f7cc08edddedad

SHA1
fabed33dfae18396bf9b6b674c90e3365962b9b2

SHA256
d7d07678cd0be10f22babbcf99bf83969b465422e6aa1df68455b03473541ae3

SHA512
dcfacd0f74b5b1450e3ba4f78b5df03a3dbc9f81d5eed1bbda0f325b4ed49f594621982e04f70e4b1309e68dff4f0ad0492ed92010700fe30b93326a854dd66d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
871ee3950985aaaae5853ec97c3fa6fc

SHA1
3c2728e4b726fe0c21ca4041d4a8eb136e75cceb

SHA256
6905f81e9d1f940d6e52e93d7b32eca0ba29a95bb3c0af2dfce14731c64a1d1d

SHA512
b21c400878ba2e06573fdaa1bfac02d1d6c31016a152e0e9d028f0dd13ce41b2d67f391eef14651a0674a2a21d8bc541997772a693eb95b3dbc15bdb9dee531e

Download Submit