45bd89a2472835f6173fa068bad4a9a4c8cf72387025b923be7321bdc3c0c55d

Analysis

max time kernel
1680s
max time network
1687s
platform
windows11-21h2_x64
resource
win11-20240704-en
resource tags

arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
submitted
05-07-2024 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

19KB
MD5

24ff8837881db8f652db816caa0529be
SHA1

6df039eda2c7586a4ab18ead37508ca9d24176df
SHA256

45bd89a2472835f6173fa068bad4a9a4c8cf72387025b923be7321bdc3c0c55d
SHA512

9a6685c9c11e3fb6643f5b0fbfb3db2a68f44c52e5714498179314d01196a4941bca265c8890dfa5011a5e5440f147080517777ca97249e3473835fcf3c4e502
SSDEEP

384:6HXisspY1ocy4+4lbGagBvhpNoIe8A1S2m0i3Y06Ib3nfm1xCejiw:K91ocy49Ea8JpNBev3i3Y06O3fYxPiw

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1208	msedge.exe
1208	msedge.exe
1484	msedge.exe
1484	msedge.exe
2788	identity_helper.exe
2788	identity_helper.exe
4200	msedge.exe
4200	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 3016	1484	msedge.exe	79
PID 1484 wrote to memory of 3016	1484	msedge.exe	79
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 3504	1484	msedge.exe	81
PID 1484 wrote to memory of 1208	1484	msedge.exe	82
PID 1484 wrote to memory of 1208	1484	msedge.exe	82
PID 1484 wrote to memory of 1008	1484	msedge.exe	83
PID 1484 wrote to memory of 1008	1484	msedge.exe	83
PID 1484 wrote to memory of 1008	1484	msedge.exe	83
PID 1484 wrote to memory of 1008	1484	msedge.exe	83
PID 1484 wrote to memory of 1008	1484	msedge.exe	83
PID 1484 wrote to memory of 1008	1484	msedge.exe	83
PID 1484 wrote to memory of 1008	1484	msedge.exe	83
PID 1484 wrote to memory of 1008	1484	msedge.exe	83
PID 1484 wrote to memory of 1008	1484	msedge.exe	83
PID 1484 wrote to memory of 1008	1484	msedge.exe	83
PID 1484 wrote to memory of 1008	1484	msedge.exe	83
PID 1484 wrote to memory of 1008	1484	msedge.exe	83
PID 1484 wrote to memory of 1008	1484	msedge.exe	83
PID 1484 wrote to memory of 1008	1484	msedge.exe	83
PID 1484 wrote to memory of 1008	1484	msedge.exe	83
PID 1484 wrote to memory of 1008	1484	msedge.exe	83
PID 1484 wrote to memory of 1008	1484	msedge.exe	83
PID 1484 wrote to memory of 1008	1484	msedge.exe	83
PID 1484 wrote to memory of 1008	1484	msedge.exe	83
PID 1484 wrote to memory of 1008	1484	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffaf1a3cb8,0x7fffaf1a3cc8,0x7fffaf1a3cd8
  2⤵
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,6211967649940078757,4838162454237010739,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,6211967649940078757,4838162454237010739,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,6211967649940078757,4838162454237010739,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
  2⤵
  PID:1008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6211967649940078757,4838162454237010739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:1604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6211967649940078757,4838162454237010739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,6211967649940078757,4838162454237010739,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6211967649940078757,4838162454237010739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4324 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6211967649940078757,4838162454237010739,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
  2⤵
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6211967649940078757,4838162454237010739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:3796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6211967649940078757,4838162454237010739,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:1804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,6211967649940078757,4838162454237010739,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4320 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,6211967649940078757,4838162454237010739,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4368 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2504

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b1f20c797906f82fd003270485ceaef

SHA1
51ee0859382d77aba329e0ec2dad81b383c534ed

SHA256
7980e988f80ffc29a79b2d13c0d4160ad1d1f77fb6ddd95b7ec263b7421a0c91

SHA512
7b8f859ffa55759a1e90540754bc80a4218ddf2ee953736865ba4c5c9aa33556bd8ac45da1dce7426c75c5d754268c450054f875927cbba800ad665f09941cde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
11b22949a84a750056bef0aa6ea4fc45

SHA1
c3d49da0344a2bb3cebbce6569b1fd223aa2ebd8

SHA256
59db861ff42f39a5f777bd9b8a167b7b15c96e60ed148ea875a9f1f0d4caaa6f

SHA512
01bbc38a4b8fb8a53c3897d63d3362c8a980fcb395986671cfd13e0fa893a68ab3e45379127da69565e0b1e4125a41834c62b06b8d9b852c6b71a1ec68a930b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6f0283ab-4c12-4a24-b9b9-005cda0714ec.tmp

Filesize
5KB

MD5
ac13c02b40edba3ad262932d9f2cc751

SHA1
2ecf62fed160412ecf67a291ef0fa0c82fe2ce87

SHA256
f86fa3e6ff15d94a505a2256ef2f82b123ed72d04f31c66d32b7213d4db6f0e9

SHA512
ac256a2b9c6fae4a95014d47ebea4a93068bcbeff0538197b9724779c54f78c262eb1af95b3565b1ea39941d7b9dee1ed8a8a24a21a66fa822ac5248ebab1a85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e426b40d-1484-4dbf-922f-864eb8487e2d.tmp

Filesize
5KB

MD5
1aff7628e3b501378067d36db24ffc58

SHA1
6aebd2fcf14e652f1d79f3aa93b5e2d6c352e7e4

SHA256
b78ba5d96f2930989b88fabe237663dd0611a0dc9e97079c1613c7cac77bab1e

SHA512
70ee6a0b5c95eeca5bf40252b7493ade23b644cd28892e22a36e5e78b94342cdc515527533fda0a7020f17248f2abd276bca01ccc850f986635e2806bf33cd16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\eaec5bdb-08ba-4789-9331-2bc972a67d4d.tmp

Filesize
11KB

MD5
d80e53f94fc6cf3a393b1cd8e1860d0d

SHA1
9ef24da75342d7469e1207a16eeefa42fcf6d421

SHA256
c1d01462abfdb9748988bddb3da490a0012aa9df06e58ad6d8640948709d9722

SHA512
a167c9a685e9ec7b12e8f9d7929a982695b7cf7df09bc5481244e6132cd036ba0c67f22ab7d22b7ef4f2d5c811b9473a40757df6acbd4f1cce676e295d0921f3

Download Submit