d446bd3563ba88d464cf9e9a81ede5895565eeaac3c40b32951a39ef5789c90a

Analysis

max time kernel
113s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 03:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3e2810627e86998a92eba09292a8c230N.html
Size

837KB
MD5

3e2810627e86998a92eba09292a8c230
SHA1

3d09cc2de7c4061b5023a14ad319f1f964f252fc
SHA256

d446bd3563ba88d464cf9e9a81ede5895565eeaac3c40b32951a39ef5789c90a
SHA512

bebe242ca0863103e907b8c44ca6125fdff4e9e5c42ea274b8cf491e319bd5dd05a022b15d92cb175f3b7836c78fc67676b8a216db081709888d1f20b9e73c72
SSDEEP

6144:UWXmNRSt1mIYR4YJTs6HlJzn488vPmAh88vPmAO88vPmAn88vPmA088vPmAl88vx:LXmNPIYR4cxz41h1O1n101l1L

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 8 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-701583114-2636601053-947405450-1000\{BA4FDF23-29AF-48E7-88AA-C20E4C8D0015}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949	msedge.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2880	msedge.exe
2880	msedge.exe
1028	msedge.exe
1028	msedge.exe
1752	msedge.exe
3488	msedge.exe
3488	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 4596	1028	msedge.exe	83
PID 1028 wrote to memory of 4596	1028	msedge.exe	83
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 516	1028	msedge.exe	85
PID 1028 wrote to memory of 2880	1028	msedge.exe	86
PID 1028 wrote to memory of 2880	1028	msedge.exe	86
PID 1028 wrote to memory of 4480	1028	msedge.exe	87
PID 1028 wrote to memory of 4480	1028	msedge.exe	87
PID 1028 wrote to memory of 4480	1028	msedge.exe	87
PID 1028 wrote to memory of 4480	1028	msedge.exe	87
PID 1028 wrote to memory of 4480	1028	msedge.exe	87
PID 1028 wrote to memory of 4480	1028	msedge.exe	87
PID 1028 wrote to memory of 4480	1028	msedge.exe	87
PID 1028 wrote to memory of 4480	1028	msedge.exe	87
PID 1028 wrote to memory of 4480	1028	msedge.exe	87
PID 1028 wrote to memory of 4480	1028	msedge.exe	87
PID 1028 wrote to memory of 4480	1028	msedge.exe	87
PID 1028 wrote to memory of 4480	1028	msedge.exe	87
PID 1028 wrote to memory of 4480	1028	msedge.exe	87
PID 1028 wrote to memory of 4480	1028	msedge.exe	87
PID 1028 wrote to memory of 4480	1028	msedge.exe	87
PID 1028 wrote to memory of 4480	1028	msedge.exe	87
PID 1028 wrote to memory of 4480	1028	msedge.exe	87
PID 1028 wrote to memory of 4480	1028	msedge.exe	87
PID 1028 wrote to memory of 4480	1028	msedge.exe	87
PID 1028 wrote to memory of 4480	1028	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\3e2810627e86998a92eba09292a8c230N.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff4a7346f8,0x7fff4a734708,0x7fff4a734718
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2256,2993554384571665135,10267356481091310899,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
  2⤵
  PID:516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2256,2993554384571665135,10267356481091310899,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2440 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2256,2993554384571665135,10267356481091310899,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
  2⤵
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,2993554384571665135,10267356481091310899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,2993554384571665135,10267356481091310899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,2993554384571665135,10267356481091310899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:1
  2⤵
  PID:772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2256,2993554384571665135,10267356481091310899,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=2412 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2256,2993554384571665135,10267356481091310899,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4728 /prefetch:8
  2⤵
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2256,2993554384571665135,10267356481091310899,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5576 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,2993554384571665135,10267356481091310899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  PID:1156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d406f3135e11b0a0829109c1090a41dc

SHA1
810f00e803c17274f9af074fc6c47849ad6e873e

SHA256
91f57909a10174b06c862089a9c1f3b3aeafea74a70ee1942ce11bb80d9eace4

SHA512
2b9f0f94b1e8a1b62ab38af8df2add0ec9e4c6dfa94d9c84cc24fe86d2d57d4fc0d9ec8a9775cf42a859ddfd130260128185a0e2588992bca8fd4ebf5ee6d409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7f37f119665df6beaa925337bbff0e84

SHA1
c2601d11f8aa77e12ab3508479cbf20c27cbd865

SHA256
1073dbff3ec315ac85361c35c8ba791cc4198149b097c7b287dda1d791925027

SHA512
8e180e41dd27c51e81788564b19b8ff411028890da506fbf767d394b1e73ec53e046c8d07235b2ec7c1c593c976bbf74ed9b7d442d68b526a0a77a9b5b0ab817

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\74dfd699-7536-4966-9cf1-e0fab2e28f5a.tmp

Filesize
6KB

MD5
5ff6b205623e1f44b31e14d258fc4c93

SHA1
f376283c4dfa4c4126ea354a37a431514a848d13

SHA256
287aac087905846183e614eb2d7163b8454bba5e806c66646c0ef70d452d0c93

SHA512
df94ebbf305dd2ec17c373903d51ad5c451b2242fd6fd68a79dac90ff72d95d449acdf93e1d2f3ec7c105dfae2b2822fd04a5de59abed406c682152aff349963

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
5f673d06736c59f1023ccc0fe77478b3

SHA1
25a9246d53c5064af98680af06201f4e6e5c4d51

SHA256
635d43533b8267119806efc4811e40fdc4f92d9c4801f7f23c9042fddc514664

SHA512
c466e554fda0f046537ca640ba656597444958c37128f5459cebf09443df6b63cb54acc82cd438e9212c738efac4fe652f3cada37888907d40ff8f06630c70ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
b4b9c5e522fbedd7676049a431f3cfcd

SHA1
4a4fec9a2ec3c5592b4b2ca5db0636e0508db7c1

SHA256
2a7791bdc4b2d4cdbd2e937bbd6ef07628b9ef4bd2a96ce658cdc2e4aec30c2c

SHA512
7ff007888b004fce83fbf890b336debf0e076eede5acc64057b0b3353c4ceaaeef87d81c7cd72ac697ef1470ae7ef386d80ddbf5a4faf293567616f5fd2c714c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a1e0f6828843a148ca0c4f0d06dd1c2e

SHA1
dc9e65d2253b83dfb88b01f8408d6568c82276d7

SHA256
cd4e4cb1f5c1f7019c9491cfbabe968f870559a6ed74c6158cd6f54ffc8f143a

SHA512
50882ee5da7ee1daee582f0097916cdecd06f56c625964e1aaf021a2e6ede9bcda1a8f116a329980471463951436794594112741b8ed847a3d0e09ebc12e15cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
489770c3ee6da61fa25998e33c52eda7

SHA1
caa52b73ba1260420ded76bd9a78c03cc3c3cdcc

SHA256
b84ab77a16f6f17bd7395d9e4c742797fb3825ed604452d0c19a7493d3f77596

SHA512
831facad6c38e39e36fa079609f3a56202be585233ab0e89db032a6f350ddae2d63ec30f62a0476a99fc082010697c8be49991425c7876928368d0808526afb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ee19.TMP

Filesize
1KB

MD5
1d6e680b3a0938b66f0ae5176f6cd405

SHA1
8f5191238d4bbad058c3747f02d9afaac6659bc6

SHA256
02b6c265c559a744db89cdbf47dfa2fbd30dab4f079adb09051c000e4b1df885

SHA512
1557d2b82a9354e2be93207d8adf4bd218217d8ef61d8fee74f84c44bfbf94a51ef21c477afe7e78aae2bc964e799b5fe0410b99be1145063a99bb5e1e3f9c4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
63c93cfbfb64837d0073bbb54c72031f

SHA1
9b1d8d1ac98896e583a8b065546c4e1a6c164d89

SHA256
6979fc52553e198520545c2b2b80d56a0a30867e16460ec0c3703b8ea99d2a46

SHA512
5b9ef2ec21951dcdfab3a9f03b806876920f1eefd54a3015761d19d84fc826495fc6d804fc3c85aa15a2028a36b5e6e1db013bda297072802e42de1b98c90e41

Download Submit